ci(mitmproxy): test mitmproxy

[couto]

✅ Checklist

• npx changeset was attached.
• Covered by automatic tests.
• Impact of the changes:
  • ...

📝 Description

Replace this text by a clear and concise description of what this pull request is about and why it is needed. Be sure to explain the problem you're addressing and the solution you're proposing.
For libraries, you can add a code sample of how to use it.
For bug fixes, you can explain the previous behaviour and how it was fixed.
In case of visual features, please attach screenshots or video recordings to demonstrate the changes.

❓ Context

• JIRA or GitHub link:

---

🧐 Checklist for the PR Reviewers

• The code aligns with the requirements described in the linked JIRA or GitHub issue.
• The PR description clearly documents the changes made and explains any technical trade-offs or design decisions.
• There are no undocumented trade-offs, technical debt, or maintainability issues.
• The PR has been tested thoroughly, and any potential edge cases have been considered and handled.
• Any new dependencies have been justified and documented.
• Performance considerations have been taken into account. (changes have been profiled or benchmarked if necessary)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

4 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
ledger-live-github-bot	Ignored	Preview	Jan 30, 2026 2:27pm
native-ui-storybook	Ignored	Preview	Jan 30, 2026 2:27pm
react-ui-storybook	Ignored	Preview	Jan 30, 2026 2:27pm
web-tools	Ignored	Preview	Jan 30, 2026 2:27pm

[ledger-wiz-cspm-secret-detection]

Wiz Scan Summary

Scanner	Findings
Sensitive Data	-
Secrets	-
IaC Misconfigurations	1
SAST Findings	-
Software Management Findings	-
Total	1

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[github-actions]

❌ Action Required: Monitored Files Changed

The following files in monitored folders have been modified:

• .github/workflows/test-mobile-mock-reusable.yml

Action Required: Please rebase your branch against develop to ensure consistency:

git rebase origin/develop

[Copilot]

Pull request overview

This PR updates the mobile mock test GitHub Actions workflow to add mitmproxy logging for iOS detox tests and to normalize some workflow syntax/formatting.

Changes:

• Standardizes YAML quoting and runs-on/needs array formatting in the reusable mobile test workflow.
• Adds a yaegashi/mitmproxy-logger-action@v1 step to the iOS detox job to start a local mitmproxy instance with CA cert installation and proxy env vars enabled.
• Leaves existing build, detox, and reporting logic intact while wiring mitmproxy in right before the iOS e2e test step.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The passphrase value for yaegashi/mitmproxy-logger-action is hardcoded to a trivial string, which is risky given that mitmproxy will capture potentially sensitive network traffic; this effectively makes the encrypted capture easy to decrypt by anyone with access to the workflow definition. Consider sourcing this passphrase from a GitHub secret (or similar secure configuration) instead of checking it into the workflow file.

Suggested change

	passphrase: "remove-me"
	passphrase: ${{ secrets.MITMPROXY_PASSPHRASE }}

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The mitmproxy step is using a hard-coded passphrase value ("remove-me"), which both weakens the protection of any captured traffic/logs and introduces a secret-like value directly into the workflow definition. It would be safer to either let the action generate its own passphrase or source a strong passphrase from GitHub Actions secrets or an environment variable rather than committing a placeholder string here.

Suggested change

	passphrase: "remove-me"
	passphrase: ${{ secrets.MITMPROXY_PASSPHRASE }}

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

report-bundle-sizes still declares needs: [build-ios, build-android], but the build-ios job has been fully commented out above. GitHub Actions will reject this workflow because needs references a non-existent job; either restore build-ios or remove it from needs and adjust the if condition and bundle size logic accordingly.

[Copilot]

merge-ios-timings depends on detox-tests-ios in both needs and the if condition, but the detox-tests-ios job is now fully commented out. This will cause the workflow to fail validation (unknown job in needs) and makes the iOS timing merge step impossible to run; either re-enable detox-tests-ios or remove it from merge-ios-timings and adjust the condition/logic.

Suggested change

	# needs: [determine-builds, detox-tests-ios]
	# runs-on: ubuntu-24.04
	# if: ${{ !cancelled() && (needs.detox-tests-ios.result == 'success' || needs.detox-tests-ios.result == 'failure') && inputs.max-shards > 1 }}
	needs: [determine-builds]
	runs-on: ubuntu-24.04
	if: ${{ !cancelled() && inputs.max-shards > 1 }}

[Copilot]

The determine-builds outputs ios_native_exists and ios_js_exists still reference steps.check-ios-native and steps.check-ios-js, but those steps are now commented out. As a result these outputs will never be set from a real cache lookup, which breaks any downstream logic relying on them and should be updated (or removed) in line with the disabled iOS cache checks.

