Conversation
birtles
force-pushed
the
safari-ci
branch
3 times, most recently
from
9e0c089 to
d0a4c91
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ba789143ad
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
In the build_macos job, checkout uses the default workflow SHA instead of the commit created by bump (release-it pushes a new commit), so this job can produce iOS/macOS Safari artifacts from the previous revision while release tags and publishes needs.bump.outputs.sha. This can ship mismatched binaries/version metadata in the same release; set checkout ref to ${{ needs.bump.outputs.sha }} so all jobs build the same commit.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
This PR automates Safari build creation as part of the release workflow. Previously, Safari builds had to be created manually on a Mac. Now they are built automatically when triggering a release.
Changes:
- Adds export configuration plists for iOS and macOS Safari builds
- Modifies release-it configuration to disable automatic tagging and GitHub release creation
- Restructures the release workflow into three jobs: version bump, Safari builds, and release creation
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| xcode13/ExportOptions-iOS.plist | Adds export configuration for iOS Safari app with App Store Connect settings and provisioning profiles |
| xcode13/ExportOptions-Mac.plist | Adds export configuration for macOS Safari app with App Store Connect settings and provisioning profiles (contains typo) |
| .release-it.json | Simplifies configuration to only bump version and push commit, removing hooks and GitHub release logic now handled by workflow |
| .github/workflows/release.yml | Restructures workflow into separate jobs for version bump, macOS builds (with signing and export), and release creation with artifact handling |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| - name: Build assets | ||
| run: | | ||
| pnpm install |
There was a problem hiding this comment.
The pnpm install command is missing the '--frozen-lockfile' flag. For consistency with the bump job (line 40) and to ensure reproducible builds, consider using 'pnpm install --frozen-lockfile' instead of just 'pnpm install'.
| pnpm install | |
| pnpm install --frozen-lockfile |
| <key>jp.co.birchill.tenten-ja-reader</key> | ||
| <string>10ten Japanese Reader App Store Connect (Mac)</string> | ||
| <key>jp.co.birchill.tenten-ja-reader.Extension</key> | ||
| <string>10ten Japanese Reader Extension App Store ConnectM</string> |
There was a problem hiding this comment.
The provisioning profile name appears to have a typo. It should likely be "10ten Japanese Reader Extension App Store Connect (Mac)" to match the pattern on line 14, rather than "ConnectM".
| <string>10ten Japanese Reader Extension App Store ConnectM</string> | |
| <string>10ten Japanese Reader Extension App Store Connect (Mac)</string> |
| run: | | ||
| # Save the cert and profiles to temp files | ||
| echo -n "$CERT_BASE64" | base64 --decode > cert.p12 | ||
| echo -n "$MAC_INSTALLER_CERT_BASE64" | base64 --decode > mac-installer.p12 | ||
| echo -n "$PROFILE_IOS" | base64 --decode > ios.mobileprovision | ||
| echo -n "$PROFILE_IOS_EXT" | base64 --decode > ios-ext.mobileprovision | ||
| echo -n "$PROFILE_MAC" | base64 --decode > mac.provisionprofile | ||
| echo -n "$PROFILE_MAC_EXT" | base64 --decode > mac-ext.provisionprofile | ||
|
|
||
| # Create a temporary keychain and import the .p12 certificate | ||
| security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain-db | ||
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain-db | ||
| security import cert.p12 -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k build.keychain-db | ||
| security import mac-installer.p12 -P "$MAC_INSTALLER_CERT_PASSWORD" -A -t cert -f pkcs12 -k build.keychain-db | ||
| security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" build.keychain-db | ||
| security list-keychain -d user -s build.keychain-db | ||
|
|
||
| # Install provisioning profiles | ||
| mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles | ||
| cp ios.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/ | ||
| cp ios-ext.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/ | ||
| cp mac.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/ | ||
| cp mac-ext.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/ |
There was a problem hiding this comment.
Sensitive files (cert.p12, mac-installer.p12, and provisioning profiles) are not cleaned up after use. These temporary files contain sensitive certificates and profiles that should be removed after installation. Consider adding a cleanup step or using a trap to ensure these files are deleted even if the build fails.
| security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain-db | ||
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain-db | ||
| security import cert.p12 -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k build.keychain-db | ||
| security import mac-installer.p12 -P "$MAC_INSTALLER_CERT_PASSWORD" -A -t cert -f pkcs12 -k build.keychain-db | ||
| security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" build.keychain-db | ||
| security list-keychain -d user -s build.keychain-db |
There was a problem hiding this comment.
