CI/CD Integration

This guide describes the recommended CI shape for releasing SrcPush updates from a bare React Native project.

CI goals

A good pipeline should:

install dependencies deterministically
install the SrcPush CLI
authenticate with an access key stored in CI secrets
materialize signing keys only at runtime
optionally inject real deployment config into tracked placeholders
run explicit release scripts for Android and iOS

Recommended package scripts

Keep the release commands in package.json and let CI invoke them:

{
  "scripts": {
    "srcpush:android:staging": "srcpush release-react YOUR_APP_NAME_ANDROID android -d Staging --privateKeyPath ./keys/private.pem --useHermes",
    "srcpush:android:prod": "srcpush release-react YOUR_APP_NAME_ANDROID android -d Production --privateKeyPath ./keys/private.pem --useHermes",
    "srcpush:ios:staging": "srcpush release-react YOUR_APP_NAME_IOS ios -d Staging --privateKeyPath ./keys/private.pem --plistFile ./ios/YOUR_APP/Info.plist --useHermes",
    "srcpush:ios:prod": "srcpush release-react YOUR_APP_NAME_IOS ios -d Production --privateKeyPath ./keys/private.pem --plistFile ./ios/YOUR_APP/Info.plist --useHermes"
  }
}

Minimal GitHub Actions workflow

name: Release React Update

on:
  workflow_dispatch:

jobs:
  release-react:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "22"

      - run: yarn install --frozen-lockfile

      - run: npm install -g @srcpush/code-push-cli

      - run: mkdir -p ./keys

      - run: |
          echo "${{ secrets.SRCPUSH_PRIVATE_KEY }}" > ./keys/private.pem
          chmod 600 ./keys/private.pem

      - run: srcpush login --accessKey "${{ secrets.SRCPUSH_ACCESS_KEY }}"

      - run: |
          node scripts/inject-srcpush-config.js \
            --android-strings android/app/src/main/res/values/strings.xml \
            --ios-plist ios/MyApp/Info.plist \
            --deployment-key-android "${{ secrets.SRCPUSH_DEPLOYMENT_KEY_ANDROID }}" \
            --deployment-key-ios "${{ secrets.SRCPUSH_DEPLOYMENT_KEY_IOS }}" \
            --server-url "https://api.srcpush.com"

      - run: yarn srcpush:ios:prod --targetBinaryVersion "$TARGET_BINARY_VERSION"

      - run: yarn srcpush:android:prod --targetBinaryVersion "$TARGET_BINARY_VERSION"

Required secrets

At minimum, store:

SRCPUSH_ACCESS_KEY
SRCPUSH_PRIVATE_KEY
SRCPUSH_DEPLOYMENT_KEY_ANDROID
SRCPUSH_DEPLOYMENT_KEY_IOS

Add a public key secret only if your setup requires signature verification through managed config injection.

Notes on config injection

If tracked native files already contain placeholders, inject the real values during the job instead of committing them.

Example command:

node scripts/inject-srcpush-config.js \
  --android-strings android/app/src/main/res/values/strings.xml \
  --ios-plist ios/MyApp/Info.plist \
  --deployment-key-android "$SRCPUSH_DEPLOYMENT_KEY_ANDROID" \
  --deployment-key-ios "$SRCPUSH_DEPLOYMENT_KEY_IOS" \
  --server-url "https://api.srcpush.com" \
  --public-key-file ./keys/public.pem

Common CI mistakes

storing signing keys in the repository
releasing without authenticating the CLI in the job
forgetting --plistFile for iOS release scripts
using a target binary version that does not match the shipped native build
keeping real deployment values committed in strings.xml or Info.plist

CI goals​

Recommended package scripts​

Minimal GitHub Actions workflow​

Required secrets​

Notes on config injection​

Common CI mistakes​

Next steps​