Suggested change

	ios_native_exists: ${{ steps.check-ios-native.outputs.cache-hit }}
	ios_js_exists: ${{ steps.check-ios-js.outputs.cache-hit }}
	ios_native_exists: 'false'
	ios_js_exists: 'false'

[Copilot]

The test-pod-lockfile job's if condition depends on needs.determine-builds.outputs.ios_native_exists == 'true', but the ios_native_exists output is now wired to a commented-out check-ios-native step and will never become 'true'. This effectively disables the pod lockfile test even when an iOS native build cache exists; consider either updating how ios_native_exists is computed or explicitly deciding (and documenting) that this job should be skipped.

[Copilot]

The mitmproxy step hardcodes a passphrase: "remove-me" in the workflow, which is effectively a credential checked into the repo. For better security hygiene, this passphrase should be managed via GitHub Actions secrets or other secure configuration, even if it is only used for CI test traffic.

Suggested change

	passphrase: "remove-me"
	passphrase: "${{ secrets.MITMPROXY_PASSPHRASE }}"

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The mitmproxy CA certificate is being pushed into /system/etc/security/cacerts as mitmproxy.pem, but Android’s system trust store expects CA files to use the subject-hash-based filename convention (e.g. <hash>.0) rather than arbitrary names, otherwise the cert will be ignored. To ensure the emulator actually trusts mitmproxy, generate the proper hashed filename (using openssl x509 -subject_hash_old or an equivalent mechanism) before pushing/moving the cert into the system CA directory instead of renaming it to mitmproxy.pem.

Suggested change

	mv ${{steps.mitmproxy.outputs.cacert-path}} mitmproxy.pem
	adb root
	adb remount
	adb push mitmproxy.pem /sdcard/
	adb shell "mv /sdcard/mitmproxy.pem /system/etc/security/cacerts/"
	adb shell "chmod 644 /system/etc/security/cacerts/mitmproxy.pem"
	CACERT_PATH=${{ steps.mitmproxy.outputs.cacert-path }}
	HASH=$(openssl x509 -inform PEM -subject_hash_old -in "$CACERT_PATH" | head -n 1)
	CERT_FILENAME="${HASH}.0"
	cp "$CACERT_PATH" "$CERT_FILENAME"
	adb root
	adb remount
	adb push "$CERT_FILENAME" /sdcard/
	adb shell "mv /sdcard/$CERT_FILENAME /system/etc/security/cacerts/"
	adb shell "chmod 644 /system/etc/security/cacerts/$CERT_FILENAME"

[Copilot]

Commenting out the iOS build/test and related timing/bundle-size/pod-lockfile jobs (build-ios, detox-tests-ios, merge-ios-timings, report-bundle-sizes, test-pod-lockfile) means this reusable workflow now only exercises Android paths when invoked from the main PR/push workflows, dropping iOS CI coverage and size checks entirely. If the intent is just to experiment with mitmproxy for Android, it would be safer to either gate these changes behind an input flag or keep the iOS jobs enabled so that existing iOS build/test guarantees are not lost when this workflow is used in build-and-test-pr.yml / build-and-test-push.yml.

[Copilot]

This step runs ADB commands even when no emulator is running: the previous reactivecircus/android-emulator-runner step both runs only when steps.detox-avd.outputs.cache-hit != 'true' and tears down the emulator once its script completes, while this step has no if condition at all. As a result, on cache hits there is never an emulator started in this job, and even on cache misses the emulator is already shut down by the time this runs, so adb root/adb remount/adb push are expected to fail. To reliably provision the cert, these ADB commands should be executed while the emulator is still alive (e.g. inside the script invoked by android-emulator-runner or in a separate android-emulator-runner step with its own script), and/or this step should share the same conditional as the AVD creation step.

