feat(cli): generate GitHub Actions workflow + auto-push CAPGO_TOKEN

[WcaleNieWolny]

Summary

When capgo build init detects a GitHub remote after a successful first build, the wizard now offers a 3-option choice replacing the existing yes/no secrets upload:

• ✅ Yes — set the secrets AND create a workflow file
• 🔒 Yes — set ONLY the secrets
• ❌ No

The "No" branch then offers a .env export fallback so the user can wire up CI later via gh secret set -f, reusing the renderer from build credentials manage.

cc @riderx

What's new in v1

1. CAPGO_TOKEN auto-push

createCiSecretEntries now takes an optional API key. When provided, the bundle pushed to GitHub/GitLab includes CAPGO_TOKEN alongside build credentials — the generated workflow can authenticate without the user manually running gh secret set CAPGO_TOKEN afterward.

2. Workflow generator (cli/src/build/onboarding/workflow-generator.ts)

Pure function that produces .github/workflows/capgo-build.yml:

• workflow_dispatch trigger with platform + build_mode inputs (defaults to the platform being onboarded)
• One install + one build + one capgo build request step, branched on package manager
• env: block enumerates the exact secret names that were pushed — no drift between what we set and what we reference
• Final step posts the artifact URL to $GITHUB_STEP_SUMMARY

Per maintainer convention, the bun template includes BOTH oven-sh/setup-bun@v2 AND actions/setup-node@v4 — bun's Node compat isn't perfect and many build pipelines still need node on PATH.

12 unit tests in cli/test/test-workflow-generator.mjs covering all four PMs, custom commands, skip-build mode, monorepo-friendly secrets enumeration, and the workflow_dispatch-only constraint.

3. Workflow writer (cli/src/build/onboarding/workflow-writer.ts)

Thin file-I/O wrapper. Returns kind: 'exists' with both contents when the target file is already present, so the wizard can show a line-count comparison and ask for explicit overwrite confirmation before clobbering.

4. .env export reuse (cli/src/build/onboarding/env-export.ts)

Reuses renderEnvFile from build credentials manage (refactored to take ({ appId, local, platform, creds }) — one minimal signature change, same comment header / .gitignore reminder / provisioning-map base64 fallback). Writes mode 0600, refuses to silently overwrite.

5. Build script picker (both wizards)

When the user picks "secrets + workflow", the wizard always prompts for which package.json script builds the web assets BEFORE invoking capgo build request — never auto-picks blindly. Lists every script in scripts{}, surfaces a "recommended" hint sourced from findBuildCommandForProjectType() when the matching script exists, plus escape hatches:

• Type a custom command… (text input, e.g. make web, bash scripts/build.sh)
• Skip build step (my app is raw HTML) for plain HTML/JS Capacitor apps

Routing

• GitHub-only for v1 — GitLab keeps the existing 2-option ask-ci-secrets flow. In the multi-target picker, picking GitHub routes to the new 3-option prompt; GitLab routes to the legacy prompt.
• uploading-ci-secrets branches on setupMode:
  • with-workflow → loads scripts + project-type recommendation → pick-build-script → writing-workflow-file (with overwrite confirm if file exists)
  • secrets-only / undecided (GitLab) → build-complete
• The "No → .env export" path is reachable only from the new 3-option prompt. ci-secrets-target-select "skip" still goes straight to build-complete (no second-chance prompt).

