IEP-1616 CI unification #1314

sigmaaa · 2025-09-23T12:20:27Z

Description

Consolidated CI build jobs into a single file, reducing code duplication.

Fixes # (IEP-1616)

Type of change

Please delete options that are not relevant.

New feature (non-breaking change which adds functionality)

How has this been tested?

Test Configuration:

ESP-IDF Version:
OS (Windows,Linux and macOS):

Dependent components impacted by this PR:

CI build and publish jobs

Checklist

Summary by CodeRabbit

New Features
- macOS releases now include automated code signing and DMG packaging for easier installation.
Chores
- CI reworked to a macOS-first build-and-publish pipeline with multi-platform artifact uploads and explicit version extraction.
- Per-OS matrix test execution and standardized test-report publishing for clearer test results.
- CI tooling updated (Java, Python, Maven) and build flow modernized.
Removed
- Legacy standalone Windows CI workflow eliminated.

coderabbitai · 2025-09-24T11:19:06Z

Walkthrough

Replaces the single CI workflow with a macOS-focused build_and_publish_macos job (artifact versioning, codesign, DMG creation, multi-OS artifact uploads) and a matrix-driven build_and_test job for per-OS tests and reports; removes the previous Windows-only workflow and updates GH Actions/tool versions and runners.

Changes

Cohort / File(s)	Summary
macOS-centric CI refactor `.github/workflows/ci.yml`	Replaces monolithic build with two jobs: `build_and_publish_macos` (uses `actions/checkout@v4`, Python 3.11, Maven 3.9.6, JDK 21; extracts version, codesigns macOS bundles, creates DMGs, uploads update-site and platform artifacts) and `build_and_test` (matrix-driven per-OS test runners, per-OS workspace paths and test-report naming, centralized Maven test run and test-report publishing).
Windows workflow removal `.github/workflows/ci_windows.yml`	Deletes the prior Windows-only workflow that checked out repo and tools, set up Python/Maven/JDK, ran `mvn verify`, and published JUnit reports; its duties moved into the new matrixed CI in `ci.yml`.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Push/PR
  participant GH as GitHub Actions
  participant Mac as build_and_publish_macos
  participant Sign as Codesign & DMG
  participant Store as Artifact storage
  participant Matrix as build_and_test (matrix)

  Dev->>GH: push / open PR
  GH->>Mac: start macOS publish job
  Mac->>Mac: checkout@v4 → setup Python/Maven/JDK → mvn package
  Mac->>Mac: extract version from built artifacts
  Mac->>Sign: import signing certs → codesign bundles → create DMGs
  Sign->>Store: upload update-site + platform artifacts + DMGs

  note over GH,Matrix: parallel per-OS test matrix (linux/windows/mac)
  GH->>Matrix: start matrix jobs
  Matrix->>Matrix: checkout → setup per-OS tools → mvn verify (tests) with per-OS workspace
  Matrix->>Store: publish per-OS test reports (dynamic names)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

IEP-1615 Update windows runner's JDK to 21 version #1290 — Edits the Windows CI workflow and JDK/setup-java updates (overlaps with removal/replacement of Windows workflow).
IEP-1608 Update test runtime environment to Java 21 #1283 — Aligns project/tooling to Java 21 (matches JDK 21 usage in the new CI).
Updating upload artifacts version #1048 — Changes around artifact upload/action versioning (related to new artifact publishing steps).

Suggested reviewers

kolipakakondal
alirana01
AndriiFilippov

Poem

I’m a rabbit in the CI glen,
I hop through jobs and sign again,
DMGs gleam and artifacts fly,
Tests bound across each OS sky,
A tiny hop — the pipelines grin. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title “IEP-1616 CI unification” concisely captures the main change of unifying continuous integration workflows and ties it back to the relevant ticket. It is brief, clear, and directly reflects the substantive modifications in the CI configuration files without unnecessary detail. Therefore, it meets the criteria for a focused and informative pull request title.

✨ Finishing touches

📝 Generate Docstrings

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch IEP-1616

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 8

🧹 Nitpick comments (4)

.github/workflows/ci.yml (4)

18-23: Enable Maven dependency cache to speed builds

Leverage setup-java’s built-in Maven cache.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

94-99: Also cache Maven in the matrix job

Same as macOS job for consistency and speed.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

27-33: Make version extraction deterministic

Parsing filenames is brittle. Prefer Maven to emit the project version.