Suggested change

	run: |
	mv ${{steps.mitmproxy.outputs.cacert-path}} mitmproxy.pem
	adb root
	adb remount
	adb push mitmproxy.pem /sdcard/
	adb shell "mv /sdcard/mitmproxy.pem /system/etc/security/cacerts/"
	adb shell "chmod 644 /system/etc/security/cacerts/mitmproxy.pem"
	uses: reactivecircus/android-emulator-runner@v2
	with:
	api-level: ${{ env.AVD_API }}
	arch: ${{ env.AVD_ARCH }}
	profile: ${{ env.AVD_PROFILE }}
	target: ${{ env.AVD_TARGET }}
	avd-name: ${{ env.AVD_NAME }}
	cores: ${{ env.AVD_CORES }}
	ram-size: ${{ env.AVD_RAM_SIZE }}
	disable-linux-hw-accel: false
	emulator-options: ${{ env.AVD_OPTIONS }} -writable-system
	script: |
	mv ${{steps.mitmproxy.outputs.cacert-path}} mitmproxy.pem
	adb root
	adb remount
	adb push mitmproxy.pem /sdcard/
	adb shell "mv /sdcard/mitmproxy.pem /system/etc/security/cacerts/"
	adb shell "chmod 644 /system/etc/security/cacerts/mitmproxy.pem"

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The mise_toml configuration defines mitmproxy = "{{ get_env(name='MIMTPROXY_VERSION', default='12.2.1') }}", but the environment variable name appears to be misspelled (MIMTPROXY_VERSION instead of MITMPROXY_VERSION). As written, any MITMPROXY_VERSION env var will be ignored and mitmproxy will always resolve to the hard-coded default, so the intended version override mechanism will not work.

Suggested change

	mitmproxy = "{{ get_env(name='MIMTPROXY_VERSION', default='12.2.1') }}"
	mitmproxy = "{{ get_env(name='MITMPROXY_VERSION', default='12.2.1') }}"

[Copilot]

The mitmproxy CA certificate is pushed into /system/etc/security/cacerts/ as mitmproxy-ca.pem, but Android's system trust store expects PEM-encoded certificates whose filenames are the OpenSSL subject hash with a numeric suffix (for example <hash>.0). Without renaming the file to the expected hash-based name, the emulator is unlikely to recognize and trust this CA, defeating the purpose of provisioning mitmproxy; consider computing the hash-based filename (or using c_rehash-style logic) and renaming the certificate accordingly.

Suggested change

	adb root
	adb remount
	adb push ~/.mitmproxy/mitmproxy-ca.pem /sdcard/
	adb shell "mv /sdcard/mitmproxy-ca.pem /system/etc/security/cacerts/"
	adb shell "chmod 644 /system/etc/security/cacerts/mitmproxy-ca.pem"
	set -euo pipefail
	CERT_PATH="$HOME/.mitmproxy/mitmproxy-ca.pem"
	# Compute the OpenSSL subject hash used by Android for CA filenames.
	# Try the "old" hash format first (OpenSSL 1.0-style), then fall back to the default.
	HASH="$(openssl x509 -in "$CERT_PATH" -subject_hash_old -noout 2>/dev/null || openssl x509 -in "$CERT_PATH" -subject_hash -noout)"
	DEST_NAME="${HASH}.0"
	adb root
	adb remount
	adb push "$CERT_PATH" "/system/etc/security/cacerts/${DEST_NAME}"
	adb shell "chmod 644 /system/etc/security/cacerts/${DEST_NAME}"

[Copilot]

Several entire jobs (e.g. build-ios, detox-tests-ios, report-bundle-sizes, merge-*-timings, test-pod-lockfile) are now fully commented out, leaving large blocks of dead configuration in this reusable workflow. If these paths are intentionally disabled for mitmproxy experiments, consider either removing them or gating them behind an input flag (or if: condition) rather than long-lived commented code, to keep the workflow easier to maintain and reduce the risk of these stale blocks drifting from the active configuration.

Suggested change

	# build-ios:
	# name: "iOS Build"
	# needs: [determine-builds]
	# uses: LedgerHQ/ledger-live/.github/workflows/test-mobile-build-ios-reusable.yml@develop
	# with:
	# ref: ${{ inputs.ref || github.sha }}
	# macos-specificity-runner-label: ${{ inputs.macos-specificity-runner-label }}
	# disable-turbo-cache: ${{ inputs.disable-turbo-cache || false }}
	# build-ios-js: ${{ needs.determine-builds.outputs.ios_js_exists == 'false' }}
	# build-ios-native: ${{ needs.determine-builds.outputs.ios_native_exists == 'false' }}
	# ios-native-cache-key: ${{ needs.determine-builds.outputs.ios_native_key }}
	# ios-js-cache-key: ${{ needs.determine-builds.outputs.ios_js_key }}
	# secrets: inherit