What v1 deliberately doesn't do

• GitLab .gitlab-ci.yml generation (structurally different, follow-up)
• Push / pull_request triggers (only workflow_dispatch — manual until the user trusts it)
• Monorepo subdirectory detection (working-directory)
• Modifying / merging into existing non-Capgo workflows
• webDir verification after the build step

Test plan

• bun run cli:check (lint + typecheck + build + test) green locally
• bun test/test-workflow-generator.mjs — 12 new tests pass
• bun test/test-ci-secrets.mjs — 11 tests pass (8 existing + 3 new CAPGO_TOKEN cases)
• Manual: capgo build init --platform ios in a repo with a GitHub remote — confirm new 3-option prompt fires; pick "secrets + workflow"; verify a .github/workflows/capgo-build.yml lands with the right PM template
• Manual: same with --platform android — confirm the workflow defaults to android
• Manual: pick "secrets only" — confirm secrets are pushed but no workflow file written
• Manual: pick "No" → "Yes export .env" — confirm .env.capgo.<appId>.<platform> written at cwd with 0600
• Manual: re-run wizard with existing capgo-build.yml → confirm overwrite prompt shows line counts
• Manual: run in a repo with only a GitLab remote — confirm existing ask-ci-secrets 2-option flow still fires (no GitLab workflow generation)
• Manual: bun.lock repo — confirm bun template includes both setup-bun + setup-node

Summary by CodeRabbit

• New Features

  • Expanded Android/iOS onboarding: GitHub Actions setup, secret push confirmation, workflow generation/preview/write with overwrite handling, package-manager and build-script selection, and .env export with overwrite/exists/empty handling
  • CI secret upload with async progress and optional API-key injection; secrets confirmation table
  • Terminal-height aware fullscreen diff viewer with keyboard exit and workflow preview telemetry
  • Workflow file writer and secure .env renderer (permission-tightening)

• Tests

  • New tests covering CI secrets, workflow generator, and diffing utilities

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds GitHub Actions workflow generation, .env credential export, CAPGO_TOKEN CI-secret support, async secret upload helpers, LCS diffing and diff preview UI, workflow telemetry, and onboarding UI/state updates for base and Android flows.

Changes

GitHub Actions Workflow & Environment Export Onboarding

Layer / File(s)	Summary
Credentials renderEnvFile refactor cli/src/build/credentials-manage.ts, cli/src/build/env-render.ts	renderEnvFile and escapeDotenvValue moved to env-render with args-object API; call sites updated in credentials manager for single-platform and combined exports.
Environment export module cli/src/build/onboarding/env-export.ts	New EnvExportOpts/EnvExportResult, defaultExportPath() and exportCredentialsToEnv() which count non-empty credential fields, check for existing files, render via renderEnvFile(), and write .env with 0o600 permissions.
Workflow YAML generator cli/src/build/onboarding/workflow-generator.ts	generateWorkflow() produces .github/workflows/capgo-build.yml with workflow_dispatch trigger, package-manager setup, install step, conditional web build step, Capgo native build invocation, optional env: secret forwarding, and artifact URL reporting.
Workflow file writing cli/src/build/onboarding/workflow-writer.ts	writeWorkflowFile() resolves target path, generates content, and returns written or exists results to support overwrite confirmation.
Workflow generator tests cli/test/test-workflow-generator.mjs	Node CLI test harness validating generated workflow YAML across package managers, custom/skip builds, secret inclusion, triggers, and artifact-summary behavior.
CI secrets async & CAPGO_TOKEN cli/src/build/onboarding/ci-secrets.ts, cli/test/test-ci-secrets.mjs	Adds AsyncCommandRunner, runCommandAsync, async repo/key listing and upload helpers, marks CAPGO_TOKEN as masked, and updates createCiSecretEntries to accept apiKey and append a masked CAPGO_TOKEN when non-empty; tests added for token behavior and repo-label resolution.
Diff utils cli/src/build/onboarding/diff-utils.ts	Adds diffLines(before, after) using LCS DP with fast paths and tie-breaking, exports DiffKind/DiffLine.
Diff viewer & SecretsTable UI cli/src/build/onboarding/ui/components.tsx	Adds DiffSummary, FullscreenDiffViewer, DiffViewer, SecretsTable, and SecretRow for previewing workflow diffs and secret push status.
Workflow analytics cli/src/build/onboarding/analytics.ts	Adds telemetry types, getWorkflowDiffTelemetry() and trackBuildOnboardingWorkflowEvent() which resolves org id (cached) and sends telemetry events.
Onboarding step types & progress cli/src/build/onboarding/types.ts, cli/src/build/onboarding/android/types.ts	Extends OnboardingStep and AndroidOnboardingStep with GitHub Actions/.env/workflow steps, updates STEP_PROGRESS/ANDROID_STEP_PROGRESS, and routes new steps into the late “Save & Build” phase.
Base onboarding UI: Workflow & Env Export cli/src/build/onboarding/ui/app.tsx	Extends UI with GitHub Actions setup branching, package-manager/build-script selection (recommended/custom/skip), workflow preview/diff and write/overwrite handling, .env export flow, telemetry hooks, final success reporting, terminalRows prop, and saved-credentials retention for export.
Android onboarding UI: Workflow & Env Export cli/src/build/onboarding/android/ui/app.tsx	Parallel Android Ink UI updates for GitHub Actions setup, package/build-script pickers, async repo resolution and secret listing/upload, workflow preview/write and .env export flows, terminalRows prop, and completion UI updates.
Onboarding command cli/src/build/onboarding/command.ts	Passes terminal rows into Ink onboarding apps to drive fullscreen diff sizing and preserves existing render/wait flow.
Workflow UI helpers cli/src/build/onboarding/workflow-ui-helpers.ts	Adds package-manager normalization and build-script picker option helpers used by the onboarding UI.
Diff utils tests cli/test/test-diff-utils.mjs	Adds CLI tests covering diffLines scenarios, trailing-newline semantics, and exit-on-failure behavior.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• Cap-go/capgo#2052: Overlaps prior additions around .env export and credentials rendering used by credentials-manage.ts.
• Cap-go/capgo#2280: Changes to combined .env exporter that interact with the refactored renderEnvFile API.
• Cap-go/capgo#2310: Overlaps onboarding state-machine transitions gating CI secret upload and related UI flows.

