From 99e9e8989f1b3d85023ee9cbcdf4b0df13805098 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Mon, 25 Aug 2025 12:28:10 +0200
Subject: [PATCH 01/26] add scaffold actions for remote adhocs

---
 .../workflows/ad-hoc-remote-build-android.yml |  81 ++++++++++++++
 .github/workflows/ad-hoc-remote-build-ios.yml |  82 ++++++++++++++
 .github/workflows/testBuild.yml               | 101 +++++++++---------
 3 files changed, 211 insertions(+), 53 deletions(-)
 create mode 100644 .github/workflows/ad-hoc-remote-build-android.yml
 create mode 100644 .github/workflows/ad-hoc-remote-build-ios.yml

diff --git a/.github/workflows/ad-hoc-remote-build-android.yml b/.github/workflows/ad-hoc-remote-build-android.yml
new file mode 100644
index 000000000000..dbe2909f285d
--- /dev/null
+++ b/.github/workflows/ad-hoc-remote-build-android.yml
@@ -0,0 +1,81 @@
+name: Ad-Hoc Remote Build Android
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore: [staging, production]
+    paths-ignore: ['docs/**', 'contributingGuides/**', 'help/**', '.github/**', 'scripts/**', 'tests/**']
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  build:
+    runs-on: ${{ github.repository_owner == 'Expensify' && 'ubuntu-latest-xl' || 'ubuntu-latest' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - variant: 'Adhoc'
+            is_hybrid_build: true
+
+    steps:
+      - name: Checkout
+        # v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+        with:
+          submodules: ${{ matrix.is_hybrid_build || false }}
+          token: ${{ secrets.OS_BOTIFY_TOKEN }}
+
+      - name: Configure MapBox SDK
+        run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
+
+      - name: Setup Node
+        uses: ./.github/actions/composite/setupNode
+        with:
+          IS_HYBRID_BUILD: ${{ matrix.is_hybrid_build && 'true' || 'false' }}
+
+      - name: Install 1Password CLI  
+        uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f
+
+      - name: Load files from 1Password
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+        run: |
+          op read "op://${{ vars.OP_VAULT }}/upload-key.keystore/upload-key.keystore" --force --out-file ./upload-key.keystore
+          cp ./upload-key.keystore Mobile-Expensify/Android
+
+      - name: Load Android upload keystore credentials from 1Password
+        id: load-credentials
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
+        with:
+          export-env: false
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          ANDROID_UPLOAD_KEYSTORE_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_PASSWORD
+          ANDROID_UPLOAD_KEYSTORE_ALIAS: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_ALIAS
+          ANDROID_UPLOAD_KEY_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEY_PASSWORD   
+      
+      - name: Convert keystore to base64
+        id: keystore-base64
+        run: |
+          echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT    
+    
+      
+      - name: AdHoc RNEF Remote Build - Android
+        # rnef v2
+        uses: callstackincubator/android@d9a81f860e436ff2971323990244e32830dcabd1
+        env:
+          IS_HYBRID_APP: ${{ matrix.is_hybrid_build }}
+        with:
+          variant: ${{ matrix.variant }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          re-sign: true
+          # ad-hoc: true
+          keystore-base64: ${{ steps.keystore-base64.outputs.keystore_content }}
+          keystore-store-file: 'upload-key.keystore'
+          keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
+          keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
+          keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
+          rnef-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
diff --git a/.github/workflows/ad-hoc-remote-build-ios.yml b/.github/workflows/ad-hoc-remote-build-ios.yml
new file mode 100644
index 000000000000..e4d0bbaa702c
--- /dev/null
+++ b/.github/workflows/ad-hoc-remote-build-ios.yml
@@ -0,0 +1,82 @@
+name: Ad-Hoc Remote Build iOS
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore: [staging, production]
+    paths-ignore: ['docs/**', 'contributingGuides/**', 'help/**', '.github/**', 'scripts/**', 'tests/**']
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  build:
+    runs-on: ${{ github.repository_owner == 'Expensify' && 'macos-15-xlarge' || 'macos-15' }}
+    env:
+      DEVELOPER_DIR: /Applications/Xcode_16.4.0.app/Contents/Developer
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - scheme: 'Expensify AdHoc'
+            configuration: 'DebugAdHoc'
+            is_hybrid_build: true
+    steps:
+      - name: Checkout
+        # v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+        with:
+          submodules: ${{ matrix.is_hybrid_build || false }}
+          token: ${{ secrets.OS_BOTIFY_TOKEN }}
+
+      - name: Configure MapBox SDK
+        run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
+
+      - name: Setup Node
+        uses: ./.github/actions/composite/setupNode
+        with:
+          IS_HYBRID_BUILD: ${{ matrix.is_hybrid_build && 'true' || 'false' }}
+
+      - name: Install 1Password CLI  
+        uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f
+
+      - name: Load files from 1Password
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+        run: |
+          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc/OldApp_AdHoc.mobileprovision" --force --out-file ./OldApp_AdHoc.mobileprovision
+          op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
+          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Share_Extension/OldApp_AdHoc_Share_Extension.mobileprovision" --force --out-file ./OldApp_AdHoc_Share_Extension.mobileprovision
+          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
+      
+      - name: Load certificate and convert to base64
+        id: load-certificate
+        run: |
+          echo "certificate-base64=$(base64 -i ./Certificates.p12)" >> "$GITHUB_OUTPUT"
+      - name: Load provisioning profile and convert to base64
+        id: load-provisioning-profile
+        run: |
+          echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
+
+      - name: RNEF Remote Build - iOS
+        # rnef v2
+        uses: callstackincubator/ios@7847e0676242cefa801cba8ede6736140b7bae91 
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          IS_HYBRID_APP: ${{ matrix.is_hybrid_build }}
+        with:
+          destination: device
+          github-token: ${{ github.token }}
+          re-sign: true
+          # ad-hoc: true
+          scheme: ${{ matrix.scheme }}
+          configuration: ${{ matrix.configuration }}
+          certificate-base64: ${{ steps.load-certificate.outputs.certificate-base64}}
+          # not sure if we have in the secrets on gh
+          certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
+          provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.profile-base64}}
+          # not sure if we have in the secrets on gh
+          keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
+          provisioning-profile-name: '(OldApp) AdHoc'
+          comment-bot: false
diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 103c4cd0281b..38a79714ac3e 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -334,35 +334,28 @@ jobs:
           ANDROID_UPLOAD_KEYSTORE_ALIAS: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_ALIAS
           ANDROID_UPLOAD_KEY_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEY_PASSWORD
 
