[MOSIP-42820] prechecks enabled and severbaseurl

[Ivanmeneges]

Summary by CodeRabbit

• Chores
  • Updated CI workflows to improve reliability and job structure.
  • Added explicit initialization for security analysis and standardized checkout before builds.
  • Ensured build steps run in the correct subdirectories and added Flutter setup so Android builds include Flutter dependencies.
  • Reworked npm dependency install into a safer multi-step flow and adjusted when serverBaseURL substitution occurs.
  • Refined workflow dispatch inputs for Android triggers.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The PR updates two GitHub Actions workflows: .github/workflows/push_trigger.yml — adjusts CodeQL job indentation, adds an explicit "Initialize CodeQL" step, converts the CodeQL build into multi-line scripts (changing into client, making gradlew executable, running ./gradlew build || true), renames/clarifies the Checkout step, adds Flutter setup and moves npm install into a client working-directory with an intermediate repo listing step, and reorders some steps; and .github/workflows/build-android.yml — re-indents the inputs block under workflow_dispatch without changing the declared fields.

Changes

Cohort / File(s)	Change Summary
Push trigger workflow \.github/workflows/push_trigger.yml	Adjusted CodeQL job indentation and added an Initialize CodeQL step; expanded CodeQL build into multi-line script that cd client, chmod +x gradlew, and runs `./gradlew build
Build Android workflow \.github/workflows/build-android.yml	Re-indented the inputs block under workflow_dispatch (moved nesting level); preserved serverBaseURL input fields (description, required, default, type) unchanged.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Checkout as Checkout code\n(actions/checkout@v3)
    participant CodeQLInit as Initialize CodeQL
    participant Build as Build (client ./gradlew)
    participant Flutter as Flutter setup
    participant NPMCheck as Repo structure check
    participant NPM as Install npm deps (client)
    participant CodeQL as CodeQL Analyze

    rect rgba(235,245,255,0.20)
    GH->>Checkout: run checkout step
    end

    rect rgba(220,240,220,0.18)
    GH->>CodeQLInit: initialize CodeQL DB
    end

    rect rgba(255,250,220,0.14)
    GH->>Build: cd client -> chmod +x gradlew -> ./gradlew build || true
    end

    rect rgba(245,230,255,0.12)
    GH->>Flutter: setup Flutter & install dependencies
    end

    rect rgba(255,235,235,0.10)
    GH->>NPMCheck: list repo files (sanity)
    GH->>NPM: run npm install (working-directory: client)
    end

    rect rgba(255,240,245,0.12)
    GH->>CodeQL: analyze and upload results
    CodeQL-->>GH: results uploaded
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify YAML indentation and workflow_dispatch.inputs nesting in build-android.yml.
• Confirm Initialize CodeQL placement and consistent CodeQL step configuration.
• Check cd client contexts, working-directory: client for npm steps, and that gradlew permission change is correct.
• Validate Flutter setup steps and that no checkout duplication exists.

Possibly related PRs

• [MOSIP-42820] prechecks enabled and severbaseurl to be dynamic  #631 — modifies the same workflow files and introduces similar CodeQL/init and checkout/build step adjustments.

Suggested reviewers

• ase-101

Poem

🐰
Indents snug, the pipeline hops along,
CodeQL wakes and hums its little song,
Gradlew twitches, Flutter stretches wide,
NPM plants carrots in the client side,
CI garden grows — a hop, a build, a glide! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'MOSIP-42820 prechecks enabled and severbaseurl' is partially related to the changeset, referring to GitHub Actions workflow modifications but is vague and contains a typo ('severbaseurl' instead of 'serverbaseurl'), making it unclear what the primary change is.	Clarify the title to better reflect the main change, such as 'Configure GitHub Actions workflows for CodeQL and Android builds with serverBaseURL setup' or 'Fix GitHub Actions indentation and add CodeQL initialization', and correct the typo.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 99fba14 and e932f94.

📒 Files selected for processing (1)

• .github/workflows/push_trigger.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.8)

.github/workflows/push_trigger.yml

52-52: step must run script with "run" section or run action with "uses" section

(syntax-check)

🔇 Additional comments (2)

.github/workflows/push_trigger.yml (2)

50-50: Verify the workflow dependency chain is intentional.

Line 50 adds needs: [codeql], which makes the build job wait for the codeql job to complete before starting. This serializes the workflow execution—previously, these jobs could run in parallel.

Confirm this dependency is intended and aligns with the PR objectives, as it will increase overall workflow duration.