Suggested reviewers

• riderx
• zinc-builds

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 24.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'feat(cli): generate GitHub Actions workflow + auto-push CAPGO_TOKEN' is clear, specific, and directly reflects the main change: adding GitHub Actions workflow generation and CAPGO_TOKEN auto-push functionality to the CLI onboarding flow.
Description check	✅ Passed	The PR description comprehensively covers the summary, detailed implementation (5 key features), routing logic, omissions, test plan with manual steps, and references the objectives. It matches the template structure with Summary, Test plan, and Checklist sections.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cli/src/build/onboarding/android/ui/app.tsx`:
- Around line 120-159: Extract normalizePackageManager and
buildScriptPickerOptions into a shared module (e.g., workflow-ui-helpers.ts),
export them, and replace the local implementations in this file with imports
from that module so both Android and iOS use the same helpers; also replace the
Object.prototype.hasOwnProperty.call(scripts, recommended) usage in
buildScriptPickerOptions with Object.hasOwn(scripts, recommended) before
importing/using the shared helper to ensure modern shorthand is used everywhere.
- Around line 30-34: Imports for the utility functions are duplicated and out of
order; remove the separate import listing findBuildCommandForProjectType,
findProjectType, getPackageScripts, and getPMAndCommand and instead add those
symbols to the existing utils import so all utilities are consolidated in one
import, then reorder imports to satisfy ESLint grouping (external modules,
project utils, relative files) and eliminate the duplicate import. Ensure you
keep defaultExportPath, exportCredentialsToEnv, writeWorkflowFile,
WORKFLOW_PATH, and BuildScriptChoice/PackageManager imports unchanged while
consolidating the four utility functions into the single utilities import.
- Around line 1036-1040: The current block assigns capgoKey and then
conditionally calls findSavedKey(true) in a try/catch on the same line; split
the statements so each statement is on its own line and avoid inline try/catch.
Replace the try/catch + findSavedKey(true) with a silent lookup by calling
findSavedKeySilent() (to match the iOS pattern) when apikey is falsy, or if you
must keep findSavedKey use it on its own line inside a try/catch block; update
references to capgoKey, apikey, findSavedKey(true) accordingly so the code
conforms to max-statements-per-line and uses findSavedKeySilent for consistency.

