feat(e2e-latest): enable New Architecture (RN 0.84)#1249
…ure support Add mobile-devtools plugin to all examples for reproducible builds via Nix. Upgrade E2E-latest to RN 0.84 with New Architecture enabled, including Gradle 9, cmake 4.1.2, react-native-screens 4.25.2, and native-stack navigation. Add E2E mobile CI workflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
37aa4da to
158781a
| ${{ runner.os }}-pods-latest- | ||
|
|
||
| - name: Install Devbox | ||
| uses: jetify-com/devbox-install-action@v0.14.0 |
Semgrep identified an issue in your code:
GitHub Action jetify-com/devbox-install-action@v0.14.0 uses a mutable version tag instead of a pinned commit SHA, allowing attackers who compromise the action's repository to inject malicious code into your workflow.
More details about this
The GitHub Action jetify-com/devbox-install-action is referenced using a semantic version tag v0.14.0 instead of being pinned to a specific commit SHA.
Exploit scenario:
- An attacker gains write access to the jetify-com/devbox-install-action repository (either by compromising maintainer credentials or via a social engineering attack)
- The attacker pushes malicious code to the repository and re-tags the v0.14.0 release or creates a new v0.14.0 tag pointing to their backdoored commit
- When this workflow runs, GitHub resolves @v0.14.0 to the attacker's new commit
- The devbox-install-action step executes the attacker's malicious code with access to your repository's source code, secrets, and CI environment
- The attacker could exfiltrate credentials, inject code into your build, or compromise downstream dependencies
Because you're using a mutable version tag rather than an immutable commit SHA, you have no way to verify that the code running today is the same code that ran yesterday.
To resolve this comment:
✨ Commit fix suggestion
| uses: jetify-com/devbox-install-action@v0.14.0 | |
| uses: jetify-com/devbox-install-action@<full-40-character-commit-sha> # v0.14.0 | |
| # TODO: Replace <full-40-character-commit-sha> with the commit SHA for the trusted v0.14.0 tag from jetify-com/devbox-install-action. |
View step-by-step instructions
- Replace the third-party action reference jetify-com/devbox-install-action@v0.14.0 with the full 40-character commit SHA for the exact action revision you want to trust, for example jetify-com/devbox-install-action@<full-commit-sha>.
- Keep the same action name and only change the version part after @ so the workflow still uses jetify-com/devbox-install-action, but as an immutable revision.
- Get the SHA from the action's repository release or tag that matches v0.14.0, and use the commit object behind that tag rather than the tag name itself.
- Add a comment next to the pinned reference with the original tag for readability, for example uses: jetify-com/devbox-install-action@<full-commit-sha> # v0.14.0. Pinning to a commit SHA prevents the action code from changing without updating this workflow.
Alternatively, if you cannot verify which commit matches v0.14.0, update to a newer trusted release and pin that release's full commit SHA instead.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
| ${{ runner.os }}-pods-compat- | ||
|
|
||
| - name: Install Devbox | ||
| uses: jetify-com/devbox-install-action@v0.14.0 |
Semgrep identified an issue in your code:
GitHub Action pinned to version tag instead of commit SHA allows attacker to inject malicious code that runs in your CI/CD pipeline.
More details about this
The GitHub Action jetify-com/devbox-install-action is pinned to the version tag v0.14.0 rather than a full commit SHA. This means the action's code can be updated at any time by the repository maintainers without your workflow noticing the change.
An attacker who compromises the jetify-com/devbox-install-action repository could inject malicious code into the v0.14.0 tag. When your workflow runs, it would execute this compromised action and the attacker could:
- Execute arbitrary commands in your CI/CD environment
- Steal secrets or environment variables like IOS_DEVICES, IOS_DEFAULT_DEVICE, or any credentials passed to subsequent steps
- Modify your build artifacts or inject code into your application
- Access your repository or deploy credentials
Since you're using this action in a CI/CD pipeline that builds iOS dependencies and runs tests, a compromised action would have full access to your build environment, source code, and any credentials available during the workflow execution.
To resolve this comment:
✨ Commit fix suggestion
| uses: jetify-com/devbox-install-action@v0.14.0 | |
| # TODO: Replace the placeholder below with the verified full 40-character commit SHA for the trusted | |
| # `v0.14.0` release of `jetify-com/devbox-install-action`. A full SHA is required to make this action | |
| # reference immutable and satisfy the Semgrep finding. | |
| uses: jetify-com/devbox-install-action@<full-commit-sha-for-v0.14.0> |
View step-by-step instructions
- Replace the third-party action tag with a full 40-character commit SHA in the uses line for jetify-com/devbox-install-action. Change jetify-com/devbox-install-action@v0.14.0 to jetify-com/devbox-install-action@<full-commit-sha-for-v0.14.0>.
- Get the SHA from the action's repository release or tag that you intend to trust, and pin exactly that commit. For example, use the commit behind the v0.14.0 tag, not the tag name itself.
- Keep the rest of the step unchanged, including the existing with: values such as enable-cache: true and project-path: examples/E2E-compat. Pinning to a commit SHA makes the action reference immutable, so the workflow does not silently pick up different code later.
- Alternatively, if you cannot verify that v0.14.0 points to a trusted commit, update to a newer trusted release first, then pin that release's full commit SHA instead of using a version tag.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
| ${{ runner.os }}-gradle-latest- | ||
|
|
||
| - name: Install Devbox | ||
| uses: jetify-com/devbox-install-action@v0.14.0 |
Semgrep identified an issue in your code:
The devbox-install-action is pinned to a version tag instead of a commit SHA, allowing attackers who compromise the repository to inject malicious code into your workflow.
More details about this
The jetify-com/devbox-install-action is pinned to a version tag (v0.14.0) rather than a full commit SHA. An attacker who controls the jetify-com/devbox-install-action repository could push malicious code to that tag or force-push the tag to point to a different commit, and your workflow would execute the attacker's code without detection.
Here's how an attacker could exploit this:
- The attacker gains control of the jetify-com/devbox-install-action repository (by compromising the maintainer's account, for example).
- They force-push the v0.14.0 tag to point to a new commit containing malicious code—for example, code that exfiltrates repository secrets or injects a backdoor into your build artifacts.
- On the next workflow run, this step executes the malicious code because @v0.14.0 now resolves to the attacker's commit.
- The malicious code runs with access to your repository secrets (visible in ${{ secrets.* }}) and can modify your build output, exposing your application to your users.
Using a full commit SHA (like @a1b2c3d4e5f6...) would prevent this because tags can be moved, but commit SHAs are immutable.
To resolve this comment:
✨ Commit fix suggestion
| uses: jetify-com/devbox-install-action@v0.14.0 | |
| # TODO: Replace with the full 40-character commit SHA for jetify-com/devbox-install-action v0.14.0. | |
| uses: jetify-com/devbox-install-action@<full-commit-sha-for-v0.14.0> # v0.14.0 |
View step-by-step instructions
- Replace the third-party action reference with a full 40-character commit SHA instead of the version tag. Change uses: jetify-com/devbox-install-action@v0.14.0 to uses: jetify-com/devbox-install-action@<full-commit-sha-for-v0.14.0>.
- Resolve the SHA from the action repository by opening the v0.14.0 release or tag in jetify-com/devbox-install-action and copying the exact commit ID for that revision. Use the full SHA, not a short SHA and not the tag name.
- Keep the rest of the step unchanged, including the existing with: values such as enable-cache: true and project-path: examples/E2E-latest. Pinning to a commit makes the action version immutable, so the workflow cannot silently pick up different code later.
Alternatively, if you need an easier update process, add a comment next to the pinned SHA with the original version, for example # v0.14.0, while still keeping uses: pinned to the full commit SHA.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
| ${{ runner.os }}-gradle-compat- | ||
|
|
||
| - name: Install Devbox | ||
| uses: jetify-com/devbox-install-action@v0.14.0 |
Semgrep identified an issue in your code:
GitHub action jetify-com/devbox-install-action@v0.14.0 is not pinned to a commit SHA, allowing an attacker who gains repository access to inject malicious code into your CI/CD pipeline.
More details about this
The jetify-com/devbox-install-action action is pinned to a version tag (v0.14.0) instead of a full commit SHA, making it vulnerable to malicious modifications.
How an attacker could exploit this:
- An attacker gains write access to the jetify-com/devbox-install-action repository (e.g., through compromised credentials or social engineering).
- The attacker adds malicious code to the repository and tags it as v0.14.0 (overwriting the existing tag or creating the tag if it doesn't yet exist).
- When your workflow runs and executes uses: jetify-com/devbox-install-action@v0.14.0, GitHub resolves this tag to whatever commit the attacker pushed.
- The attacker's malicious code runs in your CI/CD environment with access to your repository secrets, environment variables, and build artifacts—potentially stealing credentials, injecting backdoors into your build, or exfiltrating sensitive data.
By pinning to a full commit SHA (e.g., uses: jetify-com/devbox-install-action@abc123def456...), the action reference becomes immutable. The attacker would need to forge a SHA-1 collision to substitute malicious code, which is cryptographically infeasible.
To resolve this comment:
✨ Commit fix suggestion
| uses: jetify-com/devbox-install-action@v0.14.0 | |
| # TODO: Replace with the exact 40-character commit SHA for jetify-com/devbox-install-action v0.14.0. | |
| uses: jetify-com/devbox-install-action@<full-commit-sha> # v0.14.0 |
View step-by-step instructions
- Replace the version tag in the uses value with the full 40-character commit SHA for the exact jetify-com/devbox-install-action release you want to keep using. Change jetify-com/devbox-install-action@v0.14.0 to jetify-com/devbox-install-action@<full-commit-sha>.
- Look up the commit SHA that backs the v0.14.0 tag in the action's repository, and pin to that exact commit instead of the mutable tag. Use the action's releases or tag page to find the commit, then update the workflow line to something like uses: jetify-com/devbox-install-action@<40-char-sha>.
- Keep the existing with: settings unchanged after pinning. Pinning by SHA makes the action reference immutable, so a tag move or repository compromise cannot silently change what runs in CI.
Alternatively, if you need easier version updates, add the original version as a comment next to the pinned SHA, for example uses: jetify-com/devbox-install-action@<40-char-sha> # v0.14.0.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
Semgrep found 16
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.
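The four Semgrep findings above all ask for the same change: resolve the v0.14.0 tag to the commit it points at and pin that 40-character SHA in the uses: line. As an added example that is not part of this PR and is not Semgrep's tooling, the Python below does both halves offline: it scans a workflow for uses: references that are not full commit SHAs, resolves a tag to its commit from git ls-remote --tags output (handling annotated tags, whose refs/tags/<tag> line is a tag object and whose peeled ^{} line is the commit you actually need to pin), and rewrites the step while keeping the tag as a trailing comment. The sample workflow, the ls-remote output and every SHA in them are constructed test data, and all function names are my own.

```python
import re

# Added example, not code from this PR or from Semgrep: a small, offline checker/rewriter
# for the "third-party action not pinned to commit SHA" finding. All names are my own.

# A full 40-hex commit id is the only immutable form of the ref after '@'.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches '- uses: owner/repo@ref' and 'uses: owner/repo@ref', keeping indentation and trailing text.
USES_LINE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[^@\s]+)@(?P<ref>\S+)(?P<rest>.*)$")


def find_mutable_uses(workflow_text):
    """Return (line_no, action, ref) for every 'uses:' whose ref is a tag, branch or short SHA.

    Local actions ('./path') have no '@ref' and never match; 'docker://' images are pinned
    by digest rather than commit, so they are skipped here.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m or m.group("action").startswith("docker://"):
            continue
        if not FULL_SHA.match(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def resolve_tag_commit(ls_remote_output, tag):
    """Pick the commit behind refs/tags/<tag> from 'git ls-remote --tags' output.

    A lightweight tag lists the commit directly on refs/tags/<tag>. An annotated tag lists
    the tag object there and the peeled commit on refs/tags/<tag>^{}; the peeled id is the
    one to pin, because a tag object is not a commit and 'uses:' cannot check it out.
    Returns None when the tag is absent.
    """
    plain = peeled = None
    for line in ls_remote_output.splitlines():
        parts = line.split()  # ls-remote separates id and ref with a tab
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


def pin_uses(workflow_text, pins):
    """Rewrite each mutable 'uses:' whose (action, ref) is in pins to the full commit SHA.

    The original tag is kept as a trailing comment (or the line's existing trailing text is
    kept) so reviewers and update tooling can still see which release the SHA came from.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key in pins:
                trailing = m.group("rest").strip() or f"# {key[1]}"
                line = f"{m.group('indent')}{key[0]}@{pins[key]} {trailing}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow; the checkout SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed pin
      - name: Install Devbox
        uses: jetify-com/devbox-install-action@v0.14.0
        with:
          enable-cache: true
          project-path: examples/E2E-latest
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
"""

# Constructed 'git ls-remote --tags' output: v0.14.0 is modelled as an annotated tag
# (tag object plus peeled commit), v0.13.0 as a lightweight tag. The ids are not real.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v0.14.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v0.14.0^{}\n"
    "3333333333333333333333333333333333333333\trefs/tags/v0.13.0\n"
)

if __name__ == "__main__":
    for line_no, action, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    sha = resolve_tag_commit(SAMPLE_LS_REMOTE, "v0.14.0")
    print(pin_uses(SAMPLE_WORKFLOW, {("jetify-com/devbox-install-action", "v0.14.0"): sha}))
```

Against a real repository, the input for resolve_tag_commit comes from git ls-remote --tags https://github.com/<owner>/<repo> '<tag>*'; if that output shows only a refs/tags/<tag> line the tag is lightweight and that id is the commit, and if it also shows a refs/tags/<tag>^{} line the tag is annotated and only the peeled id is a commit. Re-running find_mutable_uses on the rewritten workflow is a cheap CI gate that fails whenever a tag or branch reference slips back in.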
Summary
Enables New Architecture on the E2E-latest example app (RN 0.84.1) to catch interop issues like the trackDeepLinks crash (#1147) in CI.
Changes
- newArchEnabled=true on Android
- settings.gradle for RN 0.84 autolinking (replaces old native_modules.gradle)
- kotlin-android plugin, bump Kotlin to 2.1.20
- Podfile (remove deprecated flags, M1_workaround, deployment target override)
- minSdkVersion to 24 (New Arch requirement)
- Stack
Why
RN 0.84 defaults to New Architecture. Testing with it enabled will expose bridging/interop issues before they reach users.
🤖 Generated with Claude Code