---

39-42: Refactored build command improves resilience.

The conversion of the CodeQL Build step from a single-line command to a multi-line script with explicit directory navigation, executable permission setup, and graceful failure handling (|| true) is a solid improvement. This handles initialization steps cleanly and allows the workflow to continue even if the build fails.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/push_trigger.yml (1)

50-50: New dependency adds sequential execution requirement.

The needs: [codeql] dependency ensures the build job waits for CodeQL analysis to complete before starting. This is a good security practice but will serialize the jobs; consider whether parallel execution is needed for faster feedback.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e932f94 and 7dd9d3f.

📒 Files selected for processing (1)

• .github/workflows/push_trigger.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.8)

.github/workflows/push_trigger.yml

53-53: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (4)

.github/workflows/push_trigger.yml (4)

52-53: ✅ Previous YAML syntax issue is now fixed.

The checkout step is now properly formatted with name: and uses: as properties of the same list item with correct indentation, resolving the critical syntax error flagged in the prior review.

---

38-42: CodeQL build script properly handles build failures.

The multi-line script approach is correct, with cd client, executable permission for gradlew, and || true to continue on build failures. This allows CodeQL analysis to proceed even if the build fails.

---

84-86: Inconsistent error handling between build scripts.

The CodeQL build (line 42) uses || true to continue on failure, but the build-android job (line 86) does not. If this is unintentional, the build will fail immediately if gradlew assembleDebug encounters an error, whereas CodeQL allows failures to proceed. Ensure this aligns with your desired failure behavior.

---

79-81: Based on my verification using GitHub Actions documentation, I can confirm the core concern in the review comment is technically valid:

Key findings from GitHub Actions documentation:

• github.event.inputs is only available when a workflow is triggered with workflow_dispatch
• For other triggers (like push and pull_request), github.event.inputs is undefined/absent
• The workflow shown has only on: push: and on: pull_request: triggers

What this means:
If workflow_dispatch is not defined in the trigger configuration, then on line 81:

• ${{ github.event.inputs.defaultServerBaseURL }} will evaluate to an empty string
• The sed command will replace api-internal.sandbox.xyz.net with an empty string instead of a provided value
• This causes the build configuration to be corrupted

However, without access to the complete workflow file, I cannot definitively confirm whether workflow_dispatch is already defined elsewhere in the file or not. The review comment's assessment and suggested fix are correct in principle—this is a valid concern that requires either:

1. Verification that workflow_dispatch is already defined, OR
2. Implementation of the suggested fix to add it

---

The GitHub Actions workflow is missing the workflow_dispatch trigger with input definitions.

Line 81 references ${{ github.event.inputs.defaultServerBaseURL }}, which will be undefined unless the workflow is triggered via workflow_dispatch. Without it, sed will replace with an empty string, corrupting the build configuration. Add the suggested workflow_dispatch trigger with proper input definitions as shown in the original review comment.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/build-android.yml (1)

24-28: Verify the hardcoded hostname replacement is appropriate for your use case.

The sed command on Line 26-27 replaces the hardcoded hostname api-internal.sandbox.xyz.net with the provided serverBaseURL. This works if the build.gradle files consistently use this hostname, but consider whether:

1. This hostname pattern is always present in the build.gradle files that need updating
2. Multiple different hostnames might exist across different build.gradle files that also need replacement
3. A more flexible approach (e.g., environment variable templating or build configuration profiles) might be more maintainable

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7dd9d3f and 8a89695.

📒 Files selected for processing (1)

• .github/workflows/build-android.yml (1 hunks)

🔇 Additional comments (1)

.github/workflows/build-android.yml (1)

5-5: ✓ All claims in the review comment are technically accurate.

The review comment correctly identifies that the inputs: re-indentation under workflow_dispatch: follows proper GitHub Actions YAML syntax. The referenced patterns for accessing ${{ github.event.inputs.serverBaseURL }} and the conditional if: ${{ github.event_name == 'workflow_dispatch' }} are correct per GitHub Actions documentation. YAML indentation is properly validated in the comment's verification request.

No issues were identified during verification of the review comment's technical accuracy.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/push_trigger.yml (1)

30-31: Upgrade checkout action versions to v4 or later.

The actions/checkout@v3 action uses node16 under the hood, which is deprecated by GitHub. Additionally, the build-android job uses the even older actions/checkout@v2, which uses node12. The current recommended version is v6, though v4 is also stable and widely used.

Apply this diff to upgrade all checkout actions:

       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

And update line 75 in the build-android job:

-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4

Also applies to: 52-53

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a89695 and da3e025.