In `@cli/src/build/onboarding/ci-secrets.ts`:
- Around line 125-135: The code currently treats whitespace-only apiKey as
valid; update the check around the CAPGO_TOKEN creation to use a trimmed value
(e.g., const trimmed = apiKey?.trim()) and only call entries.push for
CAPGO_TOKEN when trimmed is non-empty; when pushing, use the trimmed value for
the value field and keep masked: true to avoid storing a whitespace-only secret
(refer to apiKey, 'CAPGO_TOKEN', and the entries.push call).

In `@cli/src/build/onboarding/env-export.ts`:
- Line 15: Extract renderEnvFile and its helper escapeDotenvValue into a new
shared module (cli/src/build/env-render.ts) that exports both functions, then
update both cli/src/build/onboarding/env-export.ts and
cli/src/build/credentials-manage.ts to import renderEnvFile (and
escapeDotenvValue if needed) from that new module instead of
credentials-manage.ts; remove the original renderEnvFile implementation from
credentials-manage.ts so the only source of truth is the new env-render module.

In `@cli/src/build/onboarding/ui/app.tsx`:
- Line 211: Remove the unused local state pendingCustomCommand and its setter
setPendingCustomCommand: locate the useState declaration for
pendingCustomCommand and any references to setPendingCustomCommand (they are
redundant because the custom command is already stored in
buildScriptChoice.command) and delete those lines; ensure no other code reads
pendingCustomCommand and that buildScriptChoice.command continues to be used for
the custom command flow.
- Line 126: Replace the old hasOwnProperty call with the modern Object.hasOwn
usage: anywhere you currently use Object.prototype.hasOwnProperty.call(scripts,
recommended) (e.g., the conditional checking recommended against scripts and the
other occurrence around the symbol referenced at the lower occurrence) change it
to Object.hasOwn(scripts, recommended); update both occurrences so the checks
use Object.hasOwn and refer to the same variables (scripts and recommended).
- Around line 31-35: Reorder and consolidate the imports to satisfy the ESLint
rules: remove the duplicate import of findBuildCommandForProjectType,
findProjectType, getPackageScripts and merge those symbols into the existing
getPMAndCommand import (the earlier import on line ~20), then re-sort imports so
grouped builtin/third-party/local imports follow the configured
perfectionist/sort-imports order and no duplicate import specifiers remain;
ensure defaultExportPath, exportCredentialsToEnv, writeWorkflowFile,
WORKFLOW_PATH, BuildScriptChoice, PackageManager, and BuildCredentials remain
imported exactly once with consistent ordering.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 57a45754-e9f1-46cc-be00-690422299c62

📥 Commits

Reviewing files that changed from the base of the PR and between fa6727e and a2ca346.

📒 Files selected for processing (11)

• cli/src/build/credentials-manage.ts
• cli/src/build/onboarding/android/types.ts
• cli/src/build/onboarding/android/ui/app.tsx
• cli/src/build/onboarding/ci-secrets.ts
• cli/src/build/onboarding/env-export.ts
• cli/src/build/onboarding/types.ts
• cli/src/build/onboarding/ui/app.tsx
• cli/src/build/onboarding/workflow-generator.ts
• cli/src/build/onboarding/workflow-writer.ts
• cli/test/test-ci-secrets.mjs
• cli/test/test-workflow-generator.mjs

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a2ca346e86

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Quote custom build commands in generated workflow

The build step writes run: as an unquoted plain scalar, so a user-provided custom command that contains YAML-significant sequences (for example : or #, such as echo "a: b") produces invalid workflow YAML and GitHub will refuse to run it. This can be triggered directly from the new pick-build-script-custom path, so the generator should emit the command in a safe form (e.g., block scalar or properly quoted string) instead of interpolating it raw.

