[No QA] chore: bump rock to 0.11.5

[adhorodyski]

@chuckdries @mountiny

Explanation of Change

Following up on this Slack conversation, Rock in 0.9.0 (our current version) does not handle environmental variables correctly. This pull request bumps the version of Rock in the project to the latest release (11.5) to ensure we account for the content of .env in a secure manner. This was fixed in 11.4 here.
At the same time, this makes for a regular chore to stay up to date with latest fixes and performance improvements to the framework.

The new fingerprinting mechanism is the most impactful change in this PR.

Releases page: https://github.com/callstackincubator/rock/releases

Fixed Issues

$
PROPOSAL: https://expensify.slack.com/archives/C08CZDJFJ77/p1759444673926729

Tests

• Make sure the app builds correctly across every environment and remote builds pass as usual.

Offline tests

QA Steps

Same as tests.

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I verified there are no new alerts related to the canBeMissing param for useOnyx
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I used JaimeGPT to get English > Spanish translation. I then posted it in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If new assets were added or existing ones were modified, I verified that:
  • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
  • The assets load correctly across all supported platforms.
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

Android: mWeb Chrome

iOS: Native

iOS: mWeb Safari

MacOS: Chrome / Safari

MacOS: Desktop

[github-actions]

⚠️ This PR is possibly changing native code and/or updating libraries, it may cause problems with HybridApp. Please check if any patch updates are required in the HybridApp repo and run an AdHoc build to verify that HybridApp will not break. Ask Contributor Plus for help if you are not sure how to handle this. ⚠️

[melvin-bot]

@grgia Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[adhorodyski]

I struggle to understand if the failing GH actions validation is something to be fixed by me? Tried syncing with main but no luck so far.

[chuckdries]

Typechecks are currently failing in main. Will review this shortly

[adhorodyski]

🚨 Before merging, let's trigger both workflows (android+ios) for remote builds from this branch.

[github-actions]

🚧 @chuckdries has triggered a test Expensify/App build. You can view the workflow run here.

[github-actions]

🚧 @mountiny has triggered a test Expensify/App build. You can view the workflow run here.

[mountiny]

@chuckdries for these workflow changes you need to create internal copy of the branch so it has access to the secrets, you cannot run the workflow change from fork

Running it here #72601

[mountiny]

Reviewer Checklist

• I have verified the author checklist is complete (all boxes are checked off).
• I verified the correct issue is linked in the ### Fixed Issues section above
• I verified testing steps are clear and they cover the changes made in this PR
  • I verified the steps for local testing are in the Tests section
  • I verified the steps for Staging and/or Production testing are in the QA steps section
  • I verified the steps cover any possible failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
• I checked that screenshots or videos are included for tests on all platforms
• I included screenshots or videos for tests on all platforms
• I verified that the composer does not automatically focus or open the keyboard on mobile unless explicitly intended. This includes checking that returning the app from the background does not unexpectedly open the keyboard.
• I verified tests pass on all platforms & I tested again on:
  • Android: HybridApp
  • Android: mWeb Chrome
  • iOS: HybridApp
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop
• If there are any errors in the console that are unrelated to this PR, I either fixed them (preferred) or linked to where I reported them in Slack
• I verified there are no new alerts related to the canBeMissing param for useOnyx
• I verified proper code patterns were followed (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick).
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I verified that this PR follows the guidelines as stated in the Review Guidelines
• I verified other components that can be impacted by these changes have been tested, and I retested again (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar have been tested & I retested again)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• If a new component is created I verified that:
  • A similar component doesn't exist in the codebase
  • All props are defined accurately and each prop has a /** comment above it */
  • The file is named correctly
  • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
  • The only data being stored in the state is data necessary for rendering and nothing else
  • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
  • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
  • All JSX used for rendering exists in the render method
  • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG)
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• For any bug fix or new feature in this PR, I verified that sufficient unit tests are included to prevent regressions in this flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
• I have checked off every checkbox in the PR reviewer checklist, including those that don't apply to this PR.

Screenshots/Videos

Android: HybridApp

Android: mWeb Chrome

iOS: HybridApp

iOS: mWeb Safari

MacOS: Chrome / Safari

MacOS: Desktop

[mountiny]

Sorry I was wrong, this is just package update so no need for internal branch

[mountiny]

I think we shoul dbe good to merge once the actions pass

[mountiny]

@adhorodyski Can you run npm run gh-actions-build and push the changes, sometimes the package json changes will cause this

[chuckdries]

I'm fine merging this - everything works as it did before - but I'm seeing it does not solve the issue we talked about in slack.

