3 changes: 3 additions & 0 deletions .github/workflows/npm_release.yml
@@ -27,6 +27,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
submodules: true
Comment on lines 27 to +30

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate workflow files
ls -la .github/workflows || true

# Show relevant checkout steps in the two mentioned workflows
for f in .github/workflows/npm_release.yml .github/workflows/pull_request.yml; do
  if [ -f "$f" ]; then
    echo "==== $f (checkout steps) ===="
    rg -n "uses:\s*actions/checkout@" "$f" || true
    # Print small surrounding context for each checkout usage
    rg -n "uses:\s*actions/checkout@" "$f" | cut -d: -f1 | uniq | while read -r lineno; do
      start=$((lineno-6))
      end=$((lineno+6))
      sed -n "${start},${end}p" "$f" | nl -ba | sed 's/^/  /'
    done
    echo
  else
    echo "==== $f not found ===="
  fi
done

# Global check: any checkout steps without explicit persist-credentials: false
echo "==== Global: checkout steps lacking persist-credentials ===="
rg -n --glob ".github/workflows/*.yml" "uses:\s*actions/checkout@" .github/workflows/*.yml | while read -r line; do
  file=$(echo "$line" | cut -d: -f1)
  lineno=$(echo "$line" | cut -d: -f2)
  # Check whether within next 10 lines there's persist-credentials
  if ! sed -n "$((lineno+1)),$((lineno+12))p" "$file" | rg -q "persist-credentials:"; then
    echo "MISSING persist-credentials near $file:$lineno"
  fi
done

# Also check if persist-credentials is set to true anywhere
echo "==== Global: persist-credentials values ===="
rg -n --glob ".github/workflows/*.yml" "persist-credentials:" .github/workflows/*.yml || true

Repository: NativeScript/ios

Length of output: 820


🏁 Script executed:

#!/bin/bash
set -euo pipefail

for f in .github/workflows/npm_release.yml .github/workflows/pull_request.yml; do
  echo "==== $f (actions/checkout usages + nearby 'with:') ===="
  if [ ! -f "$f" ]; then
    echo "NOT FOUND"
    continue
  fi

  # Print checkout steps with a bit of context
  rg -n -C 3 "uses:\s*actions/checkout@" "$f" || true

  echo "==== $f (checkout steps missing persist-credentials in next 10 lines) ===="
  rg -n "uses:\s*actions/checkout@" "$f" | while IFS=: read -r lineno _; do
    # If persist-credentials doesn't appear in a nearby window, flag it
    if ! sed -n "$((lineno+1)),$((lineno+12))p" "$f" | rg -q "persist-credentials:"; then
      echo "MISSING persist-credentials near $f:$lineno"
    fi
  done
  echo
done

echo "==== Global: persist-credentials occurrences in workflows ===="
rg -n "persist-credentials:" .github/workflows/*.yml || true

Repository: NativeScript/ios

Length of output: 2690


🏁 Script executed:

#!/bin/bash
set -euo pipefail

show_block () {
  local file="$1"
  local lineno="$2"
  echo "---- $file around line $lineno ----"
  sed -n "$((lineno-3)),$((lineno+10))p" "$file" | cat -n | sed 's/^ *//'
  echo
}

# npm_release checkout line numbers: 27, 97, 220
show_block ".github/workflows/npm_release.yml" 27
show_block ".github/workflows/npm_release.yml" 97
show_block ".github/workflows/npm_release.yml" 220

# pull_request checkout line numbers: 16, 73
show_block ".github/workflows/pull_request.yml" 16
show_block ".github/workflows/pull_request.yml" 73

Repository: NativeScript/ios

Length of output: 3443


🌐 Web query:

actions/checkout persist-credentials default value v6

💡 Result:

The default value for the persist-credentials input in actions/checkout v6 is true [1][2]. While the default behavior remains enabled, starting with v6.0.0, the implementation of how these credentials are persisted was improved for security [3][4]. Instead of writing the credentials directly into the local .git/config file, the action now stores them in a separate file located under $RUNNER_TEMP [1][3]. The credentials are still removed during post-job cleanup, and you can opt out of this behavior by setting persist-credentials to false in your workflow [1][5].

Citations:


Set persist-credentials: false on all actions/checkout steps (npm_release + pull_request)

actions/checkout@v6 defaults persist-credentials: true, and both .github/workflows/npm_release.yml (checkout steps at lines 27, 97, 220) and .github/workflows/pull_request.yml (checkout steps at lines 16, 73) omit persist-credentials while using submodules: true—so later steps can access the GitHub token. Add persist-credentials: false to each checkout step while keeping the existing submodules: true.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm_release.yml around lines 27 - 30, The checkout steps
using actions/checkout@v6 (e.g. the existing step with uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and other checkout
occurrences in the workflows) currently set submodules: true but omit
persist-credentials; update each actions/checkout step in both workflows to add
persist-credentials: false (keeping submodules: true) so the GITHUB_TOKEN is not
persisted to later steps; ensure every checkout block that currently has
submodules: true gets the new persist-credentials: false entry.

Source: Linters/SAST tools

- name: LLVM cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
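Review bot: the new `submodules: true` on this checkout is not paired with `persist-credentials: false`, so the job token that checkout configures for the clone and the submodule fetch stays available to every later step of the job (the zizmor artipacked warning above is the same point). The submodule URLs in .gitmodules are plain https://github.com URLs, and actions/checkout still uses the token during its own step when persistence is off, so adding `persist-credentials: false` under this `with:` next to `fetch-depth: 0` and `submodules: true` costs nothing here. Also worth confirming: `submodules: true` is non-recursive, so any submodules nested inside TestRunner/app/shared would not be checked out; `submodules: recursive` is the alternative if the test app has its own.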
@@ -94,6 +95,8 @@ jobs:
with:
xcode-version: ${{env.XCODE_VERSION}}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
submodules: true
- name: LLVM cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
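Review bot: this second checkout (line 97 of the new file) gains a `with:` block only to add `submodules: true`; the same `persist-credentials: false` suggestion applies to it. Since the release workflow now has two checkouts fetching the submodule, please confirm this job actually builds TestRunner (the only path that needs TestRunner/app/shared); if it does not, leaving `submodules` off keeps the checkout shallow and avoids the extra token use.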
3 changes: 3 additions & 0 deletions .github/workflows/pull_request.yml
@@ -16,6 +16,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
submodules: true
- name: LLVM cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
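Review bot: same gap as in npm_release.yml: `submodules: true` is added to a checkout that does not set `persist-credentials: false`. For a workflow triggered by pull requests this is the more important one to fix, because the persisted token stays in the job for every later step that builds and runs the contributed code; suggest adding `persist-credentials: false` here and in the second checkout below so the two workflows stay identical.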
@@ -70,6 +71,8 @@ jobs:
with:
xcode-version: ${{env.XCODE_VERSION}}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
submodules: true
- name: LLVM cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
4 changes: 4 additions & 0 deletions .gitmodules
@@ -2,3 +2,7 @@
path = libffi
url = https://github.com/NativeScript/libffi.git
branch = darind/v8-ios
[submodule "TestRunner/app/shared"]
path = TestRunner/app/shared
url = https://github.com/NativeScript/common-runtime-tests-app.git
branch = master
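Review bot: `branch = master` in the new TestRunner/app/shared entry does not affect what CI checks out: actions/checkout and `git submodule update` use the commit recorded in the superproject's gitlink, and `branch` is only consulted by `git submodule update --remote`. That pinning is what you want, but the gitlink for TestRunner/app/shared is not among the files shown here, so reviewers cannot see which commit of common-runtime-tests-app the test runner will pull in; please state that commit in the PR description so it can be audited. Keeping `branch =` for convenience is fine and matches the libffi entry above.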