feat(deps): migrate to more secure library for secret management (#11446

) * feat: replace react-native-config with react-native-keys * build(deps): add patch for react-native-keys * docs: add hacks.md entry for rn-keys * refactor: android to use reactnativekeys * refactor: android * refactor: js related code * refactor: ios related stuff - not working * attempt to fix missing node in pre-action * remove placeholder in echo file * undo config changes interfering with cocoapods * uncomment scheme change * update scripts to download the new file * fix: tests * refactor: oss stops complaining Co-authored-by: brainbicycle <[email protected]> * refactor: gitignore + script update * update setup script to update the new file * switch oss flag to string to fix android build Co-authored-by: George <[email protected]> * add back env plugin to fix mapbox token in gradle file Co-authored-by: George <[email protected]> * remove now unused .env file * attempt to handle nvm as well as asdf in preaction script * update preaction again to fix duplicate node stuff * update docs and minor cleanup Co-authored-by: George <[email protected]> * update doctor script Co-authored-by: George <[email protected]> * build(deps): remove most of the patch and bump react-native-keys Co-authored-by: brainbicycle <[email protected]> * workaround for timeout in ci --------- Co-authored-by: George Kartalis <[email protected]>
artsy · Jan 31, 2025 · b8177b0 · b8177b0
1 parent f823191
commit b8177b0
Show file tree

Hide file tree

Showing 48 changed files with 376 additions and 249 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -38,7 +38,7 @@ commands:
     steps:
       - run:
           name: "Set up .env file"
-          command: touch .env.shared && touch .env && scripts/setup/setup-env-for-ci
+          command: touch .env.shared && touch keys.shared.json && scripts/setup/setup-env-for-ci
   setup-awscli:
     steps:
       - run:

diff --git a/.env.example b/.env.example
diff --git a/.gitignore b/.gitignore
@@ -34,6 +34,7 @@ net.artsy.artsy.dev.pem
 ios/Artsy/App/Echo.json
 ios/Artsy/App/EchoNew.json
 **/.xcode.env.local
+ios/tmp.xcconfig
 
 # Fastlane
 Preview.html
@@ -103,6 +104,9 @@ native-hash.txt
 **/.env*
 !.env.example
 
+# Ignore key env files
+**/keys.shared.json
+
 # Android/IntelliJ
 .gradle
 .idea

diff --git a/.secrets.baseline b/.secrets.baseline
@@ -177,6 +177,22 @@
         "line_number": 86
       }
     ],
+    "keys.example.json": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "keys.example.json",
+        "hashed_secret": "49d94093659ddfdbd054f2f7d6cf6086ec83cfd2",
+        "is_verified": false,
+        "line_number": 4
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "keys.example.json",
+        "hashed_secret": "49d94093659ddfdbd054f2f7d6cf6086ec83cfd2",
+        "is_verified": false,
+        "line_number": 4
+      }
+    ],
     "scripts/utils/required_reason_api_usage.sh": [
       {
         "type": "Base64 High Entropy String",
@@ -1134,5 +1150,5 @@
       }
     ]
   },
-  "generated_at": "2025-01-10T17:13:48Z"
+  "generated_at": "2025-01-28T13:31:59Z"
 }
diff --git a/HACKS.md b/HACKS.md
@@ -296,3 +296,14 @@ https://github.com/software-mansion/react-native-reanimated/pull/6573
 #### Explanation/Context:
 
 In the HomeView Tasks, we want to update the FlatList's `CellRendererComponent` to update the `zIndex` of the rendered elements so they can be on top of each other, and to animate them we need to use Reanimated's FlatList, but it doesn't support updating the `CellRendererComponent` prop since they have their own implementation, so we added this patch to update the style of the component in Reanimated's FlatList.
+
+## patch-pacakge for react-native-keys
+
+#### When can we remove this:
+
+When react-native-keys fixes and releases the this issue:
+https://github.com/numandev1/react-native-keys/issues/86#issuecomment-2546610160
+
+#### Explanation/Context:
+
+Android was unable to build correctly on react-native 76 without excluding `libreactnative.so`
diff --git a/android/app/build.gradle b/android/app/build.gradle
@@ -4,12 +4,12 @@ apply plugin: "com.google.gms.google-services"
 apply plugin: "com.facebook.react"
 apply plugin: "org.jetbrains.kotlin.android"
 
-project.ext.envConfigFiles = [
-    debug: ".env.shared",
-    release: ".env.shared",
+project.ext.keyFiles = [
+ debug: "keys.shared.json",
+ release: "keys.shared.json",
 ]
 