📒 Files selected for processing (1)

• .github/workflows/push_trigger.yml (3 hunks)

🧰 Additional context used

🪛 actionlint (1.7.8)

.github/workflows/push_trigger.yml

53-53: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (3)

.github/workflows/push_trigger.yml (3)

22-45: CodeQL job structure looks good.

The CodeQL job is properly formatted with correct indentation, includes the new "Initialize CodeQL" step, and the multi-line build script correctly changes to the client directory and makes gradlew executable. The || true fallback allows CodeQL analysis to proceed even if the build fails, which is reasonable for security scanning.

---

47-70: Build job dependency is well-structured.

The new needs: [codeql] dependency on Line 50 ensures proper job sequencing, and the checkout step syntax is now correctly formatted. The explicit Java setup configuration is also good.

---

72-95: build-android job structure is solid.

The addition of explicit cd client context before npm install and gradle build commands ensures consistent project structure references. This aligns with the directory layout assumptions.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/push_trigger.yml (1)

77-79: Consider removing debug step or clarifying intent.

The "Check repo structure" step (lines 77–79) uses ls -R . to list files, which appears to be a debug or diagnostic step. If not needed for the workflow's purpose, remove it to keep logs clean. If it serves a specific diagnostic purpose, add a comment explaining its necessity.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da3e025 and a11c082.

📒 Files selected for processing (1)

• .github/workflows/push_trigger.yml (3 hunks)

🧰 Additional context used

🪛 actionlint (1.7.8)

.github/workflows/push_trigger.yml

53-53: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (3)

.github/workflows/push_trigger.yml (3)

22-45: CodeQL job structure looks good.

The CodeQL job now has proper syntax with the Initialize step and multi-line build script. The || true flag allows CodeQL analysis to proceed even if the build fails, which is acceptable for analysis workflows. The Checkout step syntax from the previous review has been correctly fixed.

---

86-86: Unable to verify against actual codebase due to repository access issues.

However, the technical concerns raised in the review comment are sound based on GitHub Actions documentation:

1. github.event.inputs context limitation is correct: Web search confirms that github.event.inputs is only available for workflow_dispatch and workflow_call events, not for push or pull_request triggers. If line 86 uses this variable during a push/pull_request trigger without workflow_dispatch defined, it will fail.

2. The suggested fix is appropriate: Adding a workflow_dispatch section with the required inputs would enable the feature for manual triggers.

However, without repository access, I cannot verify:

• Whether workflow_dispatch is already defined in the actual workflow
• The actual trigger events configured (lines 4-19)
• The actual action versions in use
• Whether this is truly an unresolved issue or already addressed

The review comment's reasoning is technically valid, but its applicability to the actual PR code cannot be confirmed.

---

109-109: Based on my web search verification, I can confirm the technical accuracy of the review comment:

✅ Verified facts:

• actions/setup-java@v1 is indeed deprecated/obsolete
• v3+ requires an explicit distribution parameter (it is mandatory)
• zulu is a valid distribution option
• The suggested upgrade path and diff are technically sound

However, I cannot verify the file-specific claims because the repository could not be cloned in the sandbox environment. This means I cannot independently confirm:

• Whether line 109 actually contains actions/setup-java@v1
• Whether line 56 already uses v3 as claimed
• The exact context of these lines

---

Update deprecated actions/setup-java@v1 to v3.

Line 109 uses the deprecated actions/setup-java@v1. Update to v3 for consistency with line 56 and to access latest features and security patches.

Apply this diff:

-      - name: Set up JDK 11
-        uses: actions/setup-java@v1
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
         with:
+          distribution: zulu
           java-version: 11

The distribution parameter is required in v3+ (accepted values: temurin, zulu, adopt, liberica, microsoft, corretto, etc.). zulu is a valid choice compatible with Java 11.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Inconsistent action versions across workflow.

The workflow uses different versions of actions/checkout: v2 (line 75) vs v3 (lines 31, 53). Standardize to v3 or later for consistency and security.

Apply this diff to update line 75:

-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

Also applies to: 53-53, 31-31

🧰 Tools

🪛 actionlint (1.7.8)

75-75: the runner of "actions/checkout@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents

.github/workflows/push_trigger.yml lines 31, 53, and 75: the workflow mixes
actions/checkout@v2 (line 75) with @v3 (lines 31 and 53); update the checkout
action at all three lines to use actions/checkout@v3 (or a newer stable major
version) so the workflow uses a consistent, up-to-date version across the file.