Apply this diff:

       - name: Extract version number
         id: extract_version
         run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          version="$(mvn -q help:evaluate -Dexpression=project.version -DforceStdout)"
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

If the product version differs from the root POM version, consider reading it from the relevant module’s POM instead.

53-59: Minor hardening for secret handling and keychain stability

Avoid echo for binary data and keep the keychain unlocked during long builds.

Apply this diff:

-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
+          /usr/bin/security set-keychain-settings -lut 21600 build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2772840 and 405b2a4.

📒 Files selected for processing (2)

.github/workflows/ci.yml (2 hunks)
.github/workflows/ci_windows.yml (0 hunks)

💤 Files with no reviewable changes (1)

.github/workflows/ci_windows.yml

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/ci.yml

85-85: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/ci.yml

coderabbitai · 2025-09-24T11:27:30Z

.github/workflows/ci.yml

+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        run: |


🛠️ Refactor suggestion

Propagate GITHUB_TOKEN to codesign/upload step

The gh CLI relies on GITHUB_TOKEN. Add it to this step’s env to avoid auth issues when uploading artifacts.

Apply this diff:

- name: Codesign and create DMGs (macOS) env: MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

env:

MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}

MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}

run: |

- name: Codesign and create DMGs (macOS)

env:

MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}

MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

🤖 Prompt for AI Agents

.github/workflows/ci.yml around lines 49 to 52: the codesign/upload step sets MACOS_CERTIFICATE and MACOS_CERTIFICATE_PWD in env but does not export GITHUB_TOKEN which the gh CLI needs for authentication; update the step's env to include GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} so the gh CLI can authenticate when uploading artifacts.

.github/workflows/ci.yml

coderabbitai · 2025-09-24T11:27:31Z

.github/workflows/ci.yml

+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+


⚠️ Potential issue

Update setup-python to v5 (actionlint failure)

actionlint reports v4 is too old for GitHub Actions’ current runtime. Bump to v5.

Apply this diff:

- - name: Set up Python - uses: actions/setup-python@v4 + - name: Set up Python + uses: actions/setup-python@v5

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

uses: actions/setup-python@v4

with:

python-version: '3.11'

uses: actions/setup-python@v5

with:

python-version: '3.11'

🧰 Tools

🪛 actionlint (1.7.7)

85-85: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents

In .github/workflows/ci.yml around lines 85 to 88, the workflow uses actions/setup-python@v4 which actionlint flags as too old; update the action to actions/setup-python@v5 by replacing the uses line accordingly (keep the with: python-version: '3.11' block intact) so the workflow uses the supported v5 release.

.github/workflows/ci.yml

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (4)

.github/workflows/ci.yml (4)

18-23: Enable Maven dependency caching to speed builds

actions/setup-java supports built-in Maven cache; enable it.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: maven

126-131: Also cache Maven in test matrix job

Same as the macOS job; speeds CI.

Apply this diff:

       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: maven

27-33: Fragile version detection; fail-fast and prefer Maven project.version

Parsing tarball names is brittle and can yield empty VERSION. Prefer Maven’s project.version, with a safe fallback and explicit failure when empty.

Apply this diff:

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          # Prefer Maven project.version; fallback to parsing artifacts
+          if version=$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version 2>/dev/null); then
+            :
+          else
+            version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+).*\.tar\.gz/\1/' | sort -V | tail -n1 || true)
+          fi
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine VERSION" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

62-91: Harden codesign step and make DMG signing consistent

Use printf to avoid newline issues in base64 decode.
Add set -euo pipefail for robustness.
Don’t pass entitlements when signing DMGs (apply consistently).
Optional: cleanup keychain and cert file.

Apply this diff:

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          set -euo pipefail
+          printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
@@
           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
           $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
@@
           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
           $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
           /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          /usr/bin/security delete-keychain build.keychain || true
+          rm -f certificate.p12 || true

Note: Consider notarization + stapling to avoid Gatekeeper blocks; can be added later.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 405b2a4 and ab61881.