1. Have .env set to point at local dev environment
2. Checkout this PR, npm i, npm run pod-install
3. npm run ios
4. Observe app launches in simulator and makes authentication calls against local dev env
5. Uninstall app from simulator
6. Replace contents of your .env with .env.staging, so it should call the staging env
7. npm run ios
8. Observe project fingerprint is the same as it was before so it uses the cached build
9. Observe that signin still calls your local env rather than staging

rock.update.is.calling.local.env.when.it.shouldn.t.mp4

[github-actions]

🧪🧪 Use the links below to test this adhoc build on Android, iOS, Desktop, and Web. Happy testing! 🧪🧪
Built from App PR #72568.

Android 🤖	iOS 🍎
https://ad-hoc-expensify-cash.s3.amazonaws.com/android/72568/index.html	https://ad-hoc-expensify-cash.s3.amazonaws.com/ios/72568/index.html

Desktop 💻	Web 🕸️
https://ad-hoc-expensify-cash.s3.amazonaws.com/desktop/72568/NewExpensify.dmg	https://72568.pr-testing.expensify.com

---

👀 View the workflow run that generated this build 👀

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 9 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[adhorodyski]

Let's wait with merging this until we resolve remote builds on main (failing on iOS).

[adhorodyski]

@chuckdries ok I think the problem is within the fingerprint itself for Hybrid. I know it's not perfect (and the hash should reflect a state of the file system) so with the changed root (compared to ND only) it's missing the root .env. Let me try to fix this one.

btw no need for running npm run pod-install manually, Rock does it for you on run:* commands.

edit: as far as I see it's being used here so the variable becomes a part of the build process. I'm looking into this fingerprinting now.

edit2: forget edit1 😅 I'm on the right solution now!

fingerprint: {
  env: ['USE_NGROK'],
}

is the missing part (to the upgrade itself which is crucial because it enabled it) and this is what we should bring in for every env var we really care about. I'll make sure it doesn't break thing with USE_NGROK and it's safe to merge with my next commit. For other ones, we can do followups only after they become problematic.

[adhorodyski]

We need to figure out what we care about from env to resolve this ngrok issue, using fingerprint.env as per this section. I doubt it's the USE_NGROK boolean though? 🤔 Question is what should impact the fingerprint that sits on the ENV between these 2 @chuckdries?

Here are the actions we can take:

• make --local easier to use (pass options to the script) and promote that it's ok to use it (instead of changing some .sh scripts which I agree feels like having to go around smth. --local is a first-class citizen when you actually want to skip the cache)
• add this (or other) env variables into fingerprint.env to account for this local use case

[adhorodyski]

@chuckdries if you can please confirm this sample change fixes it for you, I'd propose merging this PR and making a followup with the env setup - we'll be able to avoid conflicts coming up and separating between the upgrade itself and a config fix.

[chuckdries]

Adding this to rock.config.mjs solves the issue!

fingerprint: {
    env: ['USE_NGROK', 'NGROK_URL', 'SECURE_NGROK_URL'],
},

I think we should apply this change so that users' intended configuration actually works. I think passing --local through the script would be a good nice-to-have, but it is a workaround to the root issue that setting the fingerprint config solves. I'll go ahead and merge this rock upgrade PR and we can make these changes as a follow-up

[OSBotify]

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

[OSBotify]

🚀 Deployed to staging by https://github.com/chuckdries in version: 9.2.32-0 🚀

platform	result
🖥 desktop 🖥	success ✅
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

[adhorodyski]

Is it common for people to leave some values in their local .env files? I want to make sure we don't break remote builds for people that leave this preconfigured and only switch USE_NGROK when they need to actually use it.

[chuckdries]

You need at least NGROK_URL and USE_NGROK to point the app at your dev environment, so anyone doing backend work will likely have those values set for most of the time. So I guess that means if we add those values to the fingerprint config, internal and backend devs would mostly miss out on remote builds? That certainly doesn't seem ideal

[adhorodyski]

Yeah this is my concern. By adding these to the config, if people have them exposed locally to the process via .env they will impact the hash the CLI will produce, definitely missing on the remote cache hits.

You'd have to remember to comment them out completely (so they're different than the default values), I'm worried it'll result in lots of silent cache misses. It makes sense to have a different hash with different env values for these options, but might be bad DX.

I'm working on some improvements to making this run:* workflow more guided, maybe for .env values we should make it more explicit and let you know upfront that you have some that impact the fingerprint? Like if you have NGROK_URL set up to something custom, it might be on purpose, but might be not. To get a remote build, you'd need to comment that one out, and we could hint you into doing it. Just one idea, happy to chat more about this in Slack because I see there might be some loose ends.

[OSBotify]

🚀 Deployed to production by https://github.com/mountiny in version: 9.2.32-6 🚀

platform	result
🖥 desktop 🖥	success ✅
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