Useful? React with 👍 / 👎.

[codspeed-hq]

Merging this PR will improve performance by 82.25%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 1 improved benchmark
✅ 42 untouched benchmarks
⏩ 2 skipped benchmarks¹

Performance Changes

	Benchmark	BASE	HEAD	Efficiency
⚡	/updates manifest response with metadata	204.5 µs	112.2 µs	+82.25%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.

---

_{Comparing feat/cli-github-actions-workflow (a35ba39) with main (2d18719)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[BataraSurya]

I think the generated Yarn template currently straddles two Yarn generations in a way that can make the workflow fail for common Yarn Classic projects.

The install/build pieces are Classic-compatible (yarn install --frozen-lockfile and yarn <script>), and the test even notes "yarn classic invokes scripts without run". But the Capgo steps use yarn dlx, which is a Yarn Berry command; GitHub-hosted runners commonly provide Yarn 1.x unless the project enables Corepack / ships a Berry release. For a repo detected as Yarn purely from yarn.lock, the generated workflow can therefore reach the Capgo build step and fail with Command "dlx" not found.

Could this either use npx @capgo/cli@latest ... for the Yarn template, or explicitly enable/pin Corepack/Yarn Berry before emitting yarn dlx? A regression test that models a Yarn Classic workflow would catch the mismatch.

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cli/src/build/onboarding/android/ui/app.tsx`:
- Around line 1147-1167: The code advances to setStep('confirm-secrets-push')
even when getCiSecretRepoLabelAsync fails (repoLabel is null), allowing a GitHub
upload without a resolved owner/repo; change the flow so that after awaiting
getCiSecretRepoLabelAsync(ciSecretTarget) you treat a null/failed repoLabel as a
hard stop: set an error/needs-retry state (e.g., update a ciSecretRepoError or
keep cancelled handling) and return early instead of calling
setCiSecretRepoLabel or continuing to listExistingCiSecretKeysAsync and
setStep('confirm-secrets-push'); apply the same guard/update to the similar
block referenced at lines 2658-2717 so unresolved owner/repo always forces
retry/cancel and never reaches confirm-secrets-push.

In `@cli/src/build/onboarding/ui/app.tsx`:
- Around line 1174-1197: The code currently allows proceeding to
setStep('confirm-secrets-push') even when getCiSecretRepoLabelAsync failed and
repoLabel is null; change the GitHub path to fail-closed by verifying repoLabel
is non-null before enabling the upload flow: after awaiting
getCiSecretRepoLabelAsync (and before any setStep('confirm-secrets-push') for
provider === 'github'), detect a null/undefined repoLabel and instead set an
error/blocked UI state (e.g. setCiSecretCheckPhase to an error message and abort
or setStep to a safe fallback) and do not call setStep('confirm-secrets-push');
ensure the same null-check behavior is applied to the duplicate block around
lines 2918-2973 so uploads cannot proceed without a resolved owner/repo.

In `@cli/src/build/onboarding/ui/components.tsx`:
- Around line 5-6: The import order in components.tsx is reversed for the lint
rule; move the type-only import for DiffLine (import type { DiffLine } from
'../diff-utils.js') above the value import of React (import React, { useEffect,
useState } from 'react') so the type import precedes the value import,
satisfying perfectionist/sort-imports; update the two import lines accordingly
and run the linter to confirm no other grouping/order issues.