The temporary keychain 'build.keychain-db' is created but never deleted. After the build completes (or fails), the keychain should be removed to avoid leaving sensitive cryptographic material on the runner. Consider adding a cleanup step that runs even on failure, such as using a separate job step with 'if: always()' or adding cleanup commands after the export steps.
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.ipa | ||
|
|
||
| - name: Export Mac app package | ||
| run: | | ||
| xcodebuild -exportArchive \ | ||
| -archivePath $GITHUB_WORKSPACE/build/10ten-mac.xcarchive \ | ||
| -exportOptionsPlist "xcode13/ExportOptions-Mac.plist" \ | ||
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.pkg |
There was a problem hiding this comment.
The exportPath is set to a directory path ending in '.ipa', but xcodebuild's -exportArchive expects a directory path, not a file path. The .ipa file will be created inside this directory. This means the actual file path will be something like '$GITHUB_WORKSPACE/build/10ten-ja-reader.ipa/10ten Japanese Reader.ipa', which won't match the artifact upload pattern '*.ipa'. The exportPath should be set to just '$GITHUB_WORKSPACE/build' or a proper directory name.
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.ipa | |
| - name: Export Mac app package | |
| run: | | |
| xcodebuild -exportArchive \ | |
| -archivePath $GITHUB_WORKSPACE/build/10ten-mac.xcarchive \ | |
| -exportOptionsPlist "xcode13/ExportOptions-Mac.plist" \ | |
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.pkg | |
| -exportPath $GITHUB_WORKSPACE/build | |
| - name: Export Mac app package | |
| run: | | |
| xcodebuild -exportArchive \ | |
| -archivePath $GITHUB_WORKSPACE/build/10ten-mac.xcarchive \ | |
| -exportOptionsPlist "xcode13/ExportOptions-Mac.plist" \ | |
| -exportPath $GITHUB_WORKSPACE/build |
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.ipa | ||
|
|
||
| - name: Export Mac app package | ||
| run: | | ||
| xcodebuild -exportArchive \ | ||
| -archivePath $GITHUB_WORKSPACE/build/10ten-mac.xcarchive \ | ||
| -exportOptionsPlist "xcode13/ExportOptions-Mac.plist" \ | ||
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.pkg |
There was a problem hiding this comment.
The exportPath is set to a directory path ending in '.pkg', but xcodebuild's -exportArchive expects a directory path, not a file path. The .pkg file will be created inside this directory. This means the actual file path will be something like '$GITHUB_WORKSPACE/build/10ten-ja-reader.pkg/10ten Japanese Reader.pkg', which won't match the artifact upload pattern '*.pkg'. The exportPath should be set to just '$GITHUB_WORKSPACE/build' or a proper directory name.
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.ipa | |
| - name: Export Mac app package | |
| run: | | |
| xcodebuild -exportArchive \ | |
| -archivePath $GITHUB_WORKSPACE/build/10ten-mac.xcarchive \ | |
| -exportOptionsPlist "xcode13/ExportOptions-Mac.plist" \ | |
| -exportPath $GITHUB_WORKSPACE/build/10ten-ja-reader.pkg | |
| -exportPath $GITHUB_WORKSPACE/build | |
| - name: Export Mac app package | |
| run: | | |
| xcodebuild -exportArchive \ | |
| -archivePath $GITHUB_WORKSPACE/build/10ten-mac.xcarchive \ | |
| -exportOptionsPlist "xcode13/ExportOptions-Mac.plist" \ | |
| -exportPath $GITHUB_WORKSPACE/build |
| echo -n "$PROFILE_MAC" | base64 --decode > mac.provisionprofile | ||
| echo -n "$PROFILE_MAC_EXT" | base64 --decode > mac-ext.provisionprofile | ||
|
|
||
| # Create a temporary keychain and import the .p12 certificate |
There was a problem hiding this comment.
The keychain creation command will fail if 'build.keychain-db' already exists from a previous run. Although GitHub Actions typically provides clean runners, it's safer to delete any existing keychain with the same name before creating a new one. Consider adding 'security delete-keychain build.keychain-db 2>/dev/null || true' before the create-keychain command.
| # Create a temporary keychain and import the .p12 certificate | |
| # Create a temporary keychain and import the .p12 certificate | |
| security delete-keychain build.keychain-db 2>/dev/null || true |
|
|
||
| - name: Build extension code | ||
| run: |- | ||
| pnpm install |
There was a problem hiding this comment.
The pnpm install command is missing the '--frozen-lockfile' flag. For consistency with the bump job (line 40) and to ensure reproducible builds, consider using 'pnpm install --frozen-lockfile' instead of just 'pnpm install'.
| pnpm install | |
| pnpm install --frozen-lockfile |
Try to get our Safari builds to be created as part of triggering a release.