-      - name: Build Android app
-        id: build
-        env:
-          ANDROID_UPLOAD_KEYSTORE_PASSWORD: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
-          ANDROID_UPLOAD_KEYSTORE_ALIAS: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
-          ANDROID_UPLOAD_KEY_PASSWORD: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
-        run: bundle exec fastlane android build_adhoc_hybrid
-
-      - name: Configure AWS Credentials
-        # v4
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
+      - name: Convert keystore to base64
+        id: keystore-base64
+        run: |
+          echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT 
 
-      - name: Upload Android AdHoc build to S3
-        run: bundle exec fastlane android upload_s3
+      - name: AdHoc RNEF Remote Build - Android
+        # rnef v2
+        uses: callstackincubator/android@d9a81f860e436ff2971323990244e32830dcabd1
         env:
-          S3_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          S3_BUCKET: ad-hoc-expensify-cash
-          S3_REGION: us-east-1
-
-      - name: Export S3 path
-        id: exportAndroidS3Path
-        run: |
-          # $s3APKPath is set from within the Fastfile, android upload_s3 lane
-          echo "S3_APK_PATH=$s3APKPath" >> "$GITHUB_OUTPUT"
+          IS_HYBRID_APP: true
+        with:
+          variant: 'Adhoc'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          re-sign: true
+          # ad-hoc: true
+          keystore-base64: ${{ steps.keystore-base64.outputs.keystore_content }}
+          keystore-store-file: 'upload-key.keystore'
+          keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
+          keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
+          keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
+          comment-bot: true
+          rnef-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
 
   iosHybrid:
     name: Build and deploy iOS for testing
@@ -447,34 +440,36 @@ jobs:
           op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
           op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
 
-      - name: Build AdHoc app
-        run: bundle exec fastlane ios build_adhoc_hybrid
-
-      - name: Configure AWS Credentials
-        # v4
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
+      - name: Load certificate and convert to base64
+        id: load-certificate
+        run: |
+          echo "certificate-base64=$(base64 -i ./Certificates.p12)" >> "$GITHUB_OUTPUT"
+      - name: Load provisioning profile and convert to base64
+        id: load-provisioning-profile
+        run: |
+          echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
 
-      - name: Upload AdHoc build to S3
-        run: bundle exec fastlane ios upload_s3
+      - name: RNEF Remote Build - iOS
+        # rnef v2
+        uses: callstackincubator/ios@7847e0676242cefa801cba8ede6736140b7bae91 
         env:
-          S3_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          S3_BUCKET: ad-hoc-expensify-cash
-          S3_REGION: us-east-1
-
-      - name: Export iOS path
-        id: export-ios-path
-        run: |
-          content_ios="$(cat ./ios_paths.json)"
-          content_ios="${content_ios//'%'/'%25'}"
-          content_ios="${content_ios//$'\n'/'%0A'}"
-          content_ios="${content_ios//$'\r'/'%0D'}"
-          ios_path=$(echo "$content_ios" | jq -r '.html_path')
-          echo "IOS_PATH=$ios_path" >> "$GITHUB_OUTPUT"
+          GITHUB_TOKEN: ${{ github.token }}
+          IS_HYBRID_APP: true
+        with:
+          destination: device
+          github-token: ${{ github.token }}
+          re-sign: true
+          # ad-hoc: true
+          scheme: 'Expensify AdHoc'
+          configuration: 'DebugAdHoc'
+          certificate-base64: ${{ steps.load-certificate.outputs.certificate-base64}}
+          # not sure if we have in the secrets on gh
+          certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
+          provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.profile-base64}}
+          # not sure if we have in the secrets on gh
+          keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
+          provisioning-profile-name: '(OldApp) AdHoc'
+          comment-bot: true
 
   postGithubComment:
     runs-on: ubuntu-latest

From 59ded222250df70da3c696f9f0816b1c8872c691 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 9 Sep 2025 13:49:04 +0200
Subject: [PATCH 02/26] adjust change after rnef to rock refactor

---
 .../workflows/ad-hoc-remote-build-android.yml    |  8 ++++----
 .github/workflows/ad-hoc-remote-build-ios.yml    |  8 ++++----
 .github/workflows/testBuild.yml                  | 16 ++++++++--------
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/ad-hoc-remote-build-android.yml b/.github/workflows/ad-hoc-remote-build-android.yml
index dbe2909f285d..92b017b31b26 100644
--- a/.github/workflows/ad-hoc-remote-build-android.yml
+++ b/.github/workflows/ad-hoc-remote-build-android.yml
@@ -63,9 +63,9 @@ jobs:
           echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT    
     
       
-      - name: AdHoc RNEF Remote Build - Android
-        # rnef v2
-        uses: callstackincubator/android@d9a81f860e436ff2971323990244e32830dcabd1
+      - name: Rock Remote Build - Android
+        # rock v3
+        uses: callstackincubator/android@1a7d52dfe3ca195ccbe5ad2f06c15f2fc3835115
         env:
           IS_HYBRID_APP: ${{ matrix.is_hybrid_build }}
         with:
@@ -78,4 +78,4 @@ jobs:
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
           keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
-          rnef-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
+          rock-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
diff --git a/.github/workflows/ad-hoc-remote-build-ios.yml b/.github/workflows/ad-hoc-remote-build-ios.yml
index e4d0bbaa702c..072784b37e12 100644
--- a/.github/workflows/ad-hoc-remote-build-ios.yml
+++ b/.github/workflows/ad-hoc-remote-build-ios.yml
@@ -59,9 +59,9 @@ jobs:
         run: |
           echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
 
-      - name: RNEF Remote Build - iOS
-        # rnef v2
-        uses: callstackincubator/ios@7847e0676242cefa801cba8ede6736140b7bae91 
+      - name: Rock Remote Build - iOS
+        # rock v3
+        uses: callstackincubator/ios@08a533dbeda6adec39f94d08d820091514d1f7af
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: ${{ matrix.is_hybrid_build }}
@@ -69,7 +69,7 @@ jobs:
           destination: device
           github-token: ${{ github.token }}
           re-sign: true
-          # ad-hoc: true
+          ad-hoc: true
           scheme: ${{ matrix.scheme }}
           configuration: ${{ matrix.configuration }}
           certificate-base64: ${{ steps.load-certificate.outputs.certificate-base64}}
diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 38a79714ac3e..1ecbf8d3a0b8 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -339,9 +339,9 @@ jobs:
         run: |
           echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT 
 
