Skip to content

In the app and CI

GitHub Action

Run rndl validate and rndl routes on every pull request: inline annotations with diagnostic codes, a job summary, SARIF in the Security tab, and a red check when a link would break.

The rndl deep-link checks action validates a domain's universal-link (AASA) and Android App Links files, cross-checks them against your app's route table, annotates the pull request inline with any findings, and uploads a SARIF report to GitHub code scanning.

The action is distributed from the repo and is not published to npm.

Usage

name: Deep links
on: [pull_request]
 
permissions:
  contents: read
  security-events: write # required to upload SARIF to code scanning
 
jobs:
  deeplinks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - uses: deeplink-devtools/react-native-deeplink-devtools/packages/action@main
        with:
          domain: example.com
          app-dir: src/app # Expo Router; or use `config:` for React Navigation
          package: com.example.app

Node 22+ must be set up before the step, since the action runs the CLI with npx.

Leave domain empty to run a routes-only check (inspect the route table without fetching any .well-known files). Point app-dir or config at your app to enable the routes scan and the AASA route cross-check.

Inputs

InputDefaultDescription
domain(empty)Domain to validate (AASA + assetlinks.json). Empty runs a routes-only check.
package(empty)Expected Android package name. Falls back to app.json when omitted.
sha256(empty)Expected SHA-256 signing-cert fingerprint to look for in assetlinks.json.
app-dir(empty)Expo Router app directory. Enables the routes scan and the AASA route cross-check.
config(empty)React Navigation linking module (module[#export]). Enables the routes scan and cross-check.
working-directory.Directory to run rndl in.
versionlatestVersion of react-native-deeplink-devtools to run via npx.
cli-command(empty)Advanced: override the rndl invocation (for example, a local build path). Defaults to npx of the pinned version.
sarif-filerndl.sarifPath (relative to working-directory) to write the SARIF report to.
upload-sariftrueUpload the SARIF report to GitHub code scanning (needs security-events: write).
fail-onerrorFail the job on error (default) or on warn (errors and warnings).

What you get

  • Inline annotations. Every diagnostic becomes a GitHub annotation on the pull request: errors and warnings from the validator, plus informational notes (for example, Apple's AASA CDN caching). Each annotation carries the diagnostic code (AASA_MISSING_ROUTE, ASSETLINKS_FINGERPRINT_MISMATCH, and so on) and the concrete fix.
  • A job summary table of all findings.
  • SARIF in the Security tab when upload-sarif is on and security-events: write is granted.
  • A red check when fail-on is met, so a broken universal link stops the merge.

The diagnostic codes are the same ones rndl validate prints locally, so a red CI check reproduces on your machine with one command.