📒 Files selected for processing (1)

.github/workflows/ci.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/ci.yml

117-117: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (5)

.github/workflows/ci.yml (5)
24-26: Artifact upload usage looks good

Using actions/upload-artifact@v4 with explicit names/paths is correct and robust.

Please confirm the generated artifact paths match Tycho outputs for all target platforms.

Also applies to: 34-61, 92-105

111-111: Self-hosted runner labels are malformed; use an array of labels

Comma-separated labels in a single string won’t match self-hosted runners. Provide labels as an array with per-element expressions.

Apply this diff:
-    runs-on: ${{ matrix.os == 'linux' && 'self-hosted, eclipse, BrnoUBU0004' || 'self-hosted, eclipseUpd, BrnoWIN0007' }}
+    runs-on: [self-hosted, ${{ matrix.os == 'linux' && 'eclipse' || 'eclipseUpd' }}, ${{ matrix.os == 'linux' && 'BrnoUBU0004' || 'BrnoWIN0007' }}]
116-119: Bump setup-python to v5 (actionlint failure)

V4 is flagged as too old; upgrade to v5.

Apply this diff:
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
132-135: Cross-OS shell bug: export breaks on Windows

PowerShell doesn’t support POSIX export. Set env at step level and keep run single-line.

Apply this diff:
-      - name: Run Tests
-        run: |
-          export NO_AT_BRIDGE=1
-          mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace=${{ matrix.os == 'linux' && '/opt/actions-runner/_work/workspace' || 'C:/actions-runner/_work/workspace' }}
+      - name: Run Tests
+        env:
+          NO_AT_BRIDGE: "1"
+        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace=${{ matrix.os == 'linux' && '/opt/actions-runner/_work/workspace' || 'C:/actions-runner/_work/workspace' }}
137-143: JUnit report glob is incorrect for Maven Surefire/Failsafe

Use the standard Maven report locations.

Apply this diff:
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (5)

.github/workflows/ci.yml (5)

146-153: Fix JUnit glob for Maven Surefire/Failsafe

Current pattern won’t find Maven reports.

       - name: Publish Test Reports
         if: ${{ always() }}
         uses: phoenix-actions/test-reporting@v12
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit

27-33: Harden version extraction (prefer Maven project.version, add fail‑fast)

Parsing filenames is brittle. Prefer help:evaluate with fallback; fail if empty.

       - name: Extract version number
         id: extract_version
         run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          # Prefer Maven project.version; fallback to artifact filename
+          version="$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version | tr -d '\r' || true)"
+          version="${version%-SNAPSHOT}"
+          if [ -z "${version:-}" ]; then
+            version="$(ls -1 releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz \
+              | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+).*/\1/' \
+              | sort -V | head -n1)"
+          fi
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine VERSION" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

62-91: Codesign step: add strict mode and cleanup keychain/materials

Fail fast and ensure secrets/artifacts are cleaned up.

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
+          set -euo pipefail
           echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
           /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
@@
           /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          /usr/bin/security lock-keychain build.keychain
+          /usr/bin/security delete-keychain build.keychain || true
+          rm -f certificate.p12

24-26: Avoid double-running tests in build job

Tests also run in build_and_test. Consider skipping here to reduce time.

-      - name: Build with Maven
-        run: mvn clean verify -Djarsigner.skip=true
+      - name: Build with Maven
+        run: mvn clean verify -Djarsigner.skip=true -DskipTests=true

Confirm if any packaging validations depend on tests; if so, keep as-is.

34-40: Fail early if artifact is missing

Upload-artifact should error when no files found to avoid silent green builds.

       - name: Upload build artifacts (update site)
         if: ${{ !cancelled() }}
         uses: actions/upload-artifact@v4
         with:
           name: com.espressif.idf.update-${{ env.VERSION }}
           path: releng/com.espressif.idf.update/target/repository
+          if-no-files-found: error

Apply the same to other upload-artifact steps in this workflow.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ab61881 and efe9977.