-      - name: AdHoc RNEF Remote Build - Android
-        # rnef v2
-        uses: callstackincubator/android@d9a81f860e436ff2971323990244e32830dcabd1
+      - name: Rock Remote Build - Android
+        # rock v3
+        uses: callstackincubator/android@1a7d52dfe3ca195ccbe5ad2f06c15f2fc3835115
         env:
           IS_HYBRID_APP: true
         with:
@@ -355,7 +355,7 @@ jobs:
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
           keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
           comment-bot: true
-          rnef-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
+          rock-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
 
   iosHybrid:
     name: Build and deploy iOS for testing
@@ -449,9 +449,9 @@ jobs:
         run: |
           echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
 
-      - name: RNEF Remote Build - iOS
-        # rnef v2
-        uses: callstackincubator/ios@7847e0676242cefa801cba8ede6736140b7bae91 
+      - name: Rock Remote Build - iOS
+        # rock v3
+        uses: callstackincubator/ios@08a533dbeda6adec39f94d08d820091514d1f7af
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true
@@ -459,7 +459,7 @@ jobs:
           destination: device
           github-token: ${{ github.token }}
           re-sign: true
-          # ad-hoc: true
+          ad-hoc: true
           scheme: 'Expensify AdHoc'
           configuration: 'DebugAdHoc'
           certificate-base64: ${{ steps.load-certificate.outputs.certificate-base64}}

From a2a8724af638fe85c48f4dd786410cbff249a0af Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Thu, 11 Sep 2025 15:27:34 +0200
Subject: [PATCH 03/26] add ag-hoc flags to android

---
 .github/workflows/ad-hoc-remote-build-android.yml | 2 +-
 .github/workflows/testBuild.yml                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ad-hoc-remote-build-android.yml b/.github/workflows/ad-hoc-remote-build-android.yml
index 92b017b31b26..0d677b41ce03 100644
--- a/.github/workflows/ad-hoc-remote-build-android.yml
+++ b/.github/workflows/ad-hoc-remote-build-android.yml
@@ -72,7 +72,7 @@ jobs:
           variant: ${{ matrix.variant }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
           re-sign: true
-          # ad-hoc: true
+          ad-hoc: true
           keystore-base64: ${{ steps.keystore-base64.outputs.keystore_content }}
           keystore-store-file: 'upload-key.keystore'
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 1ecbf8d3a0b8..fdeeed8614dd 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -348,7 +348,7 @@ jobs:
           variant: 'Adhoc'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           re-sign: true
-          # ad-hoc: true
+          ad-hoc: true
           keystore-base64: ${{ steps.keystore-base64.outputs.keystore_content }}
           keystore-store-file: 'upload-key.keystore'
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}

From 6a73b5a9f763622bb6010e86055804fdb36c9e83 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 16 Sep 2025 15:25:36 +0200
Subject: [PATCH 04/26] remove adhoc build on every merge to main

---
 .../workflows/ad-hoc-remote-build-android.yml | 81 ------------------
 .github/workflows/ad-hoc-remote-build-ios.yml | 82 -------------------
 2 files changed, 163 deletions(-)
 delete mode 100644 .github/workflows/ad-hoc-remote-build-android.yml
 delete mode 100644 .github/workflows/ad-hoc-remote-build-ios.yml

diff --git a/.github/workflows/ad-hoc-remote-build-android.yml b/.github/workflows/ad-hoc-remote-build-android.yml
deleted file mode 100644
index 0d677b41ce03..000000000000
--- a/.github/workflows/ad-hoc-remote-build-android.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-name: Ad-Hoc Remote Build Android
-
-on:
-  workflow_dispatch:
-  push:
-    branches-ignore: [staging, production]
-    paths-ignore: ['docs/**', 'contributingGuides/**', 'help/**', '.github/**', 'scripts/**', 'tests/**']
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-
-jobs:
-  build:
-    runs-on: ${{ github.repository_owner == 'Expensify' && 'ubuntu-latest-xl' || 'ubuntu-latest' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - variant: 'Adhoc'
-            is_hybrid_build: true
-
-    steps:
-      - name: Checkout
-        # v4
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
-        with:
-          submodules: ${{ matrix.is_hybrid_build || false }}
-          token: ${{ secrets.OS_BOTIFY_TOKEN }}
-
-      - name: Configure MapBox SDK
-        run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
-
-      - name: Setup Node
-        uses: ./.github/actions/composite/setupNode
-        with:
-          IS_HYBRID_BUILD: ${{ matrix.is_hybrid_build && 'true' || 'false' }}
-
-      - name: Install 1Password CLI  
-        uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f
-
-      - name: Load files from 1Password
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-        run: |
-          op read "op://${{ vars.OP_VAULT }}/upload-key.keystore/upload-key.keystore" --force --out-file ./upload-key.keystore
-          cp ./upload-key.keystore Mobile-Expensify/Android
-
-      - name: Load Android upload keystore credentials from 1Password
-        id: load-credentials
-        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
-        with:
-          export-env: false
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          ANDROID_UPLOAD_KEYSTORE_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_PASSWORD
-          ANDROID_UPLOAD_KEYSTORE_ALIAS: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_ALIAS
-          ANDROID_UPLOAD_KEY_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEY_PASSWORD   
-      
-      - name: Convert keystore to base64
-        id: keystore-base64
-        run: |
-          echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT    
-    
-      
-      - name: Rock Remote Build - Android
-        # rock v3
-        uses: callstackincubator/android@1a7d52dfe3ca195ccbe5ad2f06c15f2fc3835115
-        env:
-          IS_HYBRID_APP: ${{ matrix.is_hybrid_build }}
-        with:
-          variant: ${{ matrix.variant }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          re-sign: true
-          ad-hoc: true
-          keystore-base64: ${{ steps.keystore-base64.outputs.keystore_content }}
-          keystore-store-file: 'upload-key.keystore'
-          keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
-          keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
-          keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
-          rock-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
diff --git a/.github/workflows/ad-hoc-remote-build-ios.yml b/.github/workflows/ad-hoc-remote-build-ios.yml
deleted file mode 100644
index 072784b37e12..000000000000
--- a/.github/workflows/ad-hoc-remote-build-ios.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-name: Ad-Hoc Remote Build iOS
-
-on:
-  workflow_dispatch:
-  push:
-    branches-ignore: [staging, production]
-    paths-ignore: ['docs/**', 'contributingGuides/**', 'help/**', '.github/**', 'scripts/**', 'tests/**']
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-
-jobs:
-  build:
-    runs-on: ${{ github.repository_owner == 'Expensify' && 'macos-15-xlarge' || 'macos-15' }}
-    env:
-      DEVELOPER_DIR: /Applications/Xcode_16.4.0.app/Contents/Developer
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - scheme: 'Expensify AdHoc'
-            configuration: 'DebugAdHoc'
-            is_hybrid_build: true
-    steps:
-      - name: Checkout
-        # v4
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
-        with:
-          submodules: ${{ matrix.is_hybrid_build || false }}
-          token: ${{ secrets.OS_BOTIFY_TOKEN }}
-
-      - name: Configure MapBox SDK
-        run: ./scripts/setup-mapbox-sdk.sh ${{ secrets.MAPBOX_SDK_DOWNLOAD_TOKEN }}
-
-      - name: Setup Node
-        uses: ./.github/actions/composite/setupNode
-        with:
-          IS_HYBRID_BUILD: ${{ matrix.is_hybrid_build && 'true' || 'false' }}
-
-      - name: Install 1Password CLI  
-        uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f
-
-      - name: Load files from 1Password
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-        run: |
-          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc/OldApp_AdHoc.mobileprovision" --force --out-file ./OldApp_AdHoc.mobileprovision
-          op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
-          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Share_Extension/OldApp_AdHoc_Share_Extension.mobileprovision" --force --out-file ./OldApp_AdHoc_Share_Extension.mobileprovision
-          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
-      
-      - name: Load certificate and convert to base64
-        id: load-certificate
-        run: |
-          echo "certificate-base64=$(base64 -i ./Certificates.p12)" >> "$GITHUB_OUTPUT"
-      - name: Load provisioning profile and convert to base64
-        id: load-provisioning-profile
-        run: |
-          echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
-
-      - name: Rock Remote Build - iOS
-        # rock v3
-        uses: callstackincubator/ios@08a533dbeda6adec39f94d08d820091514d1f7af
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          IS_HYBRID_APP: ${{ matrix.is_hybrid_build }}
-        with:
-          destination: device
-          github-token: ${{ github.token }}
-          re-sign: true
-          ad-hoc: true
-          scheme: ${{ matrix.scheme }}
-          configuration: ${{ matrix.configuration }}
-          certificate-base64: ${{ steps.load-certificate.outputs.certificate-base64}}
-          # not sure if we have in the secrets on gh
-          certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
-          provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.profile-base64}}
-          # not sure if we have in the secrets on gh
-          keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
-          provisioning-profile-name: '(OldApp) AdHoc'
-          comment-bot: false

From 11978733bc39f583c0cd884415da2862cfcdf8b1 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 16 Sep 2025 15:40:12 +0200
Subject: [PATCH 05/26] adjust apps build urls

---
 .github/workflows/testBuild.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index fdeeed8614dd..2901635a794e 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -257,7 +257,7 @@ jobs:
     needs: [prep, getMobileExpensifyPR, getMobileExpensifyRef]
     runs-on: ubuntu-latest-xl
     outputs:
-      S3_APK_PATH: ${{ steps.exportAndroidS3Path.outputs.S3_APK_PATH }}
+      ROCK_APK_PATH: ${{ steps.rock-remote-build-android.outputs.artifact-url }}
     steps:
       - name: Checkout
         # v4
@@ -340,6 +340,7 @@ jobs:
           echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT 
 
       - name: Rock Remote Build - Android
+        id: rock-remote-build-android
         # rock v3
         uses: callstackincubator/android@1a7d52dfe3ca195ccbe5ad2f06c15f2fc3835115
         env:
@@ -365,7 +366,7 @@ jobs:
       DEVELOPER_DIR: /Applications/Xcode_16.4.0.app/Contents/Developer
     runs-on: macos-15-xlarge
     outputs:
-      IOS_PATH: ${{ steps.export-ios-path.outputs.IOS_PATH }}
+      ROCK_IOS_PATH: ${{ steps.rock-remote-build-ios.outputs.artifact-url }}
     steps:
       - name: Checkout
         # v4
@@ -450,6 +451,7 @@ jobs:
           echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
 
       - name: Rock Remote Build - iOS
+        id: rock-remote-build-ios
         # rock v3
         uses: callstackincubator/ios@08a533dbeda6adec39f94d08d820091514d1f7af
         env:
@@ -499,9 +501,9 @@ jobs:
           DESKTOP: ${{ needs.desktop.result }}
           IOS: ${{ needs.iosHybrid.result }}
           WEB: ${{ needs.web.result }}
-          ANDROID_LINK: ${{ needs.androidHybrid.outputs.S3_APK_PATH }}
+          ANDROID_LINK: ${{ needs.androidHybrid.outputs.ROCK_APK_PATH }}
           DESKTOP_LINK: https://ad-hoc-expensify-cash.s3.amazonaws.com/desktop/${{ inputs.APP_PULL_REQUEST_NUMBER }}/NewExpensify.dmg
-          IOS_LINK: ${{ needs.iosHybrid.outputs.IOS_PATH }}
+          IOS_LINK: ${{ needs.iosHybrid.outputs.ROCK_IOS_PATH }}
           WEB_LINK: https://${{ inputs.APP_PULL_REQUEST_NUMBER }}.pr-testing.expensify.com
 
       - name: Publish links to apps for download on Expensify/Mobile-Expensify PR
@@ -513,5 +515,5 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
           ANDROID: ${{ needs.androidHybrid.result }}
           IOS: ${{ needs.iosHybrid.result }}
-          ANDROID_LINK: ${{ needs.androidHybrid.outputs.S3_APK_PATH }}
-          IOS_LINK: ${{ needs.iosHybrid.outputs.IOS_PATH }}
+          ANDROID_LINK: ${{ needs.androidHybrid.outputs.ROCK_APK_PATH }}
+          IOS_LINK: ${{ needs.iosHybrid.outputs.ROCK_IOS_PATH }}

From 04bcab5e03e668efa961709dc03ebf02efc339c5 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 16 Sep 2025 17:51:49 +0200
Subject: [PATCH 06/26] fix lint for wokflow

---
 .github/workflows/testBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 2901635a794e..ce10408d0e56 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -337,7 +337,7 @@ jobs:
       - name: Convert keystore to base64
         id: keystore-base64
         run: |
-          echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> $GITHUB_OUTPUT 
+          echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> "$GITHUB_OUTPUT" 
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android

From 9b11a77e064173b6bc29e774cf5501a010976bb1 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Thu, 18 Sep 2025 13:57:35 +0200
Subject: [PATCH 07/26] take base64 certificate from 1password

---
 .github/workflows/testBuild.yml | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index ce10408d0e56..a3ea564eee1a 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -333,11 +333,7 @@ jobs:
           ANDROID_UPLOAD_KEYSTORE_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_PASSWORD
           ANDROID_UPLOAD_KEYSTORE_ALIAS: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_ALIAS
           ANDROID_UPLOAD_KEY_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEY_PASSWORD
-
-      - name: Convert keystore to base64
-        id: keystore-base64
-        run: |
-          echo "keystore_content=$(base64 -w 0 Mobile-Expensify/Android/upload-key.keystore)" >> "$GITHUB_OUTPUT" 
+          ANDROID_UPLOAD_KEYSTORE_BASE64: op://${{ vars.OP_VAULT }}/upload-key.keystore/base64
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
@@ -350,7 +346,7 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           re-sign: true
           ad-hoc: true
-          keystore-base64: ${{ steps.keystore-base64.outputs.keystore_content }}
+          keystore-base64: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_BASE64 }}
           keystore-store-file: 'upload-key.keystore'
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
@@ -441,10 +437,18 @@ jobs:
           op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
           op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
 
-      - name: Load certificate and convert to base64
-        id: load-certificate
-        run: |
-          echo "certificate-base64=$(base64 -i ./Certificates.p12)" >> "$GITHUB_OUTPUT"
+      - name: Load iOS credentials from 1Password
+        id: load-credentials
+        # v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
+        with:
+          export-env: false
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          APPLE_CERTIFICATE_BASE64: op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/base64
+          # We need to add the provisioning profile to the 1Password vault
+          # APPLE_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/base64
+      
       - name: Load provisioning profile and convert to base64
         id: load-provisioning-profile
         run: |
@@ -464,10 +468,11 @@ jobs:
           ad-hoc: true
           scheme: 'Expensify AdHoc'
           configuration: 'DebugAdHoc'
-          certificate-base64: ${{ steps.load-certificate.outputs.certificate-base64}}
+          certificate-base64: ${{ steps.load-certificate.outputs.APPLE_CERTIFICATE_BASE64}}
+          # NEED to take it from load-credentials
+          # provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.APPLE_PROVISIONING_PROFILE_BASE64}}
           # not sure if we have in the secrets on gh
           certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
-          provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.profile-base64}}
           # not sure if we have in the secrets on gh
           keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
           provisioning-profile-name: '(OldApp) AdHoc'

From bfce94a6689f5df0fe2f57d364cfc532f9f9171c Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Thu, 18 Sep 2025 14:26:05 +0200
Subject: [PATCH 08/26] adjust load credential naming

---
 .github/workflows/testBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index a3ea564eee1a..15ecb5fdb439 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -468,7 +468,7 @@ jobs:
           ad-hoc: true
           scheme: 'Expensify AdHoc'
           configuration: 'DebugAdHoc'
-          certificate-base64: ${{ steps.load-certificate.outputs.APPLE_CERTIFICATE_BASE64}}
+          certificate-base64: ${{ steps.load-credentials.outputs.APPLE_CERTIFICATE_BASE64}}
           # NEED to take it from load-credentials
           # provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.APPLE_PROVISIONING_PROFILE_BASE64}}
           # not sure if we have in the secrets on gh

From 7dc2e78ed74a41e4128e97633c1040211d346e6f Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 23 Sep 2025 19:43:30 +0200
Subject: [PATCH 09/26] load additional credentials from 1Pass

---
 .github/workflows/testBuild.yml | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 15ecb5fdb439..88347bb02211 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -428,15 +428,6 @@ jobs:
         # v1
         uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f
 
-      - name: Load files from 1Password
-        env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-        run: |
-          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc/OldApp_AdHoc.mobileprovision" --force --out-file ./OldApp_AdHoc.mobileprovision
-          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Share_Extension/OldApp_AdHoc_Share_Extension.mobileprovision" --force --out-file ./OldApp_AdHoc_Share_Extension.mobileprovision
-          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
-          op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
-
       - name: Load iOS credentials from 1Password
         id: load-credentials
         # v2
@@ -446,13 +437,9 @@ jobs:
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           APPLE_CERTIFICATE_BASE64: op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/base64
-          # We need to add the provisioning profile to the 1Password vault
-          # APPLE_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/base64
-      
-      - name: Load provisioning profile and convert to base64
-        id: load-provisioning-profile
-        run: |
-          echo "profile-base64=$(base64 -i ./OldApp_AdHoc.mobileprovision)" >> "$GITHUB_OUTPUT"
+          MAIN_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/OldApp_AdHoc/OldApp_AdHoc.mobileprovision
+          SHARE_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Share_Extension/OldApp_AdHoc_Share_Extension.mobileprovision
+          NOTIFICATION_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision
 
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
@@ -469,14 +456,14 @@ jobs:
           scheme: 'Expensify AdHoc'
           configuration: 'DebugAdHoc'
           certificate-base64: ${{ steps.load-credentials.outputs.APPLE_CERTIFICATE_BASE64}}
-          # NEED to take it from load-credentials
-          # provisioning-profile-base64: ${{ steps.load-provisioning-profile.outputs.APPLE_PROVISIONING_PROFILE_BASE64}}
-          # not sure if we have in the secrets on gh
+          provisioning-profile-base64: ${{ steps.load-credentials.outputs.MAIN_PROVISIONING_PROFILE_BASE64}}
           certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
-          # not sure if we have in the secrets on gh
           keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
           provisioning-profile-name: '(OldApp) AdHoc'
           comment-bot: true
+          rock-build-extra-params: |
+            PROVISIONING_PROFILE_SPECIFIER_ShareExtension=${{ steps.load-credentials.outputs.SHARE_PROVISIONING_PROFILE_BASE64 }}
+            PROVISIONING_PROFILE_SPECIFIER_NotificationService=${{ steps.load-credentials.outputs.NOTIFICATION_PROVISIONING_PROFILE_BASE64 }}
 
   postGithubComment:
     runs-on: ubuntu-latest

From e73dea59f600e3e898a6282a0d1051b87071c038 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Mon, 29 Sep 2025 14:25:57 +0200
Subject: [PATCH 10/26] adjust android adhoc build to use file instead of
 base64

---
 .github/workflows/testBuild.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 88347bb02211..28ba6d8ddd22 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -333,20 +333,17 @@ jobs:
           ANDROID_UPLOAD_KEYSTORE_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_PASSWORD
           ANDROID_UPLOAD_KEYSTORE_ALIAS: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEYSTORE_ALIAS
           ANDROID_UPLOAD_KEY_PASSWORD: op://${{ vars.OP_VAULT }}/Repository-Secrets/ANDROID_UPLOAD_KEY_PASSWORD
-          ANDROID_UPLOAD_KEYSTORE_BASE64: op://${{ vars.OP_VAULT }}/upload-key.keystore/base64
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
-        # rock v3
-        uses: callstackincubator/android@1a7d52dfe3ca195ccbe5ad2f06c15f2fc3835115
+        uses: callstackincubator/android@8c2cb70c209cc7f832130b6e49bcbcaa7ad62613 # v3
         env:
           IS_HYBRID_APP: true
         with:
           variant: 'Adhoc'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           re-sign: true
-          ad-hoc: true
-          keystore-base64: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_BASE64 }}
+          keystore-file: './upload-key.keystore'
           keystore-store-file: 'upload-key.keystore'
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}

From caad4d55031f7dea86dbdd283b937d6bfc7ee7bc Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Mon, 29 Sep 2025 15:35:40 +0200
Subject: [PATCH 11/26] adjust ios adhoc build to use files instead of base64

---
 .github/workflows/testBuild.yml | 42 +++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 28ba6d8ddd22..e932fd0a809b 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -425,23 +425,19 @@ jobs:
         # v1
         uses: 1password/install-cli-action@143a85f84a90555d121cde2ff5872e393a47ab9f
 
-      - name: Load iOS credentials from 1Password
-        id: load-credentials
-        # v2
-        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0
-        with:
-          export-env: false
+
+      - name: Load files from 1Password
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          APPLE_CERTIFICATE_BASE64: op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/base64
-          MAIN_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/OldApp_AdHoc/OldApp_AdHoc.mobileprovision
-          SHARE_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Share_Extension/OldApp_AdHoc_Share_Extension.mobileprovision
-          NOTIFICATION_PROVISIONING_PROFILE_BASE64: op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision
+        run: |
+          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc/OldApp_AdHoc.mobileprovision" --force --out-file ./OldApp_AdHoc.mobileprovision
+          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Share_Extension/OldApp_AdHoc_Share_Extension.mobileprovision" --force --out-file ./OldApp_AdHoc_Share_Extension.mobileprovision
+          op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
+          op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
 
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        # rock v3
-        uses: callstackincubator/ios@08a533dbeda6adec39f94d08d820091514d1f7af
+        uses: callstackincubator/ios@0b4a5a6e4d6865d697bd5f277460088501982a5e # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true
@@ -452,15 +448,25 @@ jobs:
           ad-hoc: true
           scheme: 'Expensify AdHoc'
           configuration: 'DebugAdHoc'
-          certificate-base64: ${{ steps.load-credentials.outputs.APPLE_CERTIFICATE_BASE64}}
-          provisioning-profile-base64: ${{ steps.load-credentials.outputs.MAIN_PROVISIONING_PROFILE_BASE64}}
+          certificate-file: './Certificates.p12'
           certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
           keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
-          provisioning-profile-name: '(OldApp) AdHoc'
+          provisioning-profiles: |
+            [
+              {
+                "name": "OldApp_AdHoc",
+                "file": "./OldApp_AdHoc.mobileprovision"
+              },
+              {
+                "name": "OldApp_AdHoc_Share_Extension",
+                "file": "./OldApp_AdHoc_Share_Extension.mobileprovision"
+              },
+              {
+                "name": "OldApp_AdHoc_Notification_Service",
+                "file": "./OldApp_AdHoc_Notification_Service.mobileprovision"
+              }
+            ]
           comment-bot: true
-          rock-build-extra-params: |
-            PROVISIONING_PROFILE_SPECIFIER_ShareExtension=${{ steps.load-credentials.outputs.SHARE_PROVISIONING_PROFILE_BASE64 }}
-            PROVISIONING_PROFILE_SPECIFIER_NotificationService=${{ steps.load-credentials.outputs.NOTIFICATION_PROVISIONING_PROFILE_BASE64 }}
 
   postGithubComment:
     runs-on: ubuntu-latest

From e790d50efd7438db469b93da5bf248b604a71178 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Mon, 29 Sep 2025 17:48:45 +0200
Subject: [PATCH 12/26] disable comment bot on testBuild

---
 .github/workflows/testBuild.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index e932fd0a809b..9fe26e09b484 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -348,7 +348,7 @@ jobs:
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
           keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
-          comment-bot: true
+          comment-bot: false
           rock-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
 
   iosHybrid:
@@ -466,7 +466,7 @@ jobs:
                 "file": "./OldApp_AdHoc_Notification_Service.mobileprovision"
               }
             ]
-          comment-bot: true
+          comment-bot: false
 
   postGithubComment:
     runs-on: ubuntu-latest

From b91537ad18daeb052b27f60ceb3c405fef96ec10 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Thu, 2 Oct 2025 17:31:48 +0200
Subject: [PATCH 13/26] fix: set github token in env only

---
 .github/workflows/testBuild.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 9fe26e09b484..bb9e0869c249 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -339,9 +339,9 @@ jobs:
         uses: callstackincubator/android@8c2cb70c209cc7f832130b6e49bcbcaa7ad62613 # v3
         env:
           IS_HYBRID_APP: true
+          GITHUB_TOKEN: ${{ github.token }}
         with:
           variant: 'Adhoc'
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           re-sign: true
           keystore-file: './upload-key.keystore'
           keystore-store-file: 'upload-key.keystore'
@@ -443,7 +443,6 @@ jobs:
           IS_HYBRID_APP: true
         with:
           destination: device
-          github-token: ${{ github.token }}
           re-sign: true
           ad-hoc: true
           scheme: 'Expensify AdHoc'

From 593f4c97ae990f4a1b9775ad1d724c1dc25f68c7 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 7 Oct 2025 12:46:15 +0200
Subject: [PATCH 14/26] add custom keystore path to android testBuild

---
 .github/workflows/testBuild.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index bb9e0869c249..c091ab02f038 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -336,7 +336,7 @@ jobs:
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
-        uses: callstackincubator/android@8c2cb70c209cc7f832130b6e49bcbcaa7ad62613 # v3
+        uses: callstackincubator/android@e8cf87fb2d45c48986c72ee9761307ac66c162e9 # v3
         env:
           IS_HYBRID_APP: true
           GITHUB_TOKEN: ${{ github.token }}
@@ -348,6 +348,7 @@ jobs:
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
           keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
+          keystore-path: 'tools/buildtools/upload-key.keystore'
           comment-bot: false
           rock-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
 

From c254cc6a5f1548b327c3f40f6ed0cb93ba0a129c Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 7 Oct 2025 12:49:28 +0200
Subject: [PATCH 15/26] remove keychain and certificate password in ios test
 build

---
 .github/workflows/testBuild.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index c091ab02f038..fc0663ba82e8 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -438,7 +438,7 @@ jobs:
 
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        uses: callstackincubator/ios@0b4a5a6e4d6865d697bd5f277460088501982a5e # v3
+        uses: callstackincubator/ios@a7bfe11072018efa42c5a8c6719c9f09f4268bac # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true
@@ -449,8 +449,6 @@ jobs:
           scheme: 'Expensify AdHoc'
           configuration: 'DebugAdHoc'
           certificate-file: './Certificates.p12'
-          certificate-password: ${{ secrets.CERTIFICATE_PASSWORD || '' }}
-          keychain-password: ${{ secrets.KEYCHAIN_PASSWORD || '' }}
           provisioning-profiles: |
             [
               {

From 951391ab40c505aeaa0ee49733930cef9107b035 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 8 Oct 2025 12:54:38 +0200
Subject: [PATCH 16/26] adjust keystore-path, use proper configuration name

---
 .github/workflows/testBuild.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index fc0663ba82e8..1fbdba32d23a 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -348,7 +348,8 @@ jobs:
           keystore-store-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_PASSWORD }}
           keystore-key-alias: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEYSTORE_ALIAS }}
           keystore-key-password: ${{ steps.load-credentials.outputs.ANDROID_UPLOAD_KEY_PASSWORD }}
-          keystore-path: 'tools/buildtools/upload-key.keystore'
+          # Specify the path (relative to the Android source directory) where the keystore should be placed.
+          keystore-path: '../tools/buildtools/upload-key.keystore'
           comment-bot: false
           rock-build-extra-params: '--extra-params -PreactNativeArchitectures=arm64-v8a,x86_64'
 
@@ -447,7 +448,7 @@ jobs:
           re-sign: true
           ad-hoc: true
           scheme: 'Expensify AdHoc'
-          configuration: 'DebugAdHoc'
+          configuration: 'AdHoc'
           certificate-file: './Certificates.p12'
           provisioning-profiles: |
             [

From 41cbd727cbc03aeff34b08d939dfa3760c713b46 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 8 Oct 2025 13:33:22 +0200
Subject: [PATCH 17/26] update certificates names on iOS

---
 .github/workflows/testBuild.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 1fbdba32d23a..ba4456cbacbd 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -453,15 +453,15 @@ jobs:
           provisioning-profiles: |
             [
               {
-                "name": "OldApp_AdHoc",
+                "name": "(OldApp) AdHoc",
                 "file": "./OldApp_AdHoc.mobileprovision"
               },
               {
-                "name": "OldApp_AdHoc_Share_Extension",
+                "name": "(OldApp) AdHoc: Share Extension",
                 "file": "./OldApp_AdHoc_Share_Extension.mobileprovision"
               },
               {
-                "name": "OldApp_AdHoc_Notification_Service",
+                "name": "(OldApp) AdHoc: Notification Service",
                 "file": "./OldApp_AdHoc_Notification_Service.mobileprovision"
               }
             ]

From 9907c1c8f17726d59305e988b10991eb107924c4 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 8 Oct 2025 17:31:57 +0200
Subject: [PATCH 18/26] add additional logging on android, support special
 characters on ios

---
 .github/workflows/testBuild.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index ba4456cbacbd..52a093fe8832 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -336,7 +336,7 @@ jobs:
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
-        uses: callstackincubator/android@e8cf87fb2d45c48986c72ee9761307ac66c162e9 # v3
+        uses: callstackincubator/android@3f426e3e42c81fd35e683dbc78ab22ef816006cb # v3
         env:
           IS_HYBRID_APP: true
           GITHUB_TOKEN: ${{ github.token }}
@@ -439,7 +439,7 @@ jobs:
 
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        uses: callstackincubator/ios@a7bfe11072018efa42c5a8c6719c9f09f4268bac # v3
+        uses: callstackincubator/ios@b90708fea39c05315c7bab075352fce395b07112 # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true

From 1aa38d3dd1bd607a9f85676f59a2d22f051e2932 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 8 Oct 2025 18:15:38 +0200
Subject: [PATCH 19/26] add android param

---
 .github/workflows/testBuild.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 52a093fe8832..981cc96d00df 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -342,6 +342,7 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
         with:
           variant: 'Adhoc'
+          sign: true
           re-sign: true
           keystore-file: './upload-key.keystore'
           keystore-store-file: 'upload-key.keystore'

From 51da0c6feaea0ada1cacad47488b0fa3f03b93f6 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 8 Oct 2025 18:34:32 +0200
Subject: [PATCH 20/26] update ios actiob for special characters

---
 .github/workflows/testBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 981cc96d00df..1acf2630c782 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -440,7 +440,7 @@ jobs:
 
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        uses: callstackincubator/ios@b90708fea39c05315c7bab075352fce395b07112 # v3
+        uses: callstackincubator/ios@29e2f8ca5f70d07f0c255ad03f30c44d1196db85 # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true

From b5e786aa0a6c8606458b99896d8b850fbeb7def4 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Thu, 9 Oct 2025 14:35:04 +0200
Subject: [PATCH 21/26] update rock action commit hash

---
 .github/workflows/testBuild.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 1acf2630c782..f91a77668da2 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -336,7 +336,7 @@ jobs:
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
-        uses: callstackincubator/android@3f426e3e42c81fd35e683dbc78ab22ef816006cb # v3
+        uses: callstackincubator/android@8f91b6c5dd7d2778b353f0758d7020213e7f6bc1 # v3
         env:
           IS_HYBRID_APP: true
           GITHUB_TOKEN: ${{ github.token }}
@@ -440,7 +440,7 @@ jobs:
 
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        uses: callstackincubator/ios@29e2f8ca5f70d07f0c255ad03f30c44d1196db85 # v3
+        uses: callstackincubator/ios@e33de1b69ca51fce36f27f7ee4bf0ea4ac5352a9 # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true

From db547a7ee954896a600c5646489817f9824bea6e Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 14 Oct 2025 14:01:20 +0200
Subject: [PATCH 22/26] add mapping for bundle IDs to provisioning profile
 names on ios,

---
 .github/workflows/testBuild.yml | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index f91a77668da2..e09ad52802c4 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -336,7 +336,7 @@ jobs:
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
-        uses: callstackincubator/android@8f91b6c5dd7d2778b353f0758d7020213e7f6bc1 # v3
+        uses: callstackincubator/android@1ef36f7321e2f263a260e51aeda432b03165e5f1 # v3
         env:
           IS_HYBRID_APP: true
           GITHUB_TOKEN: ${{ github.token }}
@@ -438,6 +438,28 @@ jobs:
           op read "op://${{ vars.OP_VAULT }}/OldApp_AdHoc_Notification_Service/OldApp_AdHoc_Notification_Service.mobileprovision" --force --out-file ./OldApp_AdHoc_Notification_Service.mobileprovision
           op read "op://${{ vars.OP_VAULT }}/New Expensify Distribution Certificate/Certificates.p12" --force --out-file ./Certificates.p12
 
+      - name: Create ExportOptions.plist
+        run: |
+          cat > ExportOptions.plist << 'EOF'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+          <dict>
+            <key>method</key>
+            <string>ad-hoc</string>
+            <key>provisioningProfiles</key>
+            <dict>
+              <key>com.expensify.expensifylite.adhoc</key>
+              <string>(OldApp) AdHoc</string>
+              <key>com.expensify.expensifylite.adhoc.SmartScanExtension</key>
+              <string>(OldApp) AdHoc: Share Extension</string>
+              <key>com.expensify.expensifylite.adhoc.NotificationServiceExtension</key>
+              <string>(OldApp) AdHoc: Notification Service</string>
+            </dict>
+          </dict>
+          </plist>
+          EOF
+      
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
         uses: callstackincubator/ios@e33de1b69ca51fce36f27f7ee4bf0ea4ac5352a9 # v3
@@ -467,6 +489,7 @@ jobs:
               }
             ]
           comment-bot: false
+          rock-build-extra-params: '--export-options-plist ./ExportOptions.plist'
 
   postGithubComment:
     runs-on: ubuntu-latest

From f04e89d18c688ead801952d1b58cbf316b054578 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Tue, 14 Oct 2025 16:33:09 +0200
Subject: [PATCH 23/26] add absolute path when creating ExportOptions.plist

---
 .github/workflows/testBuild.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index e09ad52802c4..c2797ef8affe 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -440,7 +440,7 @@ jobs:
 
       - name: Create ExportOptions.plist
         run: |
-          cat > ExportOptions.plist << 'EOF'
+          cat > Mobile-Expensify/iOS/ExportOptions.plist << 'EOF'
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
           <plist version="1.0">
@@ -489,7 +489,6 @@ jobs:
               }
             ]
           comment-bot: false
-          rock-build-extra-params: '--export-options-plist ./ExportOptions.plist'
 
   postGithubComment:
     runs-on: ubuntu-latest

From 6762c369cfa66d15bc1f17f365bf242b0ded3f28 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 15 Oct 2025 12:10:31 +0200
Subject: [PATCH 24/26] add fix with for downloading cache for ios

---
 .github/workflows/testBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index c2797ef8affe..59d5d358c918 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -462,7 +462,7 @@ jobs:
       
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        uses: callstackincubator/ios@e33de1b69ca51fce36f27f7ee4bf0ea4ac5352a9 # v3
+        uses: callstackincubator/ios@69e6797a036045db47a43f22bcd20350c25898e1 # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true

From d392e6713615e60ed8d9f614453c1d041d107880 Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 15 Oct 2025 12:12:29 +0200
Subject: [PATCH 25/26] update android commit hash

---
 .github/workflows/testBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index 59d5d358c918..a5e08ff37a77 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -336,7 +336,7 @@ jobs:
 
       - name: Rock Remote Build - Android
         id: rock-remote-build-android
-        uses: callstackincubator/android@1ef36f7321e2f263a260e51aeda432b03165e5f1 # v3
+        uses: callstackincubator/android@1585a4a0b32801c26d2dae67a09f0df530df25c0 # v3
         env:
           IS_HYBRID_APP: true
           GITHUB_TOKEN: ${{ github.token }}

From bb6d63e4151cd69931043f0a7f5427b30bc7a8ed Mon Sep 17 00:00:00 2001
From: Tomasz Lesniakiewicz <tlesniakiewicz@gmail.com>
Date: Wed, 15 Oct 2025 15:10:42 +0200
Subject: [PATCH 26/26] use most recent ios action commit hash

---
 .github/workflows/testBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/testBuild.yml b/.github/workflows/testBuild.yml
index a5e08ff37a77..01c620412b8f 100644
--- a/.github/workflows/testBuild.yml
+++ b/.github/workflows/testBuild.yml
@@ -462,7 +462,7 @@ jobs:
       
       - name: Rock Remote Build - iOS
         id: rock-remote-build-ios
-        uses: callstackincubator/ios@69e6797a036045db47a43f22bcd20350c25898e1 # v3
+        uses: callstackincubator/ios@79778c5739839044d2ca5af75ace7ba0467b5366 # v3
         env:
           GITHUB_TOKEN: ${{ github.token }}
           IS_HYBRID_APP: true