Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EAS CD fingerprinting fails when using file-based secrets for Android configuration #315

Open
tharakadesilva opened this issue Dec 5, 2024 · 0 comments
Open

EAS CD fingerprinting fails when using file-based secrets for Android configuration #315

tharakadesilva opened this issue Dec 5, 2024 · 0 comments

Comments

@tharakadesilva
Copy link
Contributor

tharakadesilva commented Dec 5, 2024
edited
Loading

Topic and scope of discussion

EAS CD fingerprint validation fails when using file-based secrets due to path differences between GitHub CI environment and EAS build environment

Motivation

The continuous deployment process is breaking because the fingerprint generated in the GitHub CI environment doesn't match the fingerprint calculated during the EAS build when using file-based secrets. This prevents successful deployment of builds even when there are no actual changes to the application code.

Additional context

I'm encountering an issue with the continuous deployment fingerprinting system when trying to securely handle the google-services.json file for Android builds.

Current Setup:

  1. Using expo-github-action/continuous-deploy-fingerprint for CD
  2. Following security best practices by not committing google-services.json to git
  3. Implemented the recommended approach of using environment variables (https://docs.expo.dev/eas/environment-variables/#file-environment-variables): 
    googleServicesFile: process.env.GOOGLE_SERVICES_JSON || "./google-services.json"
  4. Created a file-based secret using EAS: 
    eas secret:create --scope project --name GOOGLE_SERVICES_JSON --type file --value ./google-services.json

Problem:
The fingerprint validation fails because:

  1. In the GitHub CI environment, the fingerprint is calculated using one file path configuration
  2. When the build runs in EAS, the secret is materialized to a different random file path
  3. This path difference in app.config.js causes the fingerprints to mismatch
  4. As a result, EAS build fails with a fingerprint validation error

Questions:

  1. What's the recommended way to handle file-based secrets with the fingerprinting system to ensure consistent paths between CI and EAS environments?
  2. Should the fingerprinting system ignore or normalize paths for file-based secrets?
  3. Are there alternative approaches to managing the google-services.json file that would work better with the fingerprinting system?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tharakadesilva