-apply from: project(':react-native-config').projectDir.getPath() + "/dotenv.gradle"
+apply from: project(':react-native-keys').projectDir.getPath() + "/RNKeys.gradle"
 apply from: "../../node_modules/react-native-code-push/android/codepush.gradle"
 
 /**

diff --git a/android/app/src/main/java/net/artsy/app/MainApplication.kt b/android/app/src/main/java/net/artsy/app/MainApplication.kt
@@ -19,8 +19,8 @@ import com.facebook.react.soloader.OpenSourceMergedSoMapping
 import com.google.firebase.messaging.FirebaseMessaging
 import com.microsoft.codepush.react.CodePush
 import com.segment.analytics.Analytics
-import net.artsy.app.utils.ReactNativeConfigUtils
 import io.sentry.react.RNSentryPackage
+import com.reactnativekeysjsi.KeysModule.getSecureFor
 
 class MainApplication : Application(), ReactApplication {
 
@@ -55,14 +55,12 @@ class MainApplication : Application(), ReactApplication {
 
         ArtsyNativeModule.didLaunch(this.getSharedPreferences("launchConfig", MODE_PRIVATE))
 
-        var segmentWriteKey = BuildConfig.SEGMENT_PRODUCTION_WRITE_KEY_ANDROID
+        var segmentWriteKey: String = getSecureFor("SEGMENT_PRODUCTION_WRITE_KEY_ANDROID")
         if (BuildConfig.DEBUG) {
-            segmentWriteKey = BuildConfig.SEGMENT_STAGING_WRITE_KEY_ANDROID
+            segmentWriteKey = getSecureFor("SEGMENT_STAGING_WRITE_KEY_ANDROID")
         }
 
-        val analytics = Analytics.Builder(this,
-            ReactNativeConfigUtils.decode(segmentWriteKey, BuildConfig.GRAVITY_API_KEY)
-        ).build()
+        val analytics = Analytics.Builder(this, segmentWriteKey).build()
 
         Analytics.setSingletonInstance(analytics)
 

diff --git a/android/app/src/main/java/net/artsy/app/utils/ReactNativeConfigUtils.java b/android/app/src/main/java/net/artsy/app/utils/ReactNativeConfigUtils.java
diff --git a/android/build.gradle b/android/build.gradle
@@ -25,10 +25,9 @@ buildscript {
 }
 
 plugins {
-    id("co.uzzu.dotenv.gradle") version "4.0.0"
+  id("co.uzzu.dotenv.gradle") version "4.0.0"
 }
 
-
 allprojects {
     repositories {
         maven { url "https://appboy.github.io/appboy-android-sdk/sdk" }

diff --git a/android/gradle.properties b/android/gradle.properties
@@ -45,4 +45,5 @@ newArchEnabled=false
 # If set to false, you will be using JSC instead.
 hermesEnabled=true
 
-dotenv.filename=../.env.shared
+# Specify dotenv file name for access in build.gradle
+dotenv.filename=../.env.shared
diff --git a/docs/adding_new_keys.md b/docs/adding_new_keys.md
@@ -1,38 +1,18 @@
 # Adding a New Key
 
-Keys are stored in `.env.shared` file, accessed through [`react-native-config`](https://github.com/luggit/react-native-config). You need to rebuild in Xcode for changes to the file to take effect.
+Keys accessed within the app are stored in `keys.shared.json` file, accessed through [`react-native-keys`](https://github.com/numandev1/react-native-keys). You need to rebuild in Xcode for changes to the file to take effect.
 
-.env.shared is for artsy people to be able to work and compile.
+keys.shared.json is for artsy people to be able to work and compile.
 Is in .gitignore, and is downloaded by developers using the yarn setup:artsy script.
 It is also the main file that the app gets all the real env vars, keys etc.
 
-.env.example is for open source people to be able to work and compile and see what env vars need/use.
-It is committed in git, and we try to keep the exact layout copied over from .env.shared, but without any actual keys, we replace them with "-" or similar.
+keys.example.json is for open source people to be able to work and compile and see what env vars need/use.
+It is committed in git, and we try to keep the exact layout copied over from keys.shared.json, but without any actual keys, we replace them with "-" or similar.
 
-On the React Native side:
+On the React Native side follow these [docs](https://github.com/numandev1/react-native-keys?tab=readme-ov-file#javascript)
 
-```ts
-import Config from "react-native-config"
+On the native iOS side follow these [docs](https://github.com/numandev1/react-native-keys?tab=readme-ov-file#ios-1)
 
-// ...
+On the native android side follow these [docs](https://github.com/numandev1/react-native-keys?tab=readme-ov-file#android-)
 
-Config.KEY_NAME
-```
-
-On the native iOS side:
-
-```objc
-#import <react-native-config/ReactNativeConfig.h>
-
-// ...
-
-[ReactNativeConfig envFor:@"KEY_NAME"]
-```
-
-On the native android side:
-
-```java
-BuildConfig.KEY_NAME;
-```
-
-You'll need to update the keys in [`emission.d.ts`](https://github.com/artsy/eigen/blob/869d35e0d83d4afae2cb62ebeab924f420944b0f/typings/emission.d.ts#L58-L72) and [`setupJest.ts`](https://github.com/artsy/eigen/blob/4654bacbcdc8624fb2799e9f86ad7717c5ab604b/src/setupJest.ts#L319-L331).
+You'll need to update the keys in setupJest.ts, look for the mock for react-native-keys.
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -82,6 +82,8 @@ lane :ship_beta_ios do
   sentry_release_name = "ios-#{latest_version}-#{bundle_version}"
 
   sh('yarn bundle:ios')
+  # Workaround for timeout in ci
+  ENV["FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT"] = "120"
   build_ios_app(
     workspace: 'ios/Artsy.xcworkspace',
     configuration: 'Store',

diff --git a/ios/Artsy.xcodeproj/project.pbxproj b/ios/Artsy.xcodeproj/project.pbxproj
@@ -3336,7 +3336,6 @@
 			buildConfigurationList = 13B07F931A680F5B00A75B9A /* Build configuration list for PBXNativeTarget "Artsy" */;
 			buildPhases = (
 				400905DA34751CB03A2B22D1 /* [CP] Check Pods Manifest.lock */,
-				1A08BBFB291E6B7000062A70 /* Setup .env from react-native-config */,
 				FD10A7F022414F080027D42C /* Start Packager */,
 				13B07F871A680F5B00A75B9A /* Sources */,
 				13B07F8C1A680F5B00A75B9A /* Frameworks */,
@@ -3644,24 +3643,6 @@
 			shellPath = /bin/sh;
 			shellScript = "export SOURCEMAP_FILE=\"$PROJECT_DIR/../main.jsbundle.map\"\n\nset -e\n\nWITH_ENVIRONMENT=\"../node_modules/react-native/scripts/xcode/with-environment.sh\"\nREACT_NATIVE_XCODE=\"../node_modules/react-native/scripts/react-native-xcode.sh\"\n\n/bin/sh -c \"$WITH_ENVIRONMENT $REACT_NATIVE_XCODE\"\n";
 		};
-		1A08BBFB291E6B7000062A70 /* Setup .env from react-native-config */ = {
-			isa = PBXShellScriptBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-			);
-			inputFileListPaths = (
-			);
-			inputPaths = (
-			);
-			name = "Setup .env from react-native-config";
-			outputFileListPaths = (
-			);
-			outputPaths = (
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-			shellPath = /bin/sh;
-			shellScript = "cp \"${PROJECT_DIR}/../.env.shared\" \"${PROJECT_DIR}/../.env\"\n";
-		};
 		21D9FBA2AAC48EBB99241E8F /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
 			buildActionMask = 2147483647;

diff --git a/ios/Artsy.xcodeproj/xcshareddata/xcschemes/Artsy.xcscheme b/ios/Artsy.xcodeproj/xcshareddata/xcschemes/Artsy.xcscheme
@@ -1,10 +1,28 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
    LastUpgradeVersion = "1210"
-   version = "1.3">
+   version = "1.7">
    <BuildAction
       parallelizeBuildables = "YES"
       buildImplicitDependencies = "YES">
+      <PreActions>
+         <ExecutionAction
+            ActionType = "Xcode.IDEStandardExecutionActionsCore.ExecutionActionType.ShellScriptAction">
+            <ActionContent
+               title = "Run Script"
+               scriptText = "export KEYSFILE=keys.shared.json&#10;&#10;# Check for asdf&#10;if [ -f &quot;/opt/homebrew/opt/asdf/libexec/asdf.sh&quot; ]; then&#10;  . &quot;/opt/homebrew/opt/asdf/libexec/asdf.sh&quot;&#10;  echo &quot;Using Node via asdf&quot;&#10;elif [ -f &quot;/usr/local/libexec/asdf.sh&quot; ]; then&#10;  . &quot;/usr/local/libexec/asdf.sh&quot;&#10;  echo &quot;Using Node via asdf&quot;&#10;# Check for nvm&#10;elif [ -f &quot;$HOME/.nvm/nvm.sh&quot; ]; then&#10;  . &quot;$HOME/.nvm/nvm.sh&quot;&#10;  nvm use default &gt; /dev/null&#10;  echo &quot;Using Node via nvm&quot;&#10;else&#10;  echo &quot;Neither asdf nor nvm found! Please install one of them to use Node.js.&quot;&#10;  exit 1&#10;fi&#10;&#10;&quot;${SRCROOT}/../node_modules/react-native-keys/keysIOS.js&quot;&#10;">
+               <EnvironmentBuildable>
+                  <BuildableReference
+                     BuildableIdentifier = "primary"
+                     BlueprintIdentifier = "13B07F861A680F5B00A75B9A"
+                     BuildableName = "Artsy.app"
+                     BlueprintName = "Artsy"
+                     ReferencedContainer = "container:Artsy.xcodeproj">
+                  </BuildableReference>
+               </EnvironmentBuildable>
+            </ActionContent>
+         </ExecutionAction>
+      </PreActions>
       <BuildActionEntries>
          <BuildActionEntry
             buildForTesting = "YES"