📒 Files selected for processing (1)

.github/workflows/ci.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/ci.yml

107-107: could not parse as YAML: yaml: line 107: found character that cannot start any token

(syntax-check)

🪛 YAMLlint (1.37.1)

.github/workflows/ci.yml

[error] 107-107: syntax error: found character '\t' that cannot start any token

(syntax)

🔇 Additional comments (3)

.github/workflows/ci.yml (3)
41-61: Artifacts: sanity-check paths across platforms

Confirm these Windows/Linux archives are produced by the macOS build (Tycho cross-build). If not, these uploads will be empty.

If they’re built elsewhere, switch this step to download artifacts from prior jobs or move packaging to matching OS runners.

125-129: actions/setup-python: bump to v5 (actionlint failure)

v4 is flagged as too old by actionlint. Upgrade to v5.
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
141-145: Make test step cross‑OS safe (avoid POSIX export on Windows)

Use step env instead of export; keep run single‑line for PowerShell compatibility.
-      - name: Run Tests
-        run: |
-          export NO_AT_BRIDGE=1
-		  mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace="${{ matrix.testWorkspace }}"
+      - name: Run Tests
+        env:
+          NO_AT_BRIDGE: "1"
+        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace=${{ matrix.testWorkspace }}

.github/workflows/ci.yml

coderabbitai

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/ci.yml (2)
18-26: Enable Maven dependency caching to speed up builds

Add cache: maven to setup-java steps for faster, more reliable builds.
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'
135-140: Enable Maven cache for test job too

Add cache: maven here as well for consistency and speed.
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f21fec and 0961eca.

📒 Files selected for processing (1)

.github/workflows/ci.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/ci.yml

126-126: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (6)

.github/workflows/ci.yml (6)
34-61: Good switch to upload-artifact action for multi-OS outputs

Using actions/upload-artifact@v4 here resolves prior GH CLI issues and simplifies auth.

92-105: Artifact uploads for DMGs look correct

Names include version and arch, and paths match the builder outputs.

106-120: Matrix structure and runs-on resolution look good

Tabs/indent issues from prior iteration are resolved; per-OS runner label arrays are correct.

125-129: Bump setup-python to v5 (actionlint failure)

actions/setup-python@v4 is too old per actionlint; upgrade to v5.
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'
147-153: Fix JUnit report glob for Maven Surefire/Failsafe

Use Maven-standard TEST-*.xml locations; current glob likely finds nothing.
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit
141-146: NO_AT_BRIDGE not effective; env set in one step doesn’t persist to next

Move NO_AT_BRIDGE to the Maven step’s env (or job env). The current export doesn’t affect the following step.
-      - name: Set NO_AT_BRIDGE
-        if: runner.os == 'linux'
-        run: export NO_AT_BRIDGE=1
-      - name: Run Maven
-        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace="${{ matrix.testWorkspace }}"
+      - name: Run Maven
+        env:
+          NO_AT_BRIDGE: '1'
+        run: mvn verify -Djarsigner.skip=true -DskipTests=false -DtestWorkspace="${{ matrix.testWorkspace }}"

coderabbitai · 2025-09-24T15:45:45Z

.github/workflows/ci.yml

+      - name: Extract version number
+        id: extract_version
+        run: |
+          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
+          echo "VERSION=$version" >> $GITHUB_ENV
+          echo "VERSION=$version" >> $GITHUB_OUTPUT
+


⚠️ Potential issue

Harden version extraction; current ls/sed is fragile and nondeterministic

Resolve via Maven-evaluated project.version with strict erroring.

- name: Extract version number id: extract_version - run: | - version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1) - echo "VERSION=$version" >> $GITHUB_ENV - echo "VERSION=$version" >> $GITHUB_OUTPUT + run: | + set -euo pipefail + version=$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1) + if [ -z "${version:-}" ]; then + echo "Failed to determine version" >&2 + exit 1 + fi + echo "VERSION=$version" >> "$GITHUB_ENV" + echo "VERSION=$version" >> "$GITHUB_OUTPUT"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

- name: Extract version number

id: extract_version

run: |

version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)

echo "VERSION=$version" >> $GITHUB_ENV

echo "VERSION=$version" >> $GITHUB_OUTPUT

- name: Extract version number

id: extract_version

run: |

set -euo pipefail

version=$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1)

if [ -z "${version:-}" ]; then

echo "Failed to determine version" >&2

exit 1

fi

echo "VERSION=$version" >> "$GITHUB_ENV"

echo "VERSION=$version" >> "$GITHUB_OUTPUT"

🤖 Prompt for AI Agents

.github/workflows/ci.yml around lines 27 to 33: the current version extraction using ls/sed is fragile and nondeterministic; replace it with a Maven evaluation of project.version (e.g., run mvn help:evaluate -Dexpression=project.version -q -DforceStdout) capture the output into a variable, validate it's non-empty and fail the step with a non-zero exit code if empty, and then export the validated version to both $GITHUB_ENV and $GITHUB_OUTPUT so the workflow uses the canonical Maven project.version reliably.

coderabbitai · 2025-09-24T15:45:45Z

.github/workflows/ci.yml

+      - name: Codesign Espressif-IDE
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        run: |
+          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          /usr/bin/security create-keychain -p espressif build.keychain
+          /usr/bin/security default-keychain -s build.keychain
+          /usr/bin/security unlock-keychain -p espressif build.keychain
+          /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+          /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
+
+          echo "codesigning espressif-ide-macosx.cocoa.x86_64"
+          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
+          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
+
+          echo "codesigning espressif-ide-macosx.cocoa.aarch64"
+          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
+          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
+
+          echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
+          $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
+          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+
+          echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
+          $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
+          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+


⚠️ Potential issue

Codesigning step: fix secret handling, unify DMG signing, and clean up keychain

Avoid echo injecting newlines into base64; use printf.

DMG signing is inconsistent (entitlements used for x86_64 but not aarch64). Use the same flags for both; entitlements are typically unnecessary for DMGs.

Delete temporary cert and keychain to reduce footprint on runner.

- name: Codesign Espressif-IDE env: MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} run: | - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12 /usr/bin/security create-keychain -p espressif build.keychain /usr/bin/security default-keychain -s build.keychain /usr/bin/security unlock-keychain -p espressif build.keychain /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain echo "codesigning espressif-ide-macosx.cocoa.x86_64" /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app echo "codesigning espressif-ide-macosx.cocoa.aarch64" /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64" $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh - /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v + /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64" $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg + rm -f certificate.p12 + /usr/bin/security delete-keychain build.keychain || true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

- name: Codesign Espressif-IDE

env:

MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}

MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}

run: |

echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12

/usr/bin/security create-keychain -p espressif build.keychain

/usr/bin/security default-keychain -s build.keychain

/usr/bin/security unlock-keychain -p espressif build.keychain

/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign

/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

echo "codesigning espressif-ide-macosx.cocoa.x86_64"

/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v

/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app

echo "codesigning espressif-ide-macosx.cocoa.aarch64"

/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v

/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app

echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"

$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh

/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v

/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"

$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh

/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v

/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

- name: Codesign Espressif-IDE

env:

MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}

MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}

run: |

printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12

/usr/bin/security create-keychain -p espressif build.keychain

/usr/bin/security default-keychain -s build.keychain

/usr/bin/security unlock-keychain -p espressif build.keychain

/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign

/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

echo "codesigning espressif-ide-macosx.cocoa.x86_64"

/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement \

--options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \

$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v

/usr/bin/codesign -v -vvv --deep \

$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app

echo "codesigning espressif-ide-macosx.cocoa.aarch64"

/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement \

--options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \

$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v

/usr/bin/codesign -v -vvv --deep \

$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app

echo "Creating dmg for espressif-ide-macosx.cocoa-x86_64"

$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh

/usr/bin/codesign --options runtime --force \

-s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \

"$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v

/usr/bin/codesign -v -vvv --deep \

$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

echo "Creating dmg for espressif-ide-macosx.cocoa-aarch64"

$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh

/usr/bin/codesign --options runtime --force \

-s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" \

$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v

/usr/bin/codesign -v -vvv --deep \

$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

rm -f certificate.p12

/usr/bin/security delete-keychain build.keychain || true

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)
18-23: Optional: enable Maven dependency caching

Speeds up builds across both jobs.
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'
Also applies to: 135-140

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0961eca and b5af544.

📒 Files selected for processing (1)

.github/workflows/ci.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/ci.yml

126-126: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

GitHub Check: build_and_test (windows, self-hosted, eclipseUpd, BrnoWIN0007, C:/actions-runner/_work/workspace,...
GitHub Check: build_and_publish_macos

🔇 Additional comments (5)

.github/workflows/ci.yml (5)

27-33: Harden version extraction; use Maven-evaluated project.version

Current ls/sed is fragile and can yield empty/incorrect versions. Prefer mvn help:evaluate.

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          version="$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1)"
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine version" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

62-91: Codesigning: fix base64 decode, unify DMG signing, and clean up keychain

Use printf to avoid newline issues, avoid entitlements for DMGs, quote paths, and remove temporary creds/keychain.

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
-          /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+          /usr/bin/security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
 
           echo "codesigning espressif-ide-macosx.cocoa.x86_64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app"
 
           echo "codesigning espressif-ide-macosx.cocoa.aarch64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app"
 
           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg"
 
           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
-          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg"
+          rm -f certificate.p12
+          /usr/bin/security delete-keychain build.keychain || true

147-153: Fix JUnit report glob for Maven Surefire/Failsafe

Use canonical Maven report paths to ensure results are found.

       - name: Publish Test Reports
         if: ${{ always() }}
         uses: phoenix-actions/test-reporting@v12
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit

125-129: Update setup-python to v5 (actionlint failure)

v4 is too old for current runners; upgrade to v5.

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'

141-146: NO_AT_BRIDGE export doesn’t persist across steps; move to Run Maven env

Environment set in one run step isn’t available in subsequent steps. Set it on the Maven step (conditionally for Linux).

-      - name: Set NO_AT_BRIDGE
-        if: runner.os == 'linux'
-        run: export NO_AT_BRIDGE=1
       - name: Run Maven
-        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"
+        env:
+          NO_AT_BRIDGE: ${{ runner.os == 'Linux' && '1' || '' }}
+        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/ci.yml (2)
18-23: Enable Maven dependency caching to speed builds

Add cache: maven to setup-java to leverage GH cache for ~/.m2.
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'
143-148: Enable Maven caching in test job as well

Same caching improvement for the test matrix.
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: '21'
           distribution: 'temurin'
+          cache: 'maven'

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b5af544 and 83e77ba.

📒 Files selected for processing (1)

.github/workflows/ci.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/ci.yml

134-134: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: build_and_test (windows, self-hosted, eclipseUpd, BrnoWIN0007, C:/actions-runner/_work/workspace,...
GitHub Check: build_and_test (linux, self-hosted, eclipse, BrnoUBU0004, /opt/actions-runner/_work/workspace, Li...
GitHub Check: build_and_publish_macos

🔇 Additional comments (8)

.github/workflows/ci.yml (8)

27-33: Harden version detection: use Maven-evaluated project.version

The ls/sed approach is fragile and non-deterministic if multiple files match. Query Maven for the canonical version.

       - name: Extract version number
         id: extract_version
-        run: |
-          version=$(ls releng/com.espressif.idf.product/target/products/Espressif-IDE-*.tar.gz | sed -E 's/.*Espressif-IDE-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/' | head -n 1)
-          echo "VERSION=$version" >> $GITHUB_ENV
-          echo "VERSION=$version" >> $GITHUB_OUTPUT
+        run: |
+          set -euo pipefail
+          version=$(mvn -q -Dexpression=project.version -DforceStdout help:evaluate | tail -n1)
+          if [ -z "${version:-}" ]; then
+            echo "Failed to determine version" >&2
+            exit 1
+          fi
+          echo "VERSION=$version" >> "$GITHUB_ENV"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"

34-61: Artifact uploads via actions/upload-artifact look good

Switching to actions/upload-artifact is correct and simplifies auth/robustness.

62-91: Codesign step: safer secret handling, consistent DMG signing, and cleanup

Avoid echo adding a newline when decoding base64; use printf.
Use consistent flags for DMG signing; entitlements are not needed for DMGs.
Quote paths.
Delete the temporary cert and keychain.

