[WIP][No QA] Decouple Sentry uploads from native builds#83268

Closed
roryabraham wants to merge 8 commits into main from rory-decouple-sentry-upload

@roryabraham roryabraham commented Feb 23, 2026

Separate Sentry uploads from native builds. This improves build resilience and allows us to just retry failed Sentry uploads, not the whole build. In the last few days I've seen builds fail twice due to network errors with Sentry.

This also consolidates the Sentry upload logic.

Fixed Issues

Prepares for #82999

Tests

  • Verify forced native test build uploads sourcemaps, proguard mappings, and dSYMs to Sentry
  • Verify adhoc builds create descriptive Sentry release names
  • Verify staging/production deploys use the version tag as the Sentry release name

QA Steps

No QA — CI workflow changes only.


Summary

Depends on #83244 (fix Android artifact paths).

This PR decouples Sentry uploads from the native build process so that:

  1. Sentry outages don't break builds — uploads happen in a separate, independently retryable job
  2. All platforms use the same upload path — centralized uploadSentry.yml callable workflow
  3. Secure sentry-cli installation — new setupSentryCLI composite action with SHA256 checksum verification (replaces curl | bash)

Changes

  • uploadSentry.yml (new): Callable workflow that downloads build artifacts and uploads sourcemaps (via getsentry/action-release), proguard mappings, and dSYMs (via sentry-cli) to Sentry with retry logic
  • setupSentryCLI/action.yml (new): Composite action for secure sentry-cli binary installation with checksum verification
  • buildAndroid.yml: Disable Sentry auto-upload during Rock build (SENTRY_DISABLE_AUTO_UPLOAD)
  • buildIOS.yml: Disable Sentry auto-upload during Rock build
  • buildWeb.yml: Disable Sentry auto-upload during web build
  • buildAdHoc.yml: Add sentryPrep job for descriptive release names + call uploadSentry.yml
  • deploy.yml: Add uploadSentry job using the version tag as release name

Known Issues

  • Rock Remote Build cache hits don't produce local sourcemaps/proguard/dSYM files, so the separate Sentry upload can only upload web sourcemaps on cache hits. Need to investigate whether Rock can export intermediate build artifacts. This may mean we need to keep SENTRY_AUTH_TOKEN in the Rock build env as a primary mechanism and use this workflow as supplemental.

Made with Cursor
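
The checksum-verified install that item 3 of the summary describes in place of `curl | bash`, as an added example that is not the PR's setupSentryCLI action. The function names are hypothetical, and `<RELEASE_ASSET_URL>` and `<PINNED_SHA256>` are placeholders for values the repository would pin:

```shell
#!/bin/sh
# Added example: verify a downloaded CLI binary against a pinned SHA256 before
# installing it. URL, digest and destination are supplied by the caller.

# sha256_of FILE: print the file's SHA256 as lowercase hex.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1      # GNU coreutils (Linux runners)
  else
    shasum -a 256 "$1" | cut -d' ' -f1  # macOS runners
  fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 0 and installs DEST only when SRC hashes to EXPECTED_SHA256.
# Returns 2 for a malformed pin, 1 for a mismatch; DEST is untouched in both cases.
install_verified() {
  _want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # An empty or truncated pin must never compare equal to anything.
  [ "${#_want}" -eq 64 ] || { echo "pin is not 64 hex chars" >&2; return 2; }
  case "$_want" in *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;; esac
  _got=$(sha256_of "$1")
  if [ "$_got" != "$_want" ]; then
    echo "SHA256 mismatch for $1: got ${_got:-<none>}, want $_want" >&2
    return 1
  fi
  install -m 0755 "$1" "$3"
}

# fetch_and_install URL EXPECTED_SHA256 DEST
# Downloads to a temp file, so nothing is executed or placed on PATH until the
# digest has been checked. Call with the release asset URL and the digest pinned
# in the repository, e.g.:
#   fetch_and_install "<RELEASE_ASSET_URL>" "<PINNED_SHA256>" "$HOME/bin/sentry-cli"
fetch_and_install() {
  _tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error --location --output "$_tmp" "$1" \
      && install_verified "$_tmp" "$2" "$3"; then _rc=0; else _rc=1; fi
  rm -f "$_tmp"
  return "$_rc"
}
```

The pinned digest only protects the install if it is committed alongside the workflow and reviewed when the version changes; fetching the digest from the same place as the binary at run time would verify nothing.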

roryabraham and others added 4 commits February 23, 2026 15:46
Sentry uploads currently happen inline during Gradle/Xcode/Webpack builds.
If Sentry is unreachable (e.g. transient DNS failure), the entire build fails.
The Android "clear cache and retry" mechanism made this worse by corrupting
the Gradle environment.

This commit:
- Disables Sentry auto-upload in all platform builds (Android, iOS, Web) by
  setting SENTRY_DISABLE_AUTO_UPLOAD=true instead of passing SENTRY_AUTH_TOKEN
- Removes the flawed Android build retry mechanism
- Creates a new callable uploadSentry.yml workflow that centralizes all Sentry
  upload logic using getsentry/action-release@v3 for sourcemaps and sentry-cli
  for proguard mappings and dSYMs
- Calls uploadSentry.yml from both deploy.yml (staging/production) and
  buildAdHoc.yml (adhoc, inherited by testBuild/testBuildOnPush)
- The uploadSentry job uses continue-on-error at the job level so Sentry
  failures never block builds or deploys

Co-authored-by: Cursor <cursoragent@cursor.com>

Replace `curl | bash` sentry-cli installation with a secure download
from GitHub releases that verifies SHA256 checksums, preventing supply
chain attacks via the install script.

Co-authored-by: Cursor <cursoragent@cursor.com>

Instead of auto-generating release names from the git SHA, construct
a human-readable name that includes App PR #, Mobile-Expensify PR #,
and short commit hashes. For example: adhoc-app83244-6d9d97b-me1234-abc1234

Co-authored-by: Cursor <cursoragent@cursor.com>

Pass the version tag (e.g. 9.0.35-0 for production, 9.0.35-0-staging
for staging) as the Sentry release name instead of auto-generating from
the git SHA.

Co-authored-by: Cursor <cursoragent@cursor.com>
roryabraham and others added 2 commits February 24, 2026 13:41
The change to replace SENTRY_AUTH_TOKEN with SENTRY_DISABLE_AUTO_UPLOAD
was lost during the merge with main. This restores consistency with the
iOS and web builds.

Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham changed the title [WIP][No QA] Decouple Sentry uploads from native builds [No QA] Decouple Sentry uploads from native builds Feb 24, 2026
@roryabraham roryabraham marked this pull request as ready for review February 24, 2026 21:43
@roryabraham roryabraham requested a review from a team as a code owner February 24, 2026 21:43
@melvin-bot melvin-bot bot requested review from Valforte and removed request for a team February 24, 2026 21:44

melvin-bot bot commented Feb 24, 2026

@Valforte Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

The Sentry SDK reports events under `new.expensify@<version>` (from
package.json), so uploaded sourcemaps must use the same release name.

Instead of passing a release name from callers, uploadSentry.yml now
computes it from the checked-out package.json. This eliminates the
sentryPrep job in buildAdHoc.yml and removes the release input
parameter entirely.

Co-authored-by: Cursor <cursoragent@cursor.com>
@roryabraham roryabraham changed the title [No QA] Decouple Sentry uploads from native builds [WIP][No QA] Decouple Sentry uploads from native builds Feb 24, 2026

For ad-hoc builds the artifacts are built from inputs.APP_REF, not
github.sha. Pass the ref through so the checkout matches the built
code and the derived release name is correct.

Co-authored-by: Cursor <cursoragent@cursor.com>

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1dbdc3a99a

@github-actions

🚧 @roryabraham has triggered a test Expensify/App build. You can view the workflow run here.

@github-actions

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #83268 Mobile-Expensify PR Expensify/Mobile-Expensify#13875.

Android 🤖: https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-android-Adhoc-1dbdc3a-75846f8-d5957faeef3a1a076d6a59285246454a87c98e09/index.html
iOS 🍎: ⏩ SKIPPED ⏩ (The build for iOS was skipped)
Web 🕸️: ⏩ SKIPPED ⏩ (The build for Web was skipped)

👀 View the workflow run that generated this build 👀

@roryabraham

Going to close this for #focus

@roryabraham roryabraham deleted the rory-decouple-sentry-upload branch February 26, 2026 23:35