
chore: improve CI workflows and README documentation#314

Merged: ignaciosantise merged 8 commits into main from chore/ci-changes on Jan 15, 2026

Conversation

ignaciosantise (Collaborator) commented Jan 14, 2026

Summary

This PR improves CI workflows and documentation for better maintainability.

Workflow Changes

  • Move Firebase App IDs from secrets to variables (not sensitive; having them visible in logs helps debugging)
  • Rename secrets for consistency:
    • W3W_* → WALLETKIT_*
    • W3M_WAGMI_* → APPKIT_*
  • Move WC_INTERNAL_KEYSTORE_NAME from secret to variable
  • Simplify google-services handling:
    • Android: plain text (no base64)
    • iOS: keep base64 (XML parsing issues)

New Script

  • scripts/create-certificates.sh - Automates fastlane match with branch protection (creates branch, runs match, creates PR, merges)

README Updates

  • Improved intro and app listings
  • Fastlane installation guide (rbenv, bundle install)
  • Certificate creation/download documentation
  • Sentry configuration guide
  • Google Services file encoding instructions

Action Required

After merging, update GitHub secrets/variables:

Secrets to DELETE

| Secret | Reason |
| --- | --- |
| `W3W_SENTRY_FILE` | Renamed to `WALLETKIT_*` |
| `W3W_ANDROID_INTERNAL_FIREBASE_APP_ID` | Moved to variable |
| `W3W_ANDROID_PROD_FIREBASE_APP_ID` | Moved to variable |
| `W3W_IOS_INTERNAL_GOOGLE_SERVICES_FILE` | Renamed to `WALLETKIT_*` |
| `W3W_IOS_PROD_GOOGLE_SERVICES_FILE` | Renamed to `WALLETKIT_*` |
| `W3M_WAGMI_SENTRY_FILE` | Renamed to `APPKIT_*` |
| `W3M_WAGMI_ANDROID_INTERNAL_FIREBASE_APP_ID` | Moved to variable |
| `WC_INTERNAL_KEYSTORE_NAME` | Moved to variable |
| `POS_ANDROID_FIREBASE_APP_ID` | Moved to variable |
| `POC_POS_ANDROID_FIREBASE_APP_ID` | Moved to variable |
| `APPKIT_ANDROID_PROD_FIREBASE_APP_ID` | Moved to variable |

Secrets to CREATE

| Secret | Value Source |
| --- | --- |
| `WALLETKIT_SENTRY_FILE` | Copy from `W3W_SENTRY_FILE` |
| `WALLETKIT_IOS_INTERNAL_GOOGLE_SERVICES_FILE` | Copy from `W3W_IOS_INTERNAL_GOOGLE_SERVICES_FILE` |
| `WALLETKIT_IOS_PROD_GOOGLE_SERVICES_FILE` | Copy from `W3W_IOS_PROD_GOOGLE_SERVICES_FILE` |
| `APPKIT_SENTRY_FILE` | Copy from `W3M_WAGMI_SENTRY_FILE` |

Variables to CREATE

| Variable | Value |
| --- | --- |
| `WC_INTERNAL_KEYSTORE_NAME` | Copy from secret |
| `WALLETKIT_ANDROID_INTERNAL_FIREBASE_APP_ID` | Firebase App ID |
| `WALLETKIT_ANDROID_PROD_FIREBASE_APP_ID` | Firebase App ID |
| `APPKIT_ANDROID_INTERNAL_FIREBASE_APP_ID` | Firebase App ID |
| `APPKIT_ANDROID_PROD_FIREBASE_APP_ID` | Firebase App ID |
| `POS_ANDROID_FIREBASE_APP_ID` | Firebase App ID |
| `POC_POS_ANDROID_FIREBASE_APP_ID` | Firebase App ID |

Tests

  • Run release actions with all variants and check they all work

- Move Firebase App IDs from secrets to variables (not sensitive)
- Rename W3W_* secrets to WALLETKIT_* for consistency
- Rename W3M_WAGMI_* secrets to APPKIT_* for consistency
- Move WC_INTERNAL_KEYSTORE_NAME from secret to variable
- Remove base64 encoding for Android google-services.json (plain text)
- Keep base64 encoding for iOS GoogleService-Info.plist (XML issues)
- Add create-certificates.sh script for fastlane match with branch protection
- Update README with:
  - Improved intro and app listings
  - Fastlane installation and certificate management docs
  - Sentry configuration guide
  - Google Services file encoding instructions
- Add .ruby-version file (3.3.0)
Copilot AI review requested due to automatic review settings January 14, 2026 18:27
vercel bot commented Jan 14, 2026

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| react-native-examples | Ready | Preview, Comment | Jan 14, 2026 7:50pm |


claude bot commented Jan 14, 2026

Claude finished @ignaciosantise's task in 1m 48s


Review Complete

Found 3 issue(s)

Issue 1: Bash script executes gh API commands without error handling for API failures

ID: create-certi-gh-api-errors-a3f1
File: scripts/create-certificates.sh:33
Severity: MEDIUM
Category: error_handling

The script fetches the master branch SHA using gh api but doesn't validate if the API call succeeds or if the response contains valid data. If the GitHub API fails, returns an error, or the master branch doesn't exist, MASTER_SHA will be empty/invalid, causing the subsequent branch creation to fail silently or with unclear errors.

Recommendation: Add error handling to validate API responses:

```bash
# Quote the repo slug and send the error to stderr so callers can capture stdout
MASTER_SHA=$(gh api "repos/${CERTS_REPO}/git/ref/heads/master" --jq '.object.sha' 2>/dev/null)
if [ -z "$MASTER_SHA" ]; then
  echo "Error: Failed to fetch master branch SHA from ${CERTS_REPO}" >&2
  exit 1
fi
```

Issue 2: Bash script merges PR automatically without verification of fastlane match success

ID: create-certi-auto-merge-risk-b8c2
File: scripts/create-certificates.sh:56
Severity: MEDIUM
Category: automation_risk

The script automatically merges the PR immediately after creation (lines 56-60) without verifying that the fastlane match command (line 40) actually succeeded in creating valid certificates. If fastlane fails or creates corrupt certificates, the script will still create and auto-merge a PR with broken/incomplete certificate changes.

Recommendation: Add explicit success verification after fastlane match and consider requiring manual review:

```bash
# After line 44, add:
if [ $? -ne 0 ]; then
  echo "Error: fastlane match failed" >&2
  echo "Branch ${BRANCH_NAME} created but PR not opened. Review and fix manually." >&2
  exit 1
fi

# For lines 56-60, consider removing auto-merge or adding a flag:
# Option 1: Remove auto-merge entirely (safest)
echo "✅ PR created: Review and merge manually when ready"

# Option 2: Add a flag to control auto-merge
if [ "$AUTO_MERGE" = "true" ]; then
  gh pr merge "${BRANCH_NAME}" --repo "${CERTS_REPO}" --merge --delete-branch
fi
```

Issue 3: Inconsistent handling of google-services-file secret across workflow files

ID: release-andro-inconsistent-gservices-c9d3
File: .github/workflows/release-android-base.yaml:127
Severity: LOW
Category: code_quality

The Android base workflow checks if google-services-file is empty using shell conditionals (line 128: if: ${{ env.google-services-file != '' }}), but this pattern is inconsistent with how the iOS workflow handles the same secret. Additionally, the comment at line 124 says "plain JSON, no base64 encoding needed" but doesn't clarify what happens if the file is malformed JSON.

Recommendation: Add validation for JSON format:

```yaml
- name: Add Google Services file
  env:
    google-services-file: ${{ secrets.google-services-file }}
  if: ${{ env.google-services-file != '' }}
  run: |
    echo '${{ secrets.google-services-file }}' > ${{ inputs.root-path }}/android/app/google-services.json
    # Validate JSON format
    if ! jq empty ${{ inputs.root-path }}/android/app/google-services.json 2>/dev/null; then
      echo "Error: Invalid JSON in google-services-file secret"
      exit 1
    fi
```

Automated Checks

✅ No external domain URLs detected (all URLs point to approved domains: reown.com, github.com, sentry.io, fastlane.tools)
✅ No static resource cache-control issues detected
✅ No GitHub Actions security issues detected (workflows use workflow_call and workflow_dispatch triggers only)
✅ No WalletConnect Pay architecture violations detected


Summary

This PR improves CI maintainability by renaming secrets for consistency (`W3W_*` → `WALLETKIT_*`, `W3M_WAGMI_*` → `APPKIT_*`), moving non-sensitive Firebase App IDs from secrets to variables, and adding comprehensive documentation for certificate management and Google Services file handling.

Key improvements:

  • Clearer secret naming conventions align with current product names
  • Firebase App IDs as variables enables better debugging (visible in logs)
  • New create-certificates.sh script automates fastlane match workflow
  • Enhanced README with fastlane setup, certificate creation, and file encoding guides

Found 3 non-blocking issues:

  • Script error handling could be more robust
  • Auto-merge behavior in certificate script may bypass validation
  • Minor JSON validation opportunity in workflow

All issues are low-to-medium severity and don't block merging. The PR substantially improves CI/CD maintainability.
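A hardened control flow for the certificate script, as an added bash sketch that is not the repository's scripts/create-certificates.sh. It folds in the two recommendations in the review above (validate the SHA fetch, gate auto-merge) and the checks the follow-up commit message on this page lists (branch-exists check, cleanup on fastlane match failure, opt-in `--auto-merge`). Assumed rather than taken from the page: `CERTS_REPO` is the fastlane match storage repository, `master` is its protected base branch (the review refers to master), `MATCH_TYPE` defaults to `appstore`, `gh` is authenticated and `bundle exec fastlane match` is configured. The gh and fastlane calls use plain command names so the helpers can be sourced and exercised with stubbed commands; `main` runs only when the file is saved as create-certificates.sh.

```bash
#!/usr/bin/env bash
# Added example, not the project's script. See the lead-in for the assumptions
# (CERTS_REPO, base branch master, MATCH_TYPE, authenticated gh, fastlane match).
set -eu

CERTS_REPO="${CERTS_REPO:-}"
BASE_BRANCH="${BASE_BRANCH:-master}"
MATCH_TYPE="${MATCH_TYPE:-appstore}"
BRANCH_NAME=""
BRANCH_CREATED=false   # set once the remote branch exists
MATCH_DONE=false       # set once fastlane match has pushed certificates to it

usage() { echo "usage: CERTS_REPO=org/repo $0 [--auto-merge]" >&2; exit 2; }

# --- pure helpers (no network) -------------------------------------------
make_branch_name() {           # deterministic when a timestamp is supplied
  echo "certs/update-${1:-$(date -u +%Y%m%d-%H%M%S)}"
}

parse_auto_merge() {           # prints true/false; rejects unknown flags
  result=false
  for arg in "$@"; do
    case "$arg" in
      --auto-merge) result=true ;;
      -h|--help)    usage ;;
      *) echo "unknown flag: $arg" >&2; return 2 ;;
    esac
  done
  echo "$result"
}

is_sha() {                     # a full 40-hex git object id and nothing else
  case "$1" in
    ""|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# --- gh-backed steps -----------------------------------------------------
fetch_base_sha() {             # fail loudly instead of continuing with ""
  sha="$(gh api "repos/${CERTS_REPO}/git/ref/heads/${BASE_BRANCH}" \
           --jq '.object.sha' 2>/dev/null)" || sha=""
  if ! is_sha "$sha"; then
    echo "error: could not resolve ${BASE_BRANCH} on ${CERTS_REPO}" >&2
    return 1
  fi
  echo "$sha"
}

branch_exists() { gh api "repos/${CERTS_REPO}/git/ref/heads/$1" >/dev/null 2>&1; }

create_branch() {              # POST /repos/{repo}/git/refs with {ref, sha}
  gh api "repos/${CERTS_REPO}/git/refs" -f "ref=refs/heads/$1" -f "sha=$2" >/dev/null
}

cleanup() {                    # on failure, drop a branch that never received certificates
  status=$?
  if [ "$status" -ne 0 ] && [ "$BRANCH_CREATED" = true ] && [ "$MATCH_DONE" = false ]; then
    echo "cleanup: deleting empty branch ${BRANCH_NAME}" >&2
    gh api -X DELETE "repos/${CERTS_REPO}/git/refs/heads/${BRANCH_NAME}" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

main() {
  [ -n "$CERTS_REPO" ] || usage
  auto_merge="$(parse_auto_merge "$@")"
  BRANCH_NAME="$(make_branch_name)"
  if branch_exists "$BRANCH_NAME"; then
    echo "error: ${BRANCH_NAME} already exists on ${CERTS_REPO}" >&2; exit 1
  fi
  base_sha="$(fetch_base_sha)"          # set -e aborts here if the SHA is bad
  create_branch "$BRANCH_NAME" "$base_sha"
  BRANCH_CREATED=true
  # --git_branch is match's option for the storage branch it reads and writes.
  # A non-zero exit aborts the script and the EXIT trap removes the empty branch.
  bundle exec fastlane match "$MATCH_TYPE" --git_branch "$BRANCH_NAME"
  MATCH_DONE=true
  pr_url="$(gh pr create --repo "$CERTS_REPO" --base "$BASE_BRANCH" --head "$BRANCH_NAME" \
    --title "Update certificates (${BRANCH_NAME})" --body "Created by fastlane match")"
  echo "PR created: $pr_url"
  if [ "$auto_merge" = true ]; then
    gh pr merge "$pr_url" --repo "$CERTS_REPO" --merge --delete-branch
  else
    echo "Review and merge manually (pass --auto-merge to merge automatically)"
  fi
}

# Only run when executed under the script's own name; sourcing it for tests does nothing.
case "${0##*/}" in create-certificates.sh) main "$@" ;; esac
```

The branch is deleted by the trap only while `MATCH_DONE` is still false: once match has pushed certificates, a later failure (for example `gh pr create` rejected) leaves the branch in place for manual review, since deleting it would discard real key material rather than an empty ref.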


Copilot AI left a comment

Pull request overview

This PR refactors CI/CD workflows and improves documentation by standardizing secret naming conventions, migrating non-sensitive configuration from secrets to variables, and adding comprehensive guides for certificate management and project setup.

Changes:

  • Renamed secrets for consistency (`W3W_*` → `WALLETKIT_*`, `W3M_WAGMI_*` → `APPKIT_*`)
  • Moved Firebase App IDs and keystore names from secrets to workflow variables for better transparency
  • Added automation script for certificate creation with fastlane match
  • Enhanced README with fastlane setup, certificate management, and configuration guides
  • Simplified Android google-services file handling to use plain JSON instead of base64

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| scripts/create-certificates.sh | New automation script for creating certificates via fastlane match with PR workflow |
| dapps/poc-pos-app/app.json | Updated app display name from "WPay" to "WPay PoC" for clarity |
| README.md | Added comprehensive documentation for fastlane, certificate management, and configuration files |
| .ruby-version | Added Ruby 3.3.0 version specification for consistency |
| .github/workflows/release-walletkit.yaml | Updated to use WALLETKIT_* secrets and moved Firebase App IDs to variables |
| .github/workflows/release-pos.yaml | Moved Firebase App ID from secret to variable |
| .github/workflows/release-pos-poc.yaml | Moved Firebase App ID to variable and removed unused testflight-groups parameter |
| .github/workflows/release-ios-base.yaml | Updated comment to clarify base64 encoding for iOS Google Services files |
| .github/workflows/release-appkit.yaml | Updated to use APPKIT_* secrets and moved Firebase App IDs to variables |
| .github/workflows/release-android-base.yaml | Changed Firebase App ID to input parameter and simplified Android Google Services file handling to plain JSON |
| .github/workflow-templates/e2e-template.yaml | Removed unused workflow template |
| .github/workflow-templates/e2e-template.properties.json | Removed unused workflow template metadata |


Consistent approach for both Android and iOS - all google-services files use base64 encoding
- Check if branch already exists before creating
- Validate master SHA fetch with error message
- Handle fastlane match failures with cleanup
- Verify PR creation success
- Add --auto-merge flag (default: manual merge required)
- Add cleanup function for failed runs
- Better error messages throughout
ignaciosantise (Collaborator, Author) commented

@claude review


claude bot commented Jan 14, 2026

Claude finished @ignaciosantise's task in 1m 34s


🔄 Incremental Review

  • Extract previous review issue IDs
  • Read and analyze changed files
  • Verify previously reported issues
  • Identify new issues
  • Run automated checks
  • Post final review

Previously Reported Issues - Status Update

✅ Resolved Issues:

  1. ID: create-certi-gh-api-errors-a3f1 (gh API error handling) - Fixed in lines 58-63 with proper error checking
  2. ID: create-certi-auto-merge-risk-b8c2 (auto-merge without validation) - Fixed with fastlane exit code check (lines 76-85) and --auto-merge flag (lines 105-125)

ℹ️ Acknowledged by Author:

  1. ID: release-andro-inconsistent-gservices-c9d3 (google-services-file handling) - Author noted will use base64 for all

Found 1 issue(s)

Issue 1: AppKit Android workflow missing google-services-file secret configuration

ID: appkit-missing-gservices-d8f4
File: .github/workflows/release-appkit.yaml:49
Severity: MEDIUM
Category: configuration

AppKit Android workflow does not pass google-services-file secret to the base workflow, while WalletKit workflow does (line 49). This inconsistency means AppKit builds will skip Google Services configuration (base workflow checks if: ${{ env.google-services-file != '' }}), potentially causing Firebase features to fail at runtime.

Recommendation: Add the google-services-file secret to AppKit Android job:

```yaml
secrets:
  env-file: ${{ secrets.APPKIT_ENV_FILE }}
  sentry-file: ${{ secrets.APPKIT_SENTRY_FILE }}
  secrets-file: ${{ secrets.ANDROID_SECRETS_FILE }}
  gsa-key: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_KEY }}
  keystore-name: ${{ inputs.release-type == 'internal' && vars.WC_INTERNAL_KEYSTORE_NAME || vars.WC_PROD_KEYSTORE_NAME }}
  keystore: ${{ inputs.release-type == 'internal' && secrets.WC_INTERNAL_KEYSTORE || secrets.WC_PROD_KEYSTORE }}
  google-services-file: ${{ secrets.APPKIT_ANDROID_GOOGLE_SERVICES_BASE64 }}
  aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
  slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
```

Automated Checks

✅ No external domain URLs detected (all URLs: reown.com, fastlane.tools, github.com, sentry.io, discord.com)
✅ No static resource cache-control issues detected
✅ No GitHub Actions security issues detected (workflows use workflow_call and workflow_dispatch triggers only)
✅ No WalletConnect Pay architecture violations detected


Summary

Incremental review confirms previous critical issues in create-certificates.sh have been properly addressed with error handling and an opt-in --auto-merge flag. Secret renaming (`W3W_*` → `WALLETKIT_*`, `W3M_WAGMI_*` → `APPKIT_*`) and Firebase App ID migration to variables improves CI maintainability.

One new configuration issue identified: AppKit Android workflow missing google-services-file secret that WalletKit has. Non-blocking but should be addressed for Firebase feature parity.
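A base-workflow step that materialises google-services.json from a base64 secret, which is the approach the author settled on (the commit "all google-services files use base64 encoding" on this page), as an added example that is not the repository's release-android-base.yaml. It assumes the `google-services-file` secret input and the `root-path` input named on this page, and GNU `base64` plus `jq` on the runner (both present on ubuntu-latest). Unlike the `echo '${{ secrets.google-services-file }}'` form suggested in the first review, the secret reaches the shell only as an environment variable, so no part of its content is parsed as script text; the step then refuses to continue unless the decoded file is JSON carrying the `project_info.project_id` field that every real google-services.json has.

```yaml
# Added example, not the project's workflow. One step of a reusable workflow
# in the shape of release-android-base.yaml; secret and input names follow this PR.
- name: Add Google Services file
  if: ${{ env.GOOGLE_SERVICES_B64 != '' }}
  env:
    # Pass the secret as an environment variable. Writing ${{ secrets... }}
    # inside `run:` pastes the value into the script before the shell runs,
    # where any quote or metacharacter in it is interpreted as shell syntax.
    GOOGLE_SERVICES_B64: ${{ secrets.google-services-file }}
    ROOT_PATH: ${{ inputs.root-path }}
  run: |
    set -euo pipefail
    target="$ROOT_PATH/android/app/google-services.json"
    # Decode the single-line base64 blob back into the JSON file.
    printf '%s' "$GOOGLE_SERVICES_B64" | base64 -d > "$target"
    # Fail the job, and leave no half-written file behind, unless the result
    # parses as JSON and names a Firebase project.
    if ! jq -e '.project_info.project_id' "$target" > /dev/null; then
      echo "::error::google-services-file secret did not decode to a valid google-services.json"
      rm -f "$target"
      exit 1
    fi
    echo "google-services.json written for project $(jq -r '.project_info.project_id' "$target")"
```

The secret value is produced once, locally, as a single line so the GitHub secrets UI stores it intact: `base64 -w0 google-services.json` with GNU coreutils, or `base64 < google-services.json | tr -d '\n'` on macOS. The iOS counterpart keeps the same shape, with the decoded GoogleService-Info.plist checked by `plutil -lint` on the macOS runner instead of `jq`.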


Shows platform (🍎 iOS / 🤖 Android) and release type in the Actions list
@ignaciosantise ignaciosantise merged commit 13dd3f0 into main Jan 15, 2026
12 checks passed
@ignaciosantise ignaciosantise deleted the chore/ci-changes branch January 15, 2026 13:06