In `@cli/test/test-diff-utils.mjs`:
- Around line 24-27: Remove the unused helper function "assert" from the file by
deleting the function declaration function assert(condition, message) { if
(!condition) throw new Error(message || 'Assertion failed') }, ensuring no other
code references "assert" before removal; if references exist, replace them with
standard test assertions or throw new Error directly.
- Around line 103-105: The test file is using the global process
(process.exit(1)); import the Node process module and use that instead: add
"import process from 'node:process';" at the top of cli/test/test-diff-utils.mjs
and leave the call to process.exit(1) as-is (or alternatively import { exit }
from 'node:process' and call exit(1)); ensure any other uses of process in this
file refer to the imported symbol (process or exit) to satisfy
node/prefer-global/process.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a5a80bc4-1821-4e27-bfdd-83c00226daf9

📥 Commits

Reviewing files that changed from the base of the PR and between a2ca346 and 07a0b54.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (11)

• cli/src/build/onboarding/analytics.ts
• cli/src/build/onboarding/android/types.ts
• cli/src/build/onboarding/android/ui/app.tsx
• cli/src/build/onboarding/ci-secrets.ts
• cli/src/build/onboarding/command.ts
• cli/src/build/onboarding/diff-utils.ts
• cli/src/build/onboarding/types.ts
• cli/src/build/onboarding/ui/app.tsx
• cli/src/build/onboarding/ui/components.tsx
• cli/test/test-ci-secrets.mjs
• cli/test/test-diff-utils.mjs

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cli/src/build/onboarding/android/ui/app.tsx (1)

3147-3181: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Unreachable step confirm-workflow-overwrite — consider removing dead code.

This step's UI is rendered but no code path transitions to it. Searching for setStep('confirm-workflow-overwrite') returns zero matches in this file. The workflow preview flow goes directly from preview-workflow-file to either view-workflow-diff or writing-workflow-file, bypassing this step entirely.

This appears to be leftover code from an earlier design that was replaced by the diff-based preview approach. Along with the unused workflowExistingContent state, this dead code adds maintenance burden.

♻️ Suggested cleanup

Remove the unreachable step UI and related unused state:

-  const [workflowExistingContent, setWorkflowExistingContent] = useState<string | null>(null)
+  const [workflowExistingContent] = useState<string | null>(null)

Or remove entirely if the confirm-workflow-overwrite step UI is also removed, since workflowExistingContent is only read in that unreachable block.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cli/src/build/onboarding/android/ui/app.tsx` around lines 3147 - 3181, The UI
block guarded by step === 'confirm-workflow-overwrite' is unreachable and should
be removed along with any related unused state; delete the JSX block that
renders the confirm-workflow-overwrite step (the Box containing WORKFLOW_PATH,
the lines count using workflowExistingContent and workflowProposedContent, and
the Select that calls setStep) and also remove the associated state variables
(e.g., workflowExistingContent) and any imports or constants only used by that
block to avoid dead code; ensure no remaining references to
'confirm-workflow-overwrite' or those state variables remain in the file.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@cli/src/build/onboarding/android/ui/app.tsx`:
- Around line 3147-3181: The UI block guarded by step ===
'confirm-workflow-overwrite' is unreachable and should be removed along with any
related unused state; delete the JSX block that renders the
confirm-workflow-overwrite step (the Box containing WORKFLOW_PATH, the lines
count using workflowExistingContent and workflowProposedContent, and the Select
that calls setStep) and also remove the associated state variables (e.g.,
workflowExistingContent) and any imports or constants only used by that block to
avoid dead code; ensure no remaining references to 'confirm-workflow-overwrite'
or those state variables remain in the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 341678c5-76ea-4970-8f02-e0b1a98ba446

📥 Commits

Reviewing files that changed from the base of the PR and between 0d99cda and de542cc.

📒 Files selected for processing (4)

• cli/src/build/onboarding/android/types.ts
• cli/src/build/onboarding/android/ui/app.tsx
• cli/src/build/onboarding/types.ts
• cli/src/build/onboarding/ui/app.tsx

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	bun-types@​1.3.13
	better-qr@​0.1.1
	country-code-to-flag-emoji@​2.1.0
	cron-schedule@​6.0.0
	chartjs-chart-funnel@​4.2.5
	ci-info@​4.4.0
	commander@​14.0.3
	arktype@​2.2.0
	chart.js@​4.5.1

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud