
fix(cli): offer CI secret upload only after a successful first build#2310

Merged

WcaleNieWolny merged 1 commit into main from feat/cli-ci-secrets-after-build on May 21, 2026

Conversation

@WcaleNieWolny (Contributor) commented May 21, 2026

Summary

Defers GitHub Actions / GitLab CI secret upload in the build onboarding wizard until after a build has been successfully queued, instead of before. Resolves the UX issue surfaced after #2306 merged.

Original concern: pushing repository secrets before any build has been validated leaves orphan secrets in the user's repo if the credentials turn out to be wrong, and gates user trust on an unproven setup. Discussed with @riderx — agreed to move the step to post-build-success.

What changed

Touches the two onboarding state machines:

  • cli/src/build/onboarding/ui/app.tsx (iOS)
  • cli/src/build/onboarding/android/ui/app.tsx (Android)

New ordering on both tracks:

save credentials
  → ask-build
    ├─ user skips build  → exit (no secrets pushed)
    ├─ build request OK  → detecting-ci-secrets (if entries) → … → exit
    └─ build request err → exit (no secrets pushed)

Concretely:

  1. The saving-credentials handler no longer branches to detecting-ci-secrets. It always proceeds to ask-build and just stashes the CI secret entries in state for later.
  2. In requesting-build, after a successful build dispatch (result.success), the wizard now routes to detecting-ci-secrets if there are entries to push; otherwise straight to build-complete.
  3. On build failure (either the inline else branch or the outer catch), the wizard goes directly to build-complete — secrets are never offered for a failed build.
  4. Every "skip" / "skip upload" / "continue without upload" exit inside the ci-secrets-* flow used to fall back to ask-build. They now fall back to build-complete, because by the time those paths fire the build has already been dispatched.

The ciSecretUploadSummary was already rendered inside the build-complete JSX, so users still see the "Uploaded N env vars to …" confirmation after the post-build path runs.

Why this is a strict UX improvement

  • No more orphan secrets in repos whose build never ran or failed.
  • No more secrets pushed for a workflow file that doesn't exist yet, which felt cargo-cult.
  • Build failure path is shorter and more honest: we don't pretend the user is ready for CI/CD when we haven't even managed to dispatch the build.
  • Skipping the build (ask-build → "no") now correctly skips the secrets step too — credentials still get saved locally, exactly as before.

What this PR is not

Out of scope by design (each could be its own follow-up):

  • ❌ Pre-flight gh auth status + repo write-access check before collecting credentials
  • ❌ Diff-and-confirm UX when the secret name already exists in the target repo (gh secret set silently clobbers today)
  • ❌ Cap on AI-debug retry loops on build failure
  • ❌ .github/workflows/capgo-build.yml generator
  • ❌ Extraction of the secrets-push step into a standalone capgo ci setup command

Test plan

  • bun run cli:check (lint + typecheck + build + test) green locally
  • bun test/test-ci-secrets.mjs — all 8 existing helpers tests still pass; this PR doesn't touch ci-secrets.ts itself
  • Manual: capgo build init --platform ios on a fresh repo with no Capgo credentials — confirm wizard goes save credentials → ask-build, and only offers secret upload after the build is queued
  • Manual: same on Android
  • Manual: choose "no" at ask-build — confirm wizard exits cleanly without offering secrets
  • Manual: cause a build request failure (invalid API key) — confirm wizard exits via build-complete and does NOT offer secrets
  • Manual: with no detectable GitHub/GitLab remote — confirm wizard exits via build-complete after the empty discovery, not back into the (no-longer-reachable from this path) ask-build

cc @riderx

Summary by CodeRabbit

  • Refactor
    • Deferred CI secret upload/detection until after a build is successfully queued on iOS and Android.
    • Skipping CI setup, target selection, or secret upload now completes onboarding (goes to build complete) instead of prompting another build.
    • Retry after CI secret failures now re-runs CI secret checks rather than returning to the build request step.
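
The ordering described in this PR, as an added example that is not the Capgo CLI's own code: a reduced TypeScript reducer that encodes the transitions from the description (saving-credentials always advances to ask-build; secret detection is entered only after a successful build request and only when entries exist; every ci-secrets-* skip and dead-end goes to build-complete; retry after a failed upload re-enters detection), plus a check of the invariant the change is meant to guarantee, that secrets are offered or uploaded only once a build was queued. Step names follow the PR; the Event shapes, the WizardState fields, the sample secret name CAPGO_TOKEN and the helper names are assumptions made for this example. The real wizards render JSX in the two app.tsx files and are not a pure reducer.

```typescript
// Added example, not the Capgo CLI's own code: a reduced model of the onboarding
// wizard's transitions as the PR describes them. Step names follow the PR;
// the Event shapes, WizardState fields and the invariant check are assumptions.

type Step =
  | 'saving-credentials' | 'ask-build' | 'requesting-build'
  | 'detecting-ci-secrets' | 'ci-secrets-upload' | 'ci-secrets-failed'
  | 'build-complete'; // terminal step; "exit" in the PR's diagram lands here

type Event =
  | { kind: 'credentials-saved'; ciSecretEntries: string[] }
  | { kind: 'ask-build-answer'; yes: boolean }
  | { kind: 'build-result'; success: boolean }
  | { kind: 'ci-targets-detected'; targets: string[] }
  | { kind: 'ci-upload-result'; success: boolean }
  | { kind: 'ci-skip' }
  | { kind: 'ci-retry' };

interface WizardState {
  step: Step;
  ciSecretEntries: string[]; // stashed when credentials are saved, pushed only later
  buildQueued: boolean;      // set once a build request succeeded
  secretsOffered: boolean;   // set once detecting-ci-secrets was entered
  uploadedCount: number;     // what the build-complete summary would report
}

const initialState: WizardState = {
  step: 'saving-credentials', ciSecretEntries: [],
  buildQueued: false, secretsOffered: false, uploadedCount: 0,
};

function reduce(s: WizardState, e: Event): WizardState {
  switch (s.step) {
    case 'saving-credentials':
      // Always advance to ask-build; never branch into secret detection here.
      if (e.kind === 'credentials-saved') {
        return { ...s, step: 'ask-build', ciSecretEntries: e.ciSecretEntries };
      }
      break;
    case 'ask-build':
      // "no" exits with credentials saved locally and nothing pushed.
      if (e.kind === 'ask-build-answer') {
        return { ...s, step: e.yes ? 'requesting-build' : 'build-complete' };
      }
      break;
    case 'requesting-build':
      if (e.kind === 'build-result') {
        if (!e.success) return { ...s, step: 'build-complete' }; // failed dispatch: no offer
        const offer = s.ciSecretEntries.length > 0;
        return { ...s, buildQueued: true, secretsOffered: offer,
                 step: offer ? 'detecting-ci-secrets' : 'build-complete' };
      }
      break;
    case 'detecting-ci-secrets':
      // Empty discovery (no GitHub/GitLab remote) ends the wizard, not ask-build.
      if (e.kind === 'ci-targets-detected') {
        return { ...s, step: e.targets.length > 0 ? 'ci-secrets-upload' : 'build-complete' };
      }
      if (e.kind === 'ci-skip') return { ...s, step: 'build-complete' };
      break;
    case 'ci-secrets-upload':
      if (e.kind === 'ci-upload-result') {
        return e.success
          ? { ...s, step: 'build-complete', uploadedCount: s.ciSecretEntries.length }
          : { ...s, step: 'ci-secrets-failed' };
      }
      if (e.kind === 'ci-skip') return { ...s, step: 'build-complete' };
      break;
    case 'ci-secrets-failed':
      // Retry re-runs detection; skip completes onboarding.
      if (e.kind === 'ci-retry') return { ...s, step: 'detecting-ci-secrets' };
      if (e.kind === 'ci-skip') return { ...s, step: 'build-complete' };
      break;
  }
  throw new Error(`event '${e.kind}' is not valid in step '${s.step}'`);
}

function run(events: Event[]): WizardState {
  return events.reduce(reduce, initialState);
}

// The property the PR establishes: secrets are offered or uploaded only once a build was queued.
function secretsOnlyAfterBuild(s: WizardState): boolean {
  return s.buildQueued || (!s.secretsOffered && s.uploadedCount === 0);
}

// Stand-alone run of one path from the PR's test plan: "no" at ask-build.
const skipPath: Event[] = [
  { kind: 'credentials-saved', ciSecretEntries: ['CAPGO_TOKEN'] },
  { kind: 'ask-build-answer', yes: false },
];
const skipEnd = run(skipPath);
console.log(`ends at ${skipEnd.step}; secrets offered: ${skipEnd.secretsOffered}`);
```

Because the transition table is a pure function, each manual item in the test plan (skip at ask-build, invalid API key, no detectable remote, upload failure then retry) can be replayed as an event list and checked mechanically against secretsOnlyAfterBuild, instead of being walked through the interactive wizard by hand.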

@coderabbitai (Contributor, bot) commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 871a9f3 and a7fe3e0.

📒 Files selected for processing (2)
  • cli/src/build/onboarding/android/ui/app.tsx
  • cli/src/build/onboarding/ui/app.tsx

📝 Walkthrough

Both onboarding flows (Android and iOS) are updated to defer CI-secret uploading until after a successful build is queued. Credential saving now consistently advances to the build request step; build success conditionally enters CI-secret detection only when entries exist, otherwise skipping to completion. All CI-secret UI skip paths and detection dead-ends now end the wizard rather than return to the build prompt; retry paths after CI failures re-enter secret checking instead.

Changes

CI-secret uploading deferral in onboarding flows

Deferred CI-secret offering after build success
  Files: cli/src/build/onboarding/android/ui/app.tsx, cli/src/build/onboarding/ui/app.tsx
  After requesting-build succeeds, CI-secret detection is conditionally entered only when ciSecretEntries exist; otherwise the flow skips directly to build-complete, deferring upload decisions until after the build is queued.

Normalized credential-saving transitions
  Files: cli/src/build/onboarding/android/ui/app.tsx, cli/src/build/onboarding/ui/app.tsx
  Both Android and iOS saving-credentials effects now unconditionally create CI secret entries and always advance to the local ask-build step, removing prior conditional branching.

CI-secret detection and upload completions
  Files: cli/src/build/onboarding/android/ui/app.tsx, cli/src/build/onboarding/ui/app.tsx
  No-target detection and successful upload now route to build-complete instead of ask-build.

CI-secret user skip and cancellation paths
  Files: cli/src/build/onboarding/android/ui/app.tsx, cli/src/build/onboarding/ui/app.tsx
  All skip actions in ci-secrets-setup, ci-secrets-target-select, ask-ci-secrets, and confirm-ci-secret-overwrite now route to build-complete to prevent re-prompting during CI-secret subflows.

Failure recovery re-routes to CI-secret checking
  Files: cli/src/build/onboarding/android/ui/app.tsx, cli/src/build/onboarding/ui/app.tsx
  Retry paths in ci-secrets-failed now re-enter CI-secret detection instead of returning to the build request prompt.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • zinc-builds

Poem

🐰 A wizard once rushed through the flow,
But we said "hold up, let the build grow!"
Now secrets wait 'til the queue's clear,
Skips and no-targets bring the finish near,
Retry paths circle back to check once more.

🚥 Pre-merge checks | ✅ 5 passed

  • Title check: ✅ Passed. The title accurately and specifically describes the main change: deferring CI secret upload until after a successful build, which is the core focus of both file modifications.
  • Description check: ✅ Passed. The description is comprehensive and well-structured, covering summary, changes, rationale, scope, and test plan. However, the test plan section shows incomplete manual testing (unchecked boxes), which is a minor gap.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Following review of PR #2306, the build onboarding wizard now defers
GitHub Actions / GitLab CI secret upload until AFTER a build has been
successfully queued — rather than before. This prevents users from ending
up with orphan secrets in a repo whose build was never proven to work.

New ordering on both iOS and Android tracks:

  save credentials
    → ask-build
      ├─ user skips build  → exit (no secrets pushed)
      ├─ build request OK  → detecting-ci-secrets (if entries) → … → exit
      └─ build request err → exit (no secrets pushed)

All ci-secrets-* state transitions that previously fell back to ask-build
on skip / failure now route to build-complete instead, because by the
time those paths fire the build has already been dispatched.

bun.lock: workspace version bump from 7.104.0 → 7.108.2, picked up
mechanically by bun install (was stale on main).

@codspeed-hq (Contributor, bot) commented May 21, 2026

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks [1]

Comparing feat/cli-ci-secrets-after-build (a7fe3e0) with main (9c1f101)

Open in CodSpeed

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@WcaleNieWolny force-pushed the feat/cli-ci-secrets-after-build branch from 871a9f3 to a7fe3e0 on May 21, 2026 08:00
@sonarqubecloud commented

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

@WcaleNieWolny merged commit 56f1484 into main on May 21, 2026
44 checks passed
@WcaleNieWolny deleted the feat/cli-ci-secrets-after-build branch on May 21, 2026 08:16