feat(pos-app): add production OTA update support#403
Draft
ignaciosantise wants to merge 14 commits intomainfrom
Draft
feat(pos-app): add production OTA update support#403ignaciosantise wants to merge 14 commits intomainfrom
ignaciosantise wants to merge 14 commits intomainfrom
Conversation
| Claude finished @ignaciosantise's task in 3m 20s —— View job PR Review: feat(pos-app): add production OTA update support
Subagent results: ✅ No license issues | ✅ No breaking changes | ✅ No data classification issues Found 3 issue(s)Issue 1: Silent immediate reload during active payment transactionID: use-ota-updates-silent-reload-a3f1 Context:
Recommendation: Check for an active payment route or expose an imperative API that the caller (layout) can use to defer the reload. At minimum, notify the user before reloading: // e.g., defer until the app returns to idle state if (fetchResult.isNew) { addLog("info", "OTA update ready — will apply on next launch", ...); // store a flag and call Updates.reloadAsync() when no transaction is active }Issue 2: Third-party GitHub Actions action pinned by tag, not commit SHAID: ota-update-pos-unpinned-action-b7c2 Context:
Recommendation: Pin to a specific commit SHA: uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v6.x.xIssue 3: External domain URL in app configurationID: app-json-external-domain-url-e9a4 🔒 External Domain URL (Non-blocking) This is the Expo Updates manifest endpoint, required for OTA updates to function. Verify the project ID ( |
| The latest updates on your projects. Learn more about Vercel for GitHub.
|
…ading Restore the expo-asset plugin to ensure assets are embedded in native builds and included in OTA update manifests. Add patch for expo-updates to load .env files before config evaluation (upstream fix pending in expo/expo#43635). Defer API URL validation to request time to avoid crash when env vars load asynchronously. Add expo-channel-name header for production channel routing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolve merge conflicts after Expo 55 upgrade on main. Update expo-updates to v55.0.12 and regenerate env loading patch for the new version. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The expo-updates fingerprint:generate command outputs a full JSON object containing parentheses and special characters. When interpolated directly into shell scripts via ${{ }}, this caused syntax errors. Fix by piping through jq to extract just the hash, and using env blocks instead of inline interpolation in the OTA workflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> …rison Query fingerprints directly from EAS server using eas build:list and eas fingerprint:compare, eliminating the need to save/download fingerprint artifacts across workflows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Capture eas CLI output before parsing with jq to gracefully handle cases where no builds exist yet and the CLI returns non-JSON output. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Required for eas CLI commands (build:list, fingerprint:compare) to identify the project in non-interactive mode. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
EAS fingerprint API only works with EAS Build, but we build natively with Gradle/Fastlane. Revert to artifact-based approach with the original fixes: jq hash extraction and env block for safe shell interpolation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…facts Replace GitHub Actions artifacts (30-day retention limit) with a dedicated `fingerprints-dont-remove` branch for storing native build fingerprints. This ensures fingerprints never expire, so the OTA safety check always works regardless of time between releases. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Called workflows (release-android-base, release-ios-base) now require contents:write to push fingerprints to the fingerprints-dont-remove branch. All caller workflows must grant at least that level. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds production OTA update support for
dapps/pos-appwith Expo Updates, including runtime update checks, update metadata in Settings, and production-only channel configuration.It also wires release workflows to publish native fingerprint artifacts and adds a dedicated OTA publish workflow that blocks updates when Android or iOS native fingerprints drift.
Documentation was updated in
dapps/pos-app/README.mdanddapps/pos-app/AGENTS.mdto describe publish, rollback, and operational constraints for JS-only OTA releases.Validation run:
npm run lint,npx tsc --noEmit, andnpm test -- --watch=falseindapps/pos-app.OTA Flow
flowchart TD A[Release POS workflow] --> B[Expo prebuild with production channel] B --> C[Generate Android and iOS native fingerprints] C --> D[Upload fingerprint artifacts] E[Manual OTA workflow dispatch] --> F[Compute current Android and iOS fingerprints] F --> G[Download last production fingerprints] G --> H{Fingerprints match?} H -- No --> I[Block OTA publish] H -- Yes --> J[eas update --channel production]