Conversation

@sigmaaa sigmaaa commented Sep 23, 2025

Description

Consolidated CI build jobs into a single file, reducing code duplication.

Fixes # (IEP-1616)

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

How has this been tested?

Test Configuration:

  • ESP-IDF Version:
  • OS (Windows,Linux and macOS):

Dependent components impacted by this PR:

CI build and publish jobs

Checklist

  • PR Self Reviewed
  • Applied Code formatting
  • Added Documentation
  • Added Unit Test
  • Verified on all platforms - Windows,Linux and macOS

Summary by CodeRabbit

  • New Features

    • macOS releases now include automated code signing and DMG packaging for easier installation.
  • Chores

    • CI reworked to a macOS-first build-and-publish pipeline with multi-platform artifact uploads and explicit version extraction.
    • Per-OS matrix test execution and standardized test-report publishing for clearer test results.
    • CI tooling updated (Java, Python, Maven) and build flow modernized.
  • Removed

    • Legacy standalone Windows CI workflow eliminated.

@sigmaaa sigmaaa self-assigned this Sep 23, 2025
coderabbitai bot commented Sep 24, 2025

Walkthrough

Replaces the single CI workflow with a macOS-focused build_and_publish_macos job (artifact versioning, codesign, DMG creation, multi-OS artifact uploads) and a matrix-driven build_and_test job for per-OS tests and reports; removes the previous Windows-only workflow and updates GH Actions/tool versions and runners.

Changes

  • macOS-centric CI refactor: .github/workflows/ci.yml
    Replaces the monolithic build with two jobs: build_and_publish_macos (uses actions/checkout@v4, Python 3.11, Maven 3.9.6, JDK 21; extracts the version, codesigns macOS bundles, creates DMGs, uploads update-site and platform artifacts) and build_and_test (matrix-driven per-OS test runners, per-OS workspace paths and test-report naming, centralized Maven test run and test-report publishing).
  • Windows workflow removal: .github/workflows/ci_windows.yml
    Deletes the prior Windows-only workflow that checked out the repo and tools, set up Python/Maven/JDK, ran mvn verify, and published JUnit reports; its duties moved into the new matrixed CI in ci.yml.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Push/PR
  participant GH as GitHub Actions
  participant Mac as build_and_publish_macos
  participant Sign as Codesign & DMG
  participant Store as Artifact storage
  participant Matrix as build_and_test (matrix)

  Dev->>GH: push / open PR
  GH->>Mac: start macOS publish job
  Mac->>Mac: checkout@v4 → setup Python/Maven/JDK → mvn package
  Mac->>Mac: extract version from built artifacts
  Mac->>Sign: import signing certs → codesign bundles → create DMGs
  Sign->>Store: upload update-site + platform artifacts + DMGs

  note over GH,Matrix: parallel per-OS test matrix (linux/windows/mac)
  GH->>Matrix: start matrix jobs
  Matrix->>Matrix: checkout → setup per-OS tools → mvn verify (tests) with per-OS workspace
  Matrix->>Store: publish per-OS test reports (dynamic names)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • kolipakakondal
  • alirana01
  • AndriiFilippov

Poem

I’m a rabbit in the CI glen,
I hop through jobs and sign again,
DMGs gleam and artifacts fly,
Tests bound across each OS sky,
A tiny hop — the pipelines grin. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title “IEP-1616 CI unification” concisely captures the main change of unifying continuous integration workflows and ties it back to the relevant ticket. It is brief, clear, and directly reflects the substantive modifications in the CI configuration files without unnecessary detail. Therefore, it meets the criteria for a focused and informative pull request title.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (4)
.github/workflows/ci.yml (4)

18-23: Enable Maven dependency cache to speed builds

Leverage setup-java’s built-in Maven cache.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

94-99: Also cache Maven in the matrix job

Same as macOS job for consistency and speed.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

27-33: Make version extraction deterministic

Parsing filenames is brittle. Prefer Maven to emit the project version.

Apply this diff:

       - name: Extract version number
         id: extract_version
         run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          version="$(mvn -q help:evaluate -Dexpression=project.version -DforceStdout)"
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
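Review bot: `-DforceStdout` is only honoured by maven-help-plugin 3.1.0 and later; with an older plugin `help:evaluate` prints the value through the logger, `-q` suppresses it, and `version` is silently empty, which this hunk never checks. Add `[ -n "$version" ] || { echo "empty version" >&2; exit 1; }` after the assignment (or pin the plugin version) so the failure surfaces here rather than in a later step that embeds `$VERSION` in artifact names.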

If the product version differs from the root POM version, consider reading it from the relevant module’s POM instead.


53-59: Minor hardening for secret handling and keychain stability

Avoid echo for binary data and keep the keychain unlocked during long builds.

Apply this diff:

-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
+          /usr/bin/security set-keychain-settings -lut 21600 build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
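Review bot: `-P $MACOS_CERTIFICATE_PWD` on the `security import` line is still unquoted; a password containing whitespace or glob characters would be split, so write `-P "$MACOS_CERTIFICATE_PWD"`. The decoded certificate.p12 is also left in the workspace after the import; remove it as soon as the import succeeds, since the key only needs to live in the keychain from that point on.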
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2772840 and 405b2a4.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml (2 hunks)
  • .github/workflows/ci_windows.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/ci_windows.yml
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci.yml

85-85: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

Comment on lines +49 to +52
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
🛠️ Refactor suggestion

Propagate GITHUB_TOKEN to codesign/upload step

The gh CLI relies on GITHUB_TOKEN. Add it to this step’s env to avoid auth issues when uploading artifacts.

Apply this diff:

       - name: Codesign and create DMGs (macOS)
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
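Review bot: handing `GITHUB_TOKEN` to a step that runs a long signing script raises the blast radius of everything executed inside it (the DMG builder scripts, codesign helpers), so the job should carry an explicit `permissions:` block scoped to what the upload actually needs (read-only `contents` if it only uploads artifacts) instead of the default token permissions. The later iteration of this PR replaces the gh CLI uploads with actions/upload-artifact@v4, at which point the token is not needed in this step at all.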
🤖 Prompt for AI Agents
.github/workflows/ci.yml around lines 49 to 52: the codesign/upload step sets
MACOS_CERTIFICATE and MACOS_CERTIFICATE_PWD in env but does not export
GITHUB_TOKEN which the gh CLI needs for authentication; update the step's env to
include GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} so the gh CLI can authenticate
when uploading artifacts.

Comment on lines +85 to +88
uses: actions/setup-python@v4
with:
python-version: '3.11'

⚠️ Potential issue

Update setup-python to v5 (actionlint failure)

actionlint reports v4 is too old for GitHub Actions’ current runtime. Bump to v5.

Apply this diff:

-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
🧰 Tools
🪛 actionlint (1.7.7)

85-85: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 85 to 88, the workflow uses
actions/setup-python@v4 which actionlint flags as too old; update the action to
actions/setup-python@v5 by replacing the uses line accordingly (keep the with:
python-version: '3.11' block intact) so the workflow uses the supported v5
release.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.github/workflows/ci.yml (4)

18-23: Enable Maven dependency caching to speed builds

actions/setup-java supports built-in Maven cache; enable it.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: maven

126-131: Also cache Maven in test matrix job

Same as the macOS job; speeds CI.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: maven

27-33: Fragile version detection; fail-fast and prefer Maven project.version

Parsing tarball names is brittle and can yield empty VERSION. Prefer Maven’s project.version, with a safe fallback and explicit failure when empty.

Apply this diff:

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          # Prefer Maven project.version; fallback to parsing artifacts
+          if version=$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version 2>/dev/null); then
+            :
+          else
+            version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+).*\.tar\.gz/\1/' | sort -V | tail -n1 || true)
+          fi
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine VERSION" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
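Review bot: the `2>/dev/null` on the `mvn` call discards the reason Maven failed, so a broken POM or missing plugin silently degrades to filename parsing with no trace in the job log; let stderr through, or capture it and print it in the `else` branch. The `|| true` on the fallback pipeline likewise cancels `pipefail` for it, so a failing `ls` is only caught by the later `-z` check, again without its error text.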

62-91: Harden codesign step and make DMG signing consistent

  • Use printf to avoid newline issues in base64 decode.
  • Add set -euo pipefail for robustness.
  • Don’t pass entitlements when signing DMGs (apply consistently).
  • Optional: cleanup keychain and cert file.

Apply this diff:

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          set -euo pipefail
+          printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
@@
           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
           $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
@@
           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
           $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
           /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          /usr/bin/security delete-keychain build.keychain || true
+          rm -f certificate.p12 || true
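Review bot: with `set -euo pipefail`, the `delete-keychain` and `rm -f certificate.p12` lines at the end only execute when every codesign command before them succeeds; on a signing failure the unlocked keychain and the decoded .p12 stay on the runner. Install `trap '/usr/bin/security delete-keychain build.keychain; rm -f certificate.p12' EXIT` right after `create-keychain`, or move the cleanup to its own step with `if: always()`. `-P $MACOS_CERTIFICATE_PWD` on the import line also still needs quoting.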

Note: Consider notarization + stapling to avoid Gatekeeper blocks; can be added later.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 405b2a4 and ab61881.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci.yml

117-117: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (5)
.github/workflows/ci.yml (5)

24-26: Artifact upload usage looks good

Using actions/upload-artifact@v4 with explicit names/paths is correct and robust.

Please confirm the generated artifact paths match Tycho outputs for all target platforms.

Also applies to: 34-61, 92-105


111-111: Self-hosted runner labels are malformed; use an array of labels

Comma-separated labels in a single string won’t match self-hosted runners. Provide labels as an array with per-element expressions.

Apply this diff:

-    runs-on: ${{ matrix.os == 'linux' && 'self-hosted, eclipse, BrnoUBU0004' || 'self-hosted, eclipseUpd, BrnoWIN0007' }}
+    runs-on: [self-hosted, ${{ matrix.os == 'linux' && 'eclipse' || 'eclipseUpd' }}, ${{ matrix.os == 'linux' && 'BrnoUBU0004' || 'BrnoWIN0007' }}]
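Review bot: `${{ ... }}` cannot appear as a bare element of a YAML flow sequence, because `{` and `}` are flow indicators that a plain scalar may not contain, so this line will not parse as written; quote each expression element (`[self-hosted, "${{ matrix.os == 'linux' && 'eclipse' || 'eclipseUpd' }}", "${{ ... }}"]`) or, more readably, put the complete runner label set in each matrix `include:` entry and reference it from `runs-on`.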

116-119: Bump setup-python to v5 (actionlint failure)

V4 is flagged as too old; upgrade to v5.

Apply this diff:

-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5

132-135: Cross-OS shell bug: export breaks on Windows

PowerShell doesn’t support POSIX export. Set env at step level and keep run single-line.

Apply this diff:

-      - name: Run Tests
-        run: |
-          export NO_AT_BRIDGE=1
-          mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace=${{ matrix.os == 'linux' && '/opt/actions-runner/_work/workspace' || 'C:/actions-runner/_work/workspace' }}
+      - name: Run Tests
+        env:
+          NO_AT_BRIDGE: "1"
+        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace=${{ matrix.os == 'linux' && '/opt/actions-runner/_work/workspace' || 'C:/actions-runner/_work/workspace' }}

137-143: JUnit report glob is incorrect for Maven Surefire/Failsafe

Use the standard Maven report locations.

Apply this diff:

-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
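The `printf` versus `echo` point and the cleanup-on-failure point raised for the codesign step in this and the neighbouring CodeRabbit comments, shown as an added, runnable example. It is not code from the PR or from the bot: it uses names of its own (`decode_secret_unsafe`, `decode_secret`, `with_secret_file`), a constructed sample secret in place of the real certificate, and a plain temp file in place of the macOS `security` keychain calls so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the PR or from the CodeRabbit review: the two
# defects the codesign-step comments raise, reproduced in portable POSIX sh.
#   1. `echo $SECRET | base64 --decode` expands the secret unquoted, so a
#      line-wrapped base64 value is word-split and its newlines turn into
#      spaces, which the decoder rejects; `printf '%s' "$SECRET"` passes the
#      bytes through unchanged.
#   2. Cleanup placed after the signing commands never runs once an earlier
#      command fails under `set -e`; an EXIT trap runs on every exit path.
# Function names and the sample secret are this example's own; in the real
# step the trap would also run `security delete-keychain build.keychain`.

# The form in the original step: unquoted expansion through echo.
decode_secret_unsafe() {
    echo $1 | base64 -d
}

# The form the review suggests: quoted expansion via printf, no option parsing.
decode_secret() {
    printf '%s' "$1" | base64 -d
}

# Decode a base64 secret into PATH, run CMD with PATH appended as its last
# argument, and remove PATH on every exit path (success, failure, signal).
# Runs in a subshell so the trap and `set -e` stay local to this call.
# Usage: with_secret_file B64 PATH CMD [ARGS...]
with_secret_file() (
    set -eu
    b64=$1
    path=$2
    shift 2
    trap 'rm -f "$path"' EXIT
    umask 077                     # key material readable by the runner user only
    decode_secret "$b64" > "$path"
    "$@" "$path"
)

# Constructed sample "certificate" (136 bytes), encoded and wrapped at 76
# columns, which is how GNU base64 prints it and how it is often pasted into a
# secret store. The wrapping is what makes the unquoted form fail.
SAMPLE_PLAINTEXT=$(printf 'constructed-certificate-bytes-%03d;' 1 2 3 4)
SAMPLE_B64=$(printf '%s' "$SAMPLE_PLAINTEXT" | base64 | tr -d '\n' | fold -w 76)

# Exit 0 only if the unsafe form reproduces the plaintext exactly.
unsafe_decode_matches() {
    [ "$(decode_secret_unsafe "$SAMPLE_B64" 2>/dev/null)" = "$SAMPLE_PLAINTEXT" ]
}

# Demonstration when run directly.
if [ "$(decode_secret "$SAMPLE_B64")" = "$SAMPLE_PLAINTEXT" ]; then
    echo "printf + quoted decode: secret recovered intact"
fi
if unsafe_decode_matches; then
    echo "echo + unquoted decode: decoder tolerated the spaces (check your base64)"
else
    echo "echo + unquoted decode: secret corrupted or rejected"
fi
SECRET_FILE="${TMPDIR:-/tmp}/example-secret-$$.p12"
if with_secret_file "$SAMPLE_B64" "$SECRET_FILE" false; then :; fi   # stands in for a failing codesign
if [ -e "$SECRET_FILE" ]; then
    echo "secret file left behind"
else
    echo "secret file removed although the command failed"
fi
```

Run it with `sh example.sh`: the quoted decoder returns the sample intact, the unquoted one fails on the wrapped input because word splitting turned the line breaks into spaces, and the temp file is gone after the deliberately failing command. In the workflow the same trap would also delete `build.keychain`; a separate step with `if: always()` is the job-level equivalent.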

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (5)
.github/workflows/ci.yml (5)

146-153: Fix JUnit glob for Maven Surefire/Failsafe

Current pattern won’t find Maven reports.

       - name: Publish Test Reports
         if: ${{ always() }}
         uses: phoenix-actions/test-reporting@v12
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit

27-33: Harden version extraction (prefer Maven project.version, add fail‑fast)

Parsing filenames is brittle. Prefer help:evaluate with fallback; fail if empty.

       - name: Extract version number
         id: extract_version
         run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          # Prefer Maven project.version; fallback to artifact filename
+          version="$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version | tr -d '\r' || true)"
+          version="${version%-SNAPSHOT}"
+          if [ -z "${version:-}" ]; then
+            version="$(ls -1 releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz \
+              | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+).*/\1/' \
+              | sort -V | head -n1)"
+          fi
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine VERSION" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
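Review bot: `sort -V | head -n1` selects the lowest version when several tarballs are present, the opposite of the `tail -n1` in the previous iteration's suggestion; the newest build is the one wanted, so use `tail -n1` and keep the two consistent. Stripping `-SNAPSHOT` also changes what `VERSION` means: artifact names built from it will no longer match Maven's own version on snapshot builds, so either keep the suffix or document why it is dropped. The `|| true` after `tr` swallows a failing `mvn` together with its exit status, leaving only the `-z` check and no error text.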

62-91: Codesign step: add strict mode and cleanup keychain/materials

Fail fast and ensure secrets/artifacts are cleaned up.

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
+          set -euo pipefail
           echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
@@
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          /usr/bin/security lock-keychain build.keychain
+          /usr/bin/security delete-keychain build.keychain || true
+          rm -f certificate.p12
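Review bot: the three cleanup lines sit after the last `codesign` call, so under `set -euo pipefail` any earlier failure skips them and leaves the unlocked keychain and certificate.p12 on the runner; an EXIT trap installed right after `create-keychain`, or a separate `if: always()` cleanup step, is needed for the cleanup to hold on the failure path. This hunk also keeps `echo $MACOS_CERTIFICATE | base64 --decode`, dropping the `printf '%s' "$MACOS_CERTIFICATE"` form the previous iteration suggested for the same line.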

24-26: Avoid double-running tests in build job

Tests also run in build_and_test. Consider skipping here to reduce time.

-      - name: Build with Maven
-        run: mvn clean verify -Djarsigner.skip=true
+      - name: Build with Maven
+        run: mvn clean verify -Djarsigner.skip=true -DskipTests=true
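Review bot: skipping tests here while `-Djarsigner.skip=true` is set means the artifacts this job signs and uploads come from a build that ran no tests in this job, which is only safe if publication is gated on build_and_test for the same commit. Add `needs: build_and_test` to build_and_publish_macos, or condition the upload steps on it, so a test failure blocks the published DMGs and update site.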

Confirm if any packaging validations depend on tests; if so, keep as-is.


34-40: Fail early if artifact is missing

Upload-artifact should error when no files found to avoid silent green builds.

       - name: Upload build artifacts (update site)
         if: ${{ !cancelled() }}
         uses: actions/upload-artifact@v4
         with:
           name: com.espressif.idf.update-${{ env.VERSION }}
           path: releng/com.espressif.idf.update/target/repository
+          if-no-files-found: error

Apply the same to other upload-artifact steps in this workflow.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ab61881 and efe9977.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci.yml

107-107: could not parse as YAML: yaml: line 107: found character that cannot start any token

(syntax-check)

🪛 YAMLlint (1.37.1)
.github/workflows/ci.yml

[error] 107-107: syntax error: found character '\t' that cannot start any token

(syntax)

🔇 Additional comments (3)
.github/workflows/ci.yml (3)

41-61: Artifacts: sanity-check paths across platforms

Confirm these Windows/Linux archives are produced by the macOS build (Tycho cross-build). If not, these uploads will be empty.

If they’re built elsewhere, switch this step to download artifacts from prior jobs or move packaging to matching OS runners.


125-129: actions/setup-python: bump to v5 (actionlint failure)

v4 is flagged as too old by actionlint. Upgrade to v5.

-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5

141-145: Make test step cross‑OS safe (avoid POSIX export on Windows)

Use step env instead of export; keep run single‑line for PowerShell compatibility.

-      - name: Run Tests
-        run: |
-          export NO_AT_BRIDGE=1
-		  mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace="${{ matrix.testWorkspace }}"
+      - name: Run Tests
+        env:
+          NO_AT_BRIDGE: "1"
+        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace=${{ matrix.testWorkspace }}
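Review bot: the fourth line of the removed block is indented with a tab, which is the `found character '\t' that cannot start any token` failure actionlint and YAMLlint report above; fixing that indentation is the actual bug fix here, separate from the `export` change. The replacement also drops the double quotes around `${{ matrix.testWorkspace }}`; keep them, since the expression is substituted as raw text before the shell sees it and an unquoted path containing a space would become two arguments.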

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

18-26: Enable Maven dependency caching to speed up builds

Add cache: maven to setup-java steps for faster, more reliable builds.

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

135-140: Enable Maven cache for test job too

Add cache: maven here as well for consistency and speed.

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f21fec and 0961eca.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci.yml

126-126: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (6)
.github/workflows/ci.yml (6)

34-61: Good switch to upload-artifact action for multi-OS outputs

Using actions/upload-artifact@v4 here resolves prior GH CLI issues and simplifies auth.


92-105: Artifact uploads for DMGs look correct

Names include version and arch, and paths match the builder outputs.


106-120: Matrix structure and runs-on resolution look good

Tabs/indent issues from prior iteration are resolved; per-OS runner label arrays are correct.


125-129: Bump setup-python to v5 (actionlint failure)

actions/setup-python@v4 is too old per actionlint; upgrade to v5.

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'

147-153: Fix JUnit report glob for Maven Surefire/Failsafe

Use Maven-standard TEST-*.xml locations; current glob likely finds nothing.

         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit

141-146: NO_AT_BRIDGE not effective; env set in one step doesn’t persist to next

Move NO_AT_BRIDGE to the Maven step’s env (or job env). The current export doesn’t affect the following step.

-      - name: Set NO_AT_BRIDGE
-        if: runner.os == 'linux'
-        run: export NO_AT_BRIDGE=1
-      - name: Run Maven
-        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace="${{ matrix.testWorkspace }}"
+      - name: Run Maven
+        env:
+          NO_AT_BRIDGE: '1'
+        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace="${{ matrix.testWorkspace }}"

Comment on lines +27 to +33
- name: Extract version number
id: extract_version
run: |
version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
echo "VERSION=$version" >> $GITHUB_ENV
echo "VERSION=$version" >> $GITHUB_OUTPUT
⚠️ Potential issue

Harden version extraction; current ls/sed is fragile and nondeterministic

Resolve via Maven-evaluated project.version with strict erroring.

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          version=$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1)
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine version" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
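Review bot: the `-z` check rejects an empty result but accepts any non-empty line, and `tail -n1` returns whatever Maven printed last rather than necessarily the evaluated value. Validate the shape as well, for example `case "$version" in [0-9]*.[0-9]*.[0-9]*) ;; *) echo "unexpected version: $version" >&2; exit 1;; esac`, since the value is embedded in artifact names downstream.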
🤖 Prompt for AI Agents
.github/workflows/ci.yml around lines 27 to 33: the current version extraction
using ls/sed is fragile and nondeterministic; replace it with a Maven evaluation
of project.version (e.g., run mvn help:evaluate -Dexpression=project.version -q
-DforceStdout) capture the output into a variable, validate it's non-empty and
fail the step with a non-zero exit code if empty, and then export the validated
version to both $GITHUB_ENV and $GITHUB_OUTPUT so the workflow uses the
canonical Maven project.version reliably.

Comment on lines +62 to +91
- name: Codesign Espressif-IDE
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
/usr/bin/security create-keychain -p espressif build.keychain
/usr/bin/security default-keychain -s build.keychain
/usr/bin/security unlock-keychain -p espressif build.keychain
/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
echo "codesigning espressif-ide-macosx.cocoa.x86_64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
echo "codesigning espressif-ide-macosx.cocoa.aarch64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

⚠️ Potential issue

Codesigning step: fix secret handling, unify DMG signing, and clean up keychain

  • Avoid echo injecting newlines into base64; use printf.
  • DMG signing is inconsistent (entitlements used for x86_64 but not aarch64). Use the same flags for both; entitlements are typically unnecessary for DMGs.
  • Delete temporary cert and keychain to reduce footprint on runner.
       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

           echo "codesigning espressif-ide-macosx.cocoa.x86_64"
           /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app

           echo "codesigning espressif-ide-macosx.cocoa.aarch64"
           /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app

           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
           $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
           $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
           /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          rm -f certificate.p12
+          /usr/bin/security delete-keychain build.keychain || true
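Review bot: the `security import certificate.p12 ... -P $MACOS_CERTIFICATE_PWD` line is left unchanged in this suggestion, so the certificate password is still expanded unquoted and would be word-split or glob-expanded by the shell if it contains spaces or metacharacters; quote it as `-P "$MACOS_CERTIFICATE_PWD"` in the same way the `printf %s "$MACOS_CERTIFICATE"` line fixes the certificate blob. The same applies to the `$PWD/...` paths on the unchanged `codesign` lines, which are only quoted on the two DMG lines this suggestion touches.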
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Codesign Espressif-IDE
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
/usr/bin/security create-keychain -p espressif build.keychain
/usr/bin/security default-keychain -s build.keychain
/usr/bin/security unlock-keychain -p espressif build.keychain
/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
echo "codesigning espressif-ide-macosx.cocoa.x86_64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
echo "codesigning espressif-ide-macosx.cocoa.aarch64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
- name: Codesign Espressif-IDE
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
/usr/bin/security create-keychain -p espressif build.keychain
/usr/bin/security default-keychain -s build.keychain
/usr/bin/security unlock-keychain -p espressif build.keychain
/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
echo "codesigning espressif-ide-macosx.cocoa.x86_64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement \
--options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \
$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep \
$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
echo "codesigning espressif-ide-macosx.cocoa.aarch64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement \
--options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \
$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep \
$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
echo "Creating dmg for espressif-ide-macosx.cocoa-x86_64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
/usr/bin/codesign --options runtime --force \
-s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \
"$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v
/usr/bin/codesign -v -vvv --deep \
$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
echo "Creating dmg for espressif-ide-macosx.cocoa-aarch64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
/usr/bin/codesign --options runtime --force \
-s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \
$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
/usr/bin/codesign -v -vvv --deep \
$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
rm -f certificate.p12
/usr/bin/security delete-keychain build.keychain || true


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

18-23: Optional: enable Maven dependency caching

Speeds up builds across both jobs.

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

Also applies to: 135-140

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0961eca and b5af544.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci.yml

126-126: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build_and_test (windows, self-hosted, eclipseUpd, BrnoWIN0007, C:/actions-runner/_work/workspace,...
  • GitHub Check: build_and_publish_macos
🔇 Additional comments (5)
.github/workflows/ci.yml (5)

27-33: Harden version extraction; use Maven-evaluated project.version

Current ls/sed is fragile and can yield empty/incorrect versions. Prefer mvn help:evaluate.

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          version="$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1)"
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine version" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
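Review bot: this changes what lands in `VERSION`, not only how reliably it is found: the removed `sed` captured just the `X.Y.Z` digits out of the tarball name, whereas `project.version` is exported verbatim, so a `-SNAPSHOT` or other qualifier in the POM would now flow into every downstream step that builds artifact names from `VERSION`. If the published names are meant to stay `Espressif-IDE-X.Y.Z-...`, strip the qualifier after the empty check (for example `version=${version%%-*}`), or confirm that the POM version carries no qualifier on the branches that publish. `set -euo pipefail` plus the explicit empty check are the right additions and should be kept regardless.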

62-91: Codesigning: fix base64 decode, unify DMG signing, and clean up keychain

Use printf to avoid newline issues, avoid entitlements for DMGs, quote paths, and remove temporary creds/keychain.

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
-          /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+          /usr/bin/security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
 
           echo "codesigning espressif-ide-macosx.cocoa.x86_64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app"
 
           echo "codesigning espressif-ide-macosx.cocoa.aarch64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app"
 
           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg"
 
           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
-          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg"
+          rm -f certificate.p12
+          /usr/bin/security delete-keychain build.keychain || true
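Review bot: the two cleanup lines added at the end (`rm -f certificate.p12` and `security delete-keychain build.keychain || true`) only execute when every preceding command succeeds, because GitHub's default bash for a `run:` step is invoked with `-e`; a failing `codesign` or DMG build would abort the step and leave the decoded `.p12` and the unlocked keychain holding the signing key on the runner, which matters on a self-hosted machine that is reused between jobs. Register the cleanup before the secret is decoded, e.g. `trap 'rm -f certificate.p12; /usr/bin/security delete-keychain build.keychain || true' EXIT` as the first line of the script, or move it to its own step with `if: always()`, so it runs on both paths.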

147-153: Fix JUnit report glob for Maven Surefire/Failsafe

Use canonical Maven report paths to ensure results are found.

       - name: Publish Test Reports
         if: ${{ always() }}
         uses: phoenix-actions/test-reporting@v12
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit
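Review bot: `phoenix-actions/test-reporting@v12` is a third-party action referenced by a mutable tag and it runs unconditionally (`if: always()`) with the job's `GITHUB_TOKEN`; pinning it to a full commit SHA (with the tag kept in a trailing comment) prevents a re-pointed tag from changing what executes on the runners, and a workflow-level `permissions:` block scoped to what the reporter needs (typically `checks: write` plus `contents: read`) is worth adding if one is not already set. The glob change itself is correct: `**/target/*-reports/TEST-*.xml` matches both `surefire-reports` and `failsafe-reports` wherever the modules live.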

125-129: Update setup-python to v5 (actionlint failure)

v4 is too old for current runners; upgrade to v5.

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'

141-146: NO_AT_BRIDGE export doesn’t persist across steps; move to Run Maven env

Environment set in one run step isn’t available in subsequent steps. Set it on the Maven step (conditionally for Linux).

-      - name: Set NO_AT_BRIDGE
-        if: runner.os == 'linux'
-        run: export NO_AT_BRIDGE=1
       - name: Run Maven
-        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"
+        env:
+          NO_AT_BRIDGE: ${{ runner.os == 'Linux' && '1' || '' }}
+        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

18-23: Enable Maven dependency caching to speed builds

Add cache: maven to setup-java to leverage GH cache for ~/.m2.

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

143-148: Enable Maven caching in test job as well

Same caching improvement for the test matrix.

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b5af544 and 83e77ba.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci.yml

134-134: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build_and_test (windows, self-hosted, eclipseUpd, BrnoWIN0007, C:/actions-runner/_work/workspace,...
  • GitHub Check: build_and_test (linux, self-hosted, eclipse, BrnoUBU0004, /opt/actions-runner/_work/workspace, Li...
  • GitHub Check: build_and_publish_macos
🔇 Additional comments (8)
.github/workflows/ci.yml (8)

27-33: Harden version detection: use Maven-evaluated project.version

The ls/sed approach is fragile and non-deterministic if multiple files match. Query Maven for the canonical version.

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          version=$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1)
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine version" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

34-61: Artifact uploads via actions/upload-artifact look good

Switching to actions/upload-artifact is correct and simplifies auth/robustness.


62-91: Codesign step: safer secret handling, consistent DMG signing, and cleanup

  • Avoid echo adding a newline when decoding base64; use printf.
  • Use consistent flags for DMG signing; entitlements are not needed for DMGs.
  • Quote paths.
  • Delete the temporary cert and keychain.
       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
-          /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+          /usr/bin/security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

           echo "codesigning espressif-ide-macosx.cocoa.x86_64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app"

           echo "codesigning espressif-ide-macosx.cocoa.aarch64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app"

           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg"

           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
-          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg"
+          rm -f certificate.p12
+          /usr/bin/security delete-keychain build.keychain || true

92-105: DMG artifact upload steps look correct

Names and paths align with the codesign output and VERSION usage.


106-120: Matrix and runner labels are correctly structured

YAML structure and runs-on label arrays look good; this should match self-hosted runners reliably.


155-161: Fix JUnit glob for Maven Surefire/Failsafe reports

Current pattern likely misses results. Use target/*-reports.

       - name: Publish Test Reports
         if: ${{ always() }}
         uses: phoenix-actions/test-reporting@v12
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit

149-154: NO_AT_BRIDGE is not propagated; set it on the Maven step and drop the export step

Environment set in one step doesn’t persist to the next. Move NO_AT_BRIDGE to the Run Maven step (export is unnecessary and shell-specific).

-      - name: Set NO_AT_BRIDGE
-        if: runner.os == 'linux'
-        run: export NO_AT_BRIDGE=1
-      - name: Run Maven
-        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"
+      - name: Run Maven
+        env:
+          NO_AT_BRIDGE: ${{ runner.os == 'Linux' && '1' || '' }}
+        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"

133-137: Update setup-python to v5 (actionlint failure)

actions/setup-python@v4 is no longer supported on GitHub-hosted runners.

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'

@sigmaaa sigmaaa changed the title WIP: IEP-1616 CI unification IEP-1616 CI unification Sep 29, 2025
Collaborator

@kolipakakondal kolipakakondal left a comment


Thanks for the PR. LGTM