diff --git a/ios/Artsy/App/ARAppDelegate+Emission.m b/ios/Artsy/App/ARAppDelegate+Emission.m
@@ -20,7 +20,7 @@
 #import "ARRouter.h"
 #import "AROptions.h"
 
-#import <react-native-config/ReactNativeConfig.h>
+#import "Keys.h"
 #import "AREmission.h"
 #import "ARTemporaryAPIModule.h"
 #import "AREventsModule.h"

diff --git a/ios/Artsy/App/ARAppDelegate.mm b/ios/Artsy/App/ARAppDelegate.mm
@@ -30,7 +30,7 @@
 #import "ARPHPhotoPickerModule.h"
 #import "ARCocoaConstantsModule.h"
 
-#import <react-native-config/ReactNativeConfig.h>
+#import "Keys.h"
 #import <ObjectiveSugar/ObjectiveSugar.h>
 #import <React/RCTBundleURLProvider.h>
 #import "AREmission.h"
@@ -138,7 +138,7 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         didFinishLaunchingWithOptions:launchOptions];
 
 
-    BOOL ossUser = [[ReactNativeConfig envFor:@"OSS"] isEqualToString:@"true"];
+    BOOL ossUser = [[Keys publicFor:@"OSS"] isEqualToString:@"true"];
     if ([FIRApp defaultApp] == nil && !ossUser) {
         [FIRApp configure];
     }
@@ -163,9 +163,9 @@ - (UIView *)createRootViewWithBridge:(RCTBridge *)bridge
 
 - (void)setupAnalytics:(UIApplication *)application withLaunchOptions:(NSDictionary *)launchOptions
 {
-    NSString *brazeAppKey = [ReactNativeConfig envFor:@"BRAZE_STAGING_APP_KEY_IOS"];
+    NSString *brazeAppKey = [Keys secureFor:@"BRAZE_STAGING_APP_KEY_IOS"];
     if (![ARAppStatus isDev]) {
-        brazeAppKey = [ReactNativeConfig envFor:@"BRAZE_PRODUCTION_APP_KEY_IOS"];
+        brazeAppKey = [Keys secureFor:@"BRAZE_STAGING_APP_KEY_IOS"];
     }
 
     NSString *brazeSDKEndPoint = @"sdk.iad-06.braze.com";
@@ -178,9 +178,10 @@ - (void)setupAnalytics:(UIApplication *)application withLaunchOptions:(NSDiction
     BrazeInAppMessageUI *inAppMessageUI = [[BrazeInAppMessageUI alloc] init];
     braze.inAppMessagePresenter = inAppMessageUI;
 
-    NSString *segmentWriteKey = [ReactNativeConfig envFor:@"SEGMENT_STAGING_WRITE_KEY_IOS"];
+    NSString *segmentWriteKey = [Keys secureFor:@"SEGMENT_STAGING_WRITE_KEY_IOS"];
+
     if (![ARAppStatus isDev]) {
-        segmentWriteKey = [ReactNativeConfig envFor:@"SEGMENT_PRODUCTION_WRITE_KEY_IOS"];
+        segmentWriteKey = [Keys secureFor:@"SEGMENT_PRODUCTION_WRITE_KEY_IOS"];
     }
 
     SEGAnalyticsConfiguration *configuration = [SEGAnalyticsConfiguration configurationWithWriteKey:segmentWriteKey];