IEP-1475: Signing Windows Executable #1228

Merged
merged 33 commits into from
Jun 4, 2025

alirana01 (Collaborator) commented May 19, 2025

Description

Signing Windows binary.

Fixes # (IEP-1475)

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

How has this been tested?

Running workflow

Checklist

  • PR Self Reviewed
  • Applied Code formatting

Summary by CodeRabbit

  • Chores
    • Improved the release process to support cross-platform builds for macOS, Windows, and Linux.
    • Added Windows executable signing and enhanced macOS code signing and notarization.
    • Streamlined artifact versioning, naming, and uploads to AWS S3 for easier access and distribution.
    • Modularized the release workflow for better reliability and maintainability.

@alirana01 alirana01 self-assigned this May 19, 2025

coderabbitai bot commented May 19, 2025

Walkthrough

The GitHub Actions release workflow was renamed and restructured to use three distinct jobs: macos-build, windows-sign, and upload-aws. These jobs coordinate to build, sign, and upload release artifacts for Espressif-IDE across macOS, Windows, and Linux, with improved artifact handling, versioning, and AWS S3 upload logic.

Changes

File(s) | Change Summary
.github/workflows/ci_release.yml | Workflow split into macos-build, windows-sign, and upload-aws jobs; added artifact handling, cross-platform signing, global env vars, and modularized upload/versioning logic.

Sequence Diagram(s)

sequenceDiagram
    participant GitHubActions
    participant macos-build
    participant windows-sign
    participant upload-aws
    participant AWS_S3

    GitHubActions->>macos-build: Start build (macOS, Linux, Windows)
    macos-build->>macos-build: Build, sign (macOS), create artifacts
    macos-build->>windows-sign: Provide Windows artifact
    windows-sign->>windows-sign: Sign Windows executable
    windows-sign->>upload-aws: Provide all signed artifacts
    upload-aws->>AWS_S3: Upload artifacts, set redirects, invalidate CloudFront

Poem

🐇
Three jobs now hop where one once stood,
Building, signing, as only bunnies could.
Mac and Windows, zipped up tight,
Off to the cloud, launched in the night.
With paws on the pipeline and whiskers in code,
Our releases now travel a modular road!



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (4)
.github/workflows/win_exe_sign_test.yml (4)

1-1: Refine workflow name & formatting

  • The workflow is named Java CI with Maven, which doesn’t reflect its purpose of signing Windows executables. Consider renaming it, e.g.:
    name: Windows Executable Signing
  • Remove the trailing whitespace on this line to satisfy YAML linting rules.
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 1-1: trailing spaces

(trailing-spaces)


17-17: Remove trailing whitespace
Lines 17 and 21 contain trailing spaces and will fail YAML linting (YAMLlint errors). Please delete any extra spaces on these blank lines.

Also applies to: 21-21

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 17-17: trailing spaces

(trailing-spaces)


22-27: Explicitly declare PowerShell shell
The decode step uses PowerShell cmdlets (Out-File) but doesn’t specify shell: pwsh. To make the intent explicit and avoid ambiguity if defaults change, add:

-    - name: Decode base64-encoded JKS
-      run: |
+    - name: Decode base64-encoded JKS
+      shell: pwsh
+      run: |
         echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
         certutil -decode encoded.b64 mykeystore.jks
         Remove-Item encoded.b64

44-44: Use HTTPS for timestamp server
Switch the timestamp URL to HTTPS to ensure the timestamp request is sent securely:

-/tr http://timestamp.digicert.com
+/tr https://timestamp.digicert.com
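
Review bot: on the /tr line, confirm that the timestamp service answers on the https URL before merging, because a failed timestamp request fails the whole signing step. The RFC 3161 token that signtool embeds is itself signed and checked at verification time, so its integrity does not rest on the transport scheme.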
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between ec6063f and 826dfc7.

⛔ Files ignored due to path filters (1)
  • releng/espressif-ide.exe is excluded by !**/*.exe
📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 1-1: trailing spaces

(trailing-spaces)


[error] 17-17: trailing spaces

(trailing-spaces)


[error] 21-21: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build_macos
🔇 Additional comments (1)
.github/workflows/win_exe_sign_test.yml (1)

3-7: Validate on triggers
This workflow only runs on pushes and PRs targeting master.

  • If your default branch is main, or you want to sign release tags, update these triggers.
  • Otherwise, confirm that master is indeed your intended branch.

PFX_PASS: ${{ secrets.WIN_CERTIFICATE_PWD }}

steps:
- uses: actions/checkout@v3
🛠️ Refactor suggestion

Update checkout action version
Actionlint flags actions/checkout@v3 as outdated. Bump to the latest major version:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4
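
Review bot: actions/checkout@v4 is still a mutable tag, and this workflow receives the signing secrets (PFX_PASS is set from secrets.WIN_CERTIFICATE_PWD). Pin the action to a full commit SHA, with the version in a trailing comment, so a retagged release cannot run in the same job as the keystore.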

This ensures you get the newest bug fixes and performance improvements.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v3
- uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 19, the checkout action
version is outdated. Update the version from actions/checkout@v3 to the latest
major version, such as actions/checkout@v4, to incorporate the newest bug fixes
and performance improvements.

Comment on lines 28 to 37
    - name: Convert JKS to PFX
      shell: pwsh
      run: |
        & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
          -srckeystore mykeystore.jks `
          -srcstorepass $env:JKS_PASS `
          -srcalias $env:ALIAS `
          -destkeystore cert.pfx `
          -deststoretype PKCS12 `
          -deststorepass $env:PFX_PASS
🛠️ Refactor suggestion

Secure handling of keystore & error checking

  • After conversion, mykeystore.jks remains on the runner. Remove it to avoid leaking secrets:
       & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
            -srckeystore mykeystore.jks `
            … `
            -deststorepass $env:PFX_PASS
+      Remove-Item mykeystore.jks
  • If the key entry has a separate password, add -srckeypass $env:KEY_PASS.
  • Consider breaking out each step or enabling fail-fast / set -e style behavior so the job fails immediately on errors.



📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
  - name: Convert JKS to PFX
    shell: pwsh
    run: |
     & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
          -srckeystore mykeystore.jks `
          -srcstorepass $env:JKS_PASS `
          -srcalias $env:ALIAS `
          -destkeystore cert.pfx `
          -deststoretype PKCS12 `
          -deststorepass $env:PFX_PASS
     Remove-Item mykeystore.jks
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 28 to 37, improve
security and robustness by deleting the mykeystore.jks file after conversion to
prevent secret leakage, add the -srckeypass $env:KEY_PASS option if the key
entry uses a separate password, and modify the script to enable fail-fast
behavior so the job stops immediately on errors, either by breaking the command
into steps or using error handling features like set -e or equivalent in
PowerShell.

Comment on lines 39 to 47
    - name: Sign Windows Executable
      run: |
        & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
          /f cert.pfx `
          /p $env:PFX_PASS `
          /tr http://timestamp.digicert.com `
          /td sha256 `
          /fd sha256 `
          releng/espressif-ide.exe
🛠️ Refactor suggestion

Specify shell & avoid hardcoded SDK path

  • The signing commands use PowerShell syntax (& and backticks) but don’t declare shell: pwsh; add it for clarity.
  • Hardcoding 10.0.17763.0 may not match the runner’s installed Windows SDK. Instead, rely on signtool.exe in PATH or dynamically locate the correct SDK version:
-    - name: Sign Windows Executable
-      run: |
+    - name: Sign Windows Executable
+      shell: pwsh
+      run: |
       signtool sign `
            /f cert.pfx `
            /p $env:PFX_PASS `
            /tr https://timestamp.digicert.com `
            /td sha256 `
            /fd sha256 `
            releng/espressif-ide.exe

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 39 to 47, the signing
step uses PowerShell syntax but does not specify 'shell: pwsh', so add 'shell:
pwsh' to ensure the commands run in PowerShell. Also, remove the hardcoded
Windows SDK path '10.0.17763.0' and instead call 'signtool.exe' directly
assuming it is in the system PATH or implement a method to dynamically locate
the correct SDK version to avoid path mismatches.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (3)
.github/workflows/win_exe_sign_test.yml (3)

19-19: Update checkout action version
Actionlint flags actions/checkout@v3 as outdated. Bump to the latest major version to ensure you get the newest bug fixes and performance improvements.

Apply this diff:

-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


28-38: Secure handling of keystore & error checking
After converting the JKS to PFX, the original mykeystore.jks remains on the runner, risking secret leakage. Also consider adding -srckeypass $env:KEY_PASS if the keystore entry has a separate password and enabling fail-fast behavior (e.g., splitting into steps or using set -e).

Apply this diff:

     - name: Convert JKS to PFX
       shell: pwsh
       run: |
        & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
             -srckeystore mykeystore.jks `
             -srcstorepass $env:JKS_PASS `
             -srcalias $env:ALIAS `
             -destkeystore cert.pfx `
             -deststoretype PKCS12 `
             -deststorepass $env:PFX_PASS
+       # Remove the intermediate JKS to avoid leaking secrets
+      Remove-Item mykeystore.jks
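
Review bot: the added Remove-Item line is indented one column less than the & line above it, level with run:, so as written it falls outside the block scalar; indent both added lines to match the & line. cert.pfx also holds the private key and is still left on the runner, so it needs the same cleanup once signing is done.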

39-47: Specify shell and avoid hardcoded SDK path
PowerShell syntax (& and backticks) is used but no shell is specified. Also, hardcoding the Windows SDK path may fail if the runner's SDK version differs. Use signtool.exe from PATH or dynamically locate it.

Apply this diff:

-    - name: Sign Windows Executable
-      run: |
+    - name: Sign Windows Executable
+      shell: pwsh
+      run: |
-       & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+       signtool.exe sign `
            /f cert.pfx `
            /p $env:PFX_PASS `
-           /tr http://timestamp.digicert.com `
+           /tr https://timestamp.digicert.com `
            /td sha256 `
            /fd sha256 `
            releng/espressif-ide.exe
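
Review bot: nothing after the sign call in this step, as shown, checks the result or removes cert.pfx. Add a signtool verify /pa on releng/espressif-ide.exe after signing and delete cert.pfx afterwards. /p $env:PFX_PASS also puts the password on the process command line, which is worth keeping out of any step that echoes its commands.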

Additionally, switching to HTTPS for the timestamp URL improves security.

🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

17-21: Remove trailing whitespace
Lines 17 and 21 contain unnecessary trailing spaces, causing YAML lint errors. Remove the trailing spaces to comply with YAML formatting.

Apply this diff:

-    ​   ​   ​   ​    # line 17 (contains trailing spaces)
+    # line 17 (no trailing spaces)

-                   # line 21 (contains trailing spaces)
+    # line 21 (no trailing spaces)

(Replace each blank line’s trailing spaces with a clean empty line.)

🧰 Tools
🪛 actionlint (1.7.7)

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[error] 17-17: trailing spaces

(trailing-spaces)


[error] 21-21: trailing spaces

(trailing-spaces)


22-27: Specify shell for PowerShell commands
The run block relies on PowerShell-specific cmdlets (Out-File, certutil). On Windows runners, the default shell may vary. Explicitly set shell: pwsh (or powershell) to ensure consistent execution.

Apply this diff:

-    - name: Decode base64-encoded JKS
-      run: |
+    - name: Decode base64-encoded JKS
+      shell: pwsh
+      run: |
         echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
         certutil -decode encoded.b64 mykeystore.jks
         Remove-Item encoded.b64
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 826dfc7 and 200eee5.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 17-17: trailing spaces

(trailing-spaces)


[error] 21-21: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build_macos

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (3)
.github/workflows/win_exe_sign_test.yml (3)

19-19: Update checkout action to latest version
Actionlint flags actions/checkout@v3 as outdated. Bump to the latest major version to get bug fixes and performance improvements. Apply this diff:

-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


28-38: Secure keystore conversion & cleanup
Post-conversion, mykeystore.jks remains on the runner—remove it to prevent secret leakage. If the key alias has a separate password, include -srckeypass. Also, enable fail-fast behavior with $ErrorActionPreference = 'Stop'. Example:

     - name: Convert JKS to PFX
       shell: pwsh
       run: |
+        $ErrorActionPreference = 'Stop'
        & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
             -srckeystore mykeystore.jks `
             -srcstorepass $env:JKS_PASS `
             -srcalias $env:ALIAS `
+            -srckeypass $env:KEY_PASS `
             -destkeystore cert.pfx `
             -deststoretype PKCS12 `
             -deststorepass $env:PFX_PASS
+        Remove-Item mykeystore.jks -Force
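
Review bot: $ErrorActionPreference = 'Stop' does not, by default, make PowerShell stop on a non-zero exit code from keytool.exe, so the fail-fast line does not cover the one command that matters here. Check $LASTEXITCODE after the call, and put Remove-Item in a finally block so the keystore is deleted on the failure path too. KEY_PASS is introduced by this hunk and needs a matching env entry and secret.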

39-47: Specify shell and avoid hardcoded signtool path
This step uses PowerShell syntax but doesn’t declare shell: pwsh. Hardcoding the Windows Kits path can break if the SDK version changes; instead, dynamically locate signtool.exe from PATH and switch the timestamp URL to HTTPS:

     - name: Sign Windows Executable
-      run: |
-       & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+      shell: pwsh
+      run: |
+        $signtool = (Get-Command signtool.exe).Source
+        & $signtool sign `
             /f cert.pfx `
             /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
+            /tr https://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `
             releng/espressif-ide.exe
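
Review bot: (Get-Command signtool.exe).Source assumes signtool.exe is on the runner's PATH, which nothing in this hunk establishes; if it is not, the step now fails where the hard-coded path worked. Fall back to searching under C:\Program Files (x86)\Windows Kits\10\bin when Get-Command finds nothing.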
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

17-17: Remove trailing whitespace
Lines 17, 21, and 56 contain trailing spaces, which trigger YAMLlint errors. Please remove them.

Also applies to: 21-21, 56-56

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 17-17: trailing spaces

(trailing-spaces)


22-27: Explicitly specify PowerShell shell and refine base64 decode
Even though Windows runners default to PowerShell, declaring shell: pwsh improves clarity. Also, using Out-File -Encoding ASCII may introduce a BOM; prefer Set-Content with -Encoding ASCII. For example:

-    - name: Decode base64-encoded JKS
-      run: |
+    - name: Decode base64-encoded JKS
+      shell: pwsh
+      run: |
         Set-Content -Path encoded.b64 -Value $env:JKS_B64 -Encoding ASCII
         certutil -decode encoded.b64 mykeystore.jks
         Remove-Item encoded.b64
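
Review bot: the decode step still writes the base64 text to encoded.b64 and shells out to certutil, whichever cmdlet writes the file. [IO.File]::WriteAllBytes('mykeystore.jks', [Convert]::FromBase64String($env:JKS_B64)) decodes in process, with no intermediate file and no text encoding involved.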
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 200eee5 and 914f938.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 17-17: trailing spaces

(trailing-spaces)


[error] 21-21: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build_macos

Comment on lines 18 to 28
    steps:
    - uses: actions/checkout@v3


    - name: Decode base64-encoded JKS
      run: |
        echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
        certutil -decode encoded.b64 mykeystore.jks
        Remove-Item encoded.b64

    - name: Convert JKS to PFX
🛠️ Refactor suggestion

Add Java setup action
The workflow invokes keytool.exe but doesn't ensure a JDK is installed or JAVA_HOME is set. Insert the official setup action before converting the keystore:

     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v4
+    - name: Set up Java
+      uses: actions/setup-java@v3
+      with:
+        distribution: 'temurin'
+        java-version: '11'

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 actionlint (1.7.7)

19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[error] 21-21: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 18 to 28, the workflow
uses keytool.exe without ensuring a JDK is installed or JAVA_HOME is set. Fix
this by adding the official Java setup action (actions/setup-java) before the
step that converts the keystore. Configure it to install the required JDK
version and set JAVA_HOME properly to enable keytool.exe usage.
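
A consolidated version of the decode, convert, sign and clean-up steps discussed in the review comments above, as an added example that is not part of the PR or of the bot's suggestions. The function names Invoke-Native and Resolve-SignTool and the $Target and $TimestampUrl parameters are hypothetical; the environment variable names, file names and tool flags are the ones shown on the page, except signtool verify /pa, which is added here.

```powershell
# Added example: body for the signing job's run step (shell: pwsh).
# Assumed env vars, named as on the page: JKS_B64, JKS_PASS, ALIAS, PFX_PASS, JAVA_HOME.
param(
    [string]$Target = 'releng/espressif-ide.exe',             # file signed on the page
    [string]$TimestampUrl = 'http://timestamp.digicert.com'   # URL as in the workflow under review
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Invoke-Native {
    # By default $ErrorActionPreference does not stop on a native tool's
    # non-zero exit code, so $LASTEXITCODE is checked after every call.
    # The error names only the executable, never its arguments (passwords).
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

function Resolve-SignTool {
    # Prefer PATH; otherwise take the highest-sorting x64 signtool.exe under
    # the Windows Kits directory instead of hard-coding one SDK version.
    $cmd = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    $kits = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    $found = Get-ChildItem -Path $kits -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\*' } |
        Sort-Object FullName |
        Select-Object -Last 1
    if (-not $found) { throw 'signtool.exe not found on PATH or under Windows Kits' }
    return $found.FullName
}

# Key material lives in a per-run directory that is removed on every exit path.
$work = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $work | Out-Null
$jks = Join-Path $work 'mykeystore.jks'
$pfx = Join-Path $work 'cert.pfx'

try {
    # Decode in process: no encoded.b64 on disk, no text encoding involved.
    [IO.File]::WriteAllBytes($jks, [Convert]::FromBase64String($env:JKS_B64))

    Invoke-Native (Join-Path $env:JAVA_HOME 'bin\keytool.exe') @(
        '-importkeystore',
        '-srckeystore', $jks, '-srcstorepass', $env:JKS_PASS, '-srcalias', $env:ALIAS,
        '-destkeystore', $pfx, '-deststoretype', 'PKCS12', '-deststorepass', $env:PFX_PASS)

    $signtool = Resolve-SignTool
    Invoke-Native $signtool @(
        'sign', '/f', $pfx, '/p', $env:PFX_PASS,
        '/tr', $TimestampUrl, '/td', 'sha256', '/fd', 'sha256', $Target)

    # Fail the job unless the file verifies under the Authenticode policy.
    Invoke-Native $signtool @('verify', '/pa', $Target)
}
finally {
    # Runs on success and on failure, so neither the JKS nor the PFX outlives the step.
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
}
```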

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (4)
.github/workflows/win_exe_sign_test.yml (4)

22-22: Update checkout action to the latest major version
Actionlint flags actions/checkout@v3 as outdated. Bump to actions/checkout@v4 to leverage the newest fixes and performance improvements.

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


106-106: Update checkout action to the latest major version (duplicate)
As noted above, bump actions/checkout@v3 to actions/checkout@v4.

🧰 Tools
🪛 actionlint (1.7.7)

106-106: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


125-134: 🛠️ Refactor suggestion

Secure cleanup & optional key-pass handling

  1. Remove mykeystore.jks after conversion so the raw keystore isn’t left on the runner.
  2. If the key entry uses a separate password, add -srckeypass $env:KEY_PASS to avoid interactive prompts.
   certutil -decode encoded.b64 mykeystore.jks
   Remove-Item encoded.b64
+  & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
+    -srckeystore mykeystore.jks `
+    -srcstorepass $env:JKS_PASS `
+    -srckeypass $env:KEY_PASS `   # optional: only if the key alias has its own password
+    -destkeystore cert.pfx `
+    -deststoretype PKCS12 `
+    -deststorepass $env:PFX_PASS
+  Remove-Item mykeystore.jks
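
Review bot: on the -srckeypass line the backtick is followed by spaces and a comment, so it is no longer the last character on the line and the continuation ends there; the three -dest options are then no longer part of the keytool command. Move the comment above the command. This version also drops -srcalias $env:ALIAS, which the earlier hunks pass.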

136-145: 🛠️ Refactor suggestion

Avoid hardcoded SDK paths & enforce PowerShell
Specify shell: pwsh and invoke signtool.exe from the PATH to prevent mismatches. Also switch to HTTPS for timestamping.

-      - name: Sign Windows Executable
-        run: |
+      - name: Sign Windows Executable
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1
-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & "signtool.exe" sign `
             /f cert.pfx `
             /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
+            /tr https://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `
             $exe.FullName
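
Review bot: $exe is whatever Get-ChildItem returns first under extracted, and is $null when nothing matches, in which case signtool is called with no file. Fail the step unless exactly one expected executable is found, and select it by its known relative path rather than by search order.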
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

52-58: Remove temporary certificate after import
To avoid leaving sensitive files on the runner, delete certificate.p12 once it’s imported into the keychain.

  security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+ rm certificate.p12

157-202: Clean up commented-out deploy job
The large commented block adds noise. If this deploy job isn’t ready, consider moving it to a dedicated WIP branch or removing it until it’s complete.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 914f938 and 543756a.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


106-106: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: build
🔇 Additional comments (5)
.github/workflows/win_exe_sign_test.yml (5)

62-66: Approve: Architecture-specific codesigning loop
The loop correctly signs each architecture’s .app and immediately verifies with codesign -v --deep.


72-76: Approve: DMG codesigning loop
Consistent with the app signing above, these commands sign and verify each DMG.


92-101: Approve: Artifact upload configuration
Uploading all build outputs under a single release-artifacts bundle ensures downstream jobs can retrieve everything required.


109-113: Approve: Downloading release artifacts
actions/download-artifact@v4 correctly retrieves the macOS outputs for Windows signing.


151-156: Approve: Uploading signed Windows ZIP
Re-uploading the single signed ZIP under the same artifact name keeps the workflow consistent.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (5)
.github/workflows/win_exe_sign_test.yml (5)

22-22: Update checkout action version
Actionlint flags actions/checkout@v3 as outdated. Bump to actions/checkout@v4.

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: Update setup-java action version
Actionlint flags actions/setup-java@v3 as outdated. Upgrade to actions/setup-java@v4.

🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


108-108: Update checkout action in windows-sign
The Windows job still uses actions/checkout@v3. Please bump to actions/checkout@v4 here as well.

🧰 Tools
🪛 actionlint (1.7.7)

108-108: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


140-147: 🛠️ Refactor suggestion

Avoid hardcoded signtool path and use HTTPS timestamping
Hardcoding the Windows SDK version can break on runner updates. Instead call signtool.exe directly (it’s on the PATH) and switch to HTTPS for timestamping:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & signtool.exe sign `
     /f cert.pfx `
     /p $env:PFX_PASS `
-   /tr http://timestamp.digicert.com `
+   /tr https://timestamp.digicert.com `
     /td sha256 `
     /fd sha256 `
     $exe.FullName

127-136: 🛠️ Refactor suggestion

Remove the decoded JKS after conversion
Right now mykeystore.jks persists after creating cert.pfx. Delete it to prevent leaking the raw keystore:

  certutil -decode encoded.b64 mykeystore.jks
  Remove-Item encoded.b64
+ Remove-Item mykeystore.jks
  & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
    -srckeystore mykeystore.jks `
    -srcstorepass $env:JKS_PASS `
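
Review bot: the added Remove-Item mykeystore.jks sits above the keytool -importkeystore call that reads the same file as -srckeystore, so the conversion would fail with the keystore already gone. Move the deletion to after the keytool call, ideally in a finally block.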
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

54-61: Clean up macOS signing artifacts
After importing the cert, certificate.p12 and the temporary keychains remain on the runner. Remove them to avoid leaking secrets:

  echo "$MACOS_CERTIFICATE" | base64 -d > certificate.p12
+ rm -v certificate.p12
  # Set up keychain
  security create-keychain -p espressif build.keychain
  …
+ security delete-keychain build.keychain
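
Review bot: "rm -v certificate.p12" is placed directly after the base64 decode and before the keychain is even created, so the certificate is gone before it can be imported. Place it after the import, keep "security delete-keychain build.keychain" after the last codesign call, and run both from cleanup that also executes when an earlier command fails.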

Optionally also delete notary.keychain after notarization.


153-158: Use a distinct artifact name for the signed Windows ZIP
Uploading another artifact named release-artifacts overwrites or clobbers the macOS bundle. Give the Windows ZIP a unique name:

- - name: Upload Signed Windows ZIP
+ - name: Upload Signed Windows ZIP (Windows-only)
    uses: actions/upload-artifact@v4
    with:
-     name: release-artifacts
+     name: windows-signed-artifact
      path: artifacts/Espressif-IDE-win32.win32.x86_64.zip
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 543756a and 5c69473.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


108-108: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build
  • GitHub Check: macos-build
  • GitHub Check: build_macos

Comment on lines 39 to 44
run: |
KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
echo "${KEYSTORE_FILE}"
printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"
mvn -e -X clean install -Djarsigner.keystore="${KEYSTORE_FILE}" -Djarsigner.alias="${JARSIGNER_ALIAS}" -Djarsigner.storepass="${JARSIGNER_STOREPASS}" -DskipTests=true
rm -v "${KEYSTORE_FILE}"

⚠️ Potential issue

Fix unresolved placeholder in KEYSTORE_FILE path
The line

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"

contains a literal placeholder instead of a real filename. Define a concrete keystore filename (or introduce an env var) before decoding:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 39 to 44, the
KEYSTORE_FILE path uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}}
instead of an actual filename. Replace this placeholder with a concrete filename
or an environment variable that holds the keystore filename before decoding. For
example, define KEYSTORE_FILE as a fixed filename in the current directory or
use an existing environment variable that contains the keystore filename,
ensuring the base64 decoding writes to a valid file path.
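
Added example, not part of the PR or of the review: in the step quoted above, "rm -v" is reached only when mvn succeeds (GitHub runs bash steps with -e), and the keystore is written into the checkout. The sketch below decodes the secret into a private temp directory and removes it on every exit path; the function name with_decoded_keystore and the file name keystore.jks are assumptions, and the sample secret in the usage comment is whatever the caller passes.

```shell
#!/usr/bin/env bash
# Added example (constructed): hand a base64-encoded keystore secret to one
# command as a private temp file, and delete the file on every exit path.

# with_decoded_keystore B64 CMD [ARGS...]
#   Decodes B64 to a 0600 file in a fresh 0700 directory outside the checkout,
#   runs CMD ARGS... <keystore-path>, removes the directory, returns CMD's status.
# The function body is a subshell "( ... )", so umask, variables and traps
# stay local to the call.
with_decoded_keystore() (
  b64="$1"
  shift
  umask 077
  # RUNNER_TEMP is set on GitHub-hosted runners; fall back for local runs.
  dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/keystore.XXXXXX")" || exit 1
  # Cleanup runs whether the command succeeds, fails, or the step is cancelled.
  trap 'rm -rf "$dir"' EXIT
  trap 'exit 130' HUP INT TERM
  keystore="$dir/keystore.jks"   # hypothetical file name
  # Invalid base64 stops here; the EXIT trap still removes the directory.
  printf '%s' "$b64" | base64 -d > "$keystore" || exit 1
  status=0
  "$@" "$keystore" || status=$?
  exit "$status"
)

# Usage sketch for the step quoted above (mvn call as in the PR; the keystore
# path arrives as "$1"):
#   build_signed() {
#     mvn -e -X clean install -Djarsigner.keystore="$1" \
#       -Djarsigner.alias="$JARSIGNER_ALIAS" \
#       -Djarsigner.storepass="$JARSIGNER_STOREPASS" -DskipTests=true
#   }
#   with_decoded_keystore "$JARSIGNER_KEYSTORE_B64" build_signed
```

Because the temp directory lives under RUNNER_TEMP rather than the workspace, a later artifact upload that globs the checkout cannot pick the keystore up.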

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (4)
.github/workflows/win_exe_sign_test.yml (4)

22-22: Bump actions/checkout to v4
actions/checkout@v3 is flagged as outdated by actionlint. Upgrade both checkout steps to actions/checkout@v4 to ensure you’re running the latest, supported version.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 141-141

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-26: Upgrade actions/setup-java to v4
actionlint flags actions/setup-java@v3 as too old. Please update to actions/setup-java@v4 for improved compatibility and bug fixes.

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


40-43: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
The line uses a literal {{secrets.JARSIGNER_KEYSTORE}} placeholder instead of a valid filename. This will cause base64 -d to fail. Define a concrete filename or reference a proper variable, for example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-rel-keystore.jks"

6-7: 🛠️ Refactor suggestion

Use shell-style glob for tag filters
GitHub Actions does not support regex in the tags filter. Replace the regex pattern with a shell-style glob to correctly match semantic version tags.

-on:
-  push:
-    branches: [master]
-    tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+on:
+  push:
+    branches: [master]
+    tags:
+      - 'v*.*.*'
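
Review bot: the replacement 'v*.*.*' accepts any characters between the dots, so tags such as v1.2.3-rc1 or vtest.a.b would also start this signing workflow. GitHub's filter patterns do accept [0-9] ranges and + (one or more of the preceding character), with . treated literally, so the removed line "v[0-9]+.[0-9]+.[0-9]+" was the tighter trigger; keep a numeric pattern rather than widening it.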
🧹 Nitpick comments (3)
.github/workflows/win_exe_sign_test.yml (3)

46-75: Remove trailing whitespace in codesign step
YAML lint reports trailing spaces on multiple lines within the Codesign Espressif-IDE step (e.g., lines 47, 57, 61, 65). Please clean up any trailing spaces to satisfy lint rules.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 47-47: trailing spaces

(trailing-spaces)


[error] 57-57: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 65-65: trailing spaces

(trailing-spaces)


[error] 70-70: trailing spaces

(trailing-spaces)


108-114: Fix indentation for upload-artifact step
YAML lint flagged wrong indentation at line 112 in the “Upload Espressif-IDE-macosx-cocoa-aarch64” block. Align name: and path: under with: by removing the extra space.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)


[error] 114-114: trailing spaces

(trailing-spaces)


173-180: Avoid hardcoding signtool SDK path
Hardcoding "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" can break on runners with a different SDK version. Instead rely on signtool.exe being in PATH:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & "signtool.exe" sign `
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5c69473 and 8116925.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


141-141: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 47-47: trailing spaces

(trailing-spaces)


[error] 57-57: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 65-65: trailing spaces

(trailing-spaces)


[error] 70-70: trailing spaces

(trailing-spaces)


[error] 77-77: trailing spaces

(trailing-spaces)


[error] 86-86: trailing spaces

(trailing-spaces)


[error] 90-90: trailing spaces

(trailing-spaces)


[error] 93-93: trailing spaces

(trailing-spaces)


[error] 96-96: trailing spaces

(trailing-spaces)


[error] 100-100: trailing spaces

(trailing-spaces)


[error] 107-107: trailing spaces

(trailing-spaces)


[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)


[error] 114-114: trailing spaces

(trailing-spaces)


[error] 121-121: trailing spaces

(trailing-spaces)


[error] 128-128: trailing spaces

(trailing-spaces)

Comment on lines 153 to 159
- name: Decode JKS and convert to PFX
env:
JKS_B64: ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
JKS_PASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
ALIAS: ${{ secrets.JARSIGNER_REL_ALIAS }}
PFX_PASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
run: |

🛠️ Refactor suggestion

Install and configure Java on Windows runner
You invoke keytool.exe via $env:JAVA_HOME, but no JDK is installed or JAVA_HOME set on the Windows runner. Add a setup step before this block:

- name: Set up Java
  uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '11'
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 153 to 159, the workflow
uses keytool.exe via $env:JAVA_HOME but does not install Java or set JAVA_HOME
on the Windows runner. To fix this, add a step before this block that uses
actions/setup-java@v4 to install Java 11 from the Temurin distribution and set
JAVA_HOME properly.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (7)
.github/workflows/win_exe_sign_test.yml (7)

22-22: Update checkout action to latest version
actions/checkout@v3 is flagged as outdated by actionlint. Bump to the latest major version to get bug fixes and performance improvements.

-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: Bump setup-java action to v4
Similarly, actions/setup-java@v3 is outdated. Please upgrade to actions/setup-java@v4 for improved stability and support.

-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


153-159: Ensure JDK is installed on Windows runner
The Windows job invokes keytool.exe via $env:JAVA_HOME but never installs Java or sets JAVA_HOME. Add a setup step before conversion:

   windows-sign:
     runs-on: windows-latest
+    steps:
+    - name: Set up Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '11'

160-163: Remove temporary JKS file after conversion
After decoding and converting mykeystore.jks to cert.pfx, the original JKS file remains on the runner, risking secret exposure. Add:

   certutil -decode encoded.b64 mykeystore.jks
+  Remove-Item mykeystore.jks

171-180: Avoid hardcoded signtool path & declare shell
The signing step hardcodes the Windows SDK path and doesn’t specify the pwsh shell. Prefer calling signtool.exe directly from the