       - name: Codesign Espressif-IDE
         env:
           MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
         run: |
-          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          printf %s "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
           /usr/bin/security create-keychain -p espressif build.keychain
           /usr/bin/security default-keychain -s build.keychain
           /usr/bin/security unlock-keychain -p espressif build.keychain
-          /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+          /usr/bin/security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
           /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

           echo "codesigning espressif-ide-macosx.cocoa.x86_64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app"

           echo "codesigning espressif-ide-macosx.cocoa.aarch64"
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
+          /usr/bin/codesign --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app"

           echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
-          /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg"

           echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
-          $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
-          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
-          /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+          "$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh"
+          /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg" -v
+          /usr/bin/codesign -v -vvv --deep "$PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg"
+          rm -f certificate.p12
+          /usr/bin/security delete-keychain build.keychain || true

92-105: DMG artifact upload steps look correct

Names and paths align with the codesign output and VERSION usage.

106-120: Matrix and runner labels are correctly structured

YAML structure and runs-on label arrays look good; this should match self-hosted runners reliably.

155-161: Fix JUnit glob for Maven Surefire/Failsafe reports

Current pattern likely misses results. Use target/*-reports.

       - name: Publish Test Reports
         if: ${{ always() }}
         uses: phoenix-actions/test-reporting@v12
         with:
           name: ${{ matrix.reportName }}
-          path: tests/*/*/*/TEST-*.xml
+          path: '**/target/*-reports/TEST-*.xml'
           reporter: java-junit

149-154: NO_AT_BRIDGE is not propagated; set it on the Maven step and drop the export step

Environment set in one step doesn’t persist to the next. Move NO_AT_BRIDGE to the Run Maven step (export is unnecessary and shell-specific).

-      - name: Set NO_AT_BRIDGE
-        if: runner.os == 'linux'
-        run: export NO_AT_BRIDGE=1
-      - name: Run Maven
-        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"
+      - name: Run Maven
+        env:
+          NO_AT_BRIDGE: ${{ runner.os == 'Linux' && '1' || '' }}
+        run: mvn verify "-Djarsigner.skip=true" "-DskipTests=false" "-DtestWorkspace=${{ matrix.testWorkspace }}"

133-137: Update setup-python to v5 (actionlint failure)

actions/setup-python@v4 is no longer supported on GitHub-hosted runners.

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'

kolipakakondal

Thanks for the PR. LGTM

feat: testing ci unification

84f4b56

sigmaaa self-assigned this Sep 23, 2025

feat: providing a strategy matrix to avoid repetition

405b2a4

coderabbitai bot reviewed Sep 24, 2025

View reviewed changes

fix: fixing ci yaml and formatting

ab61881

coderabbitai bot reviewed Sep 24, 2025

View reviewed changes

sigmaaa added 2 commits September 24, 2025 17:38

feat: Refactor CI matrix for custom runner and test config

efe9977

fix: removing tabs that breaks yml file

9f21fec

coderabbitai bot reviewed Sep 24, 2025

View reviewed changes

.github/workflows/ci.yml Show resolved Hide resolved

sigmaaa added 2 commits September 24, 2025 18:35

fix: replace bash if condition

0961eca

fix: fixing run maven line for windows

b5af544

coderabbitai bot reviewed Sep 24, 2025

View reviewed changes

sigmaaa added 3 commits September 24, 2025 21:29

fix: adding clone dependency

884baca

fix: removing the auto tab

03f73b3

fix: removing bad indentation

83e77ba

coderabbitai bot reviewed Sep 24, 2025

View reviewed changes

sigmaaa requested review from alirana01 and kolipakakondal September 29, 2025 07:31

sigmaaa changed the title ~~WIP: IEP-1616 CI unification~~ IEP-1616 CI unification Sep 29, 2025

kolipakakondal approved these changes Oct 6, 2025

View reviewed changes

IEP-1616 CI unification #1314

Are you sure you want to change the base?

IEP-1616 CI unification #1314

Conversation

sigmaaa commented Sep 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Type of change

How has this been tested?

Dependent components impacted by this PR:

Checklist

Summary by CodeRabbit

Uh oh!

coderabbitai bot commented Sep 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Possibly related PRs

Suggested reviewers

Poem

Pre-merge checks and finishing touches

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

kolipakakondal left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

sigmaaa commented Sep 23, 2025 •

edited

Loading

coderabbitai bot commented Sep 24, 2025 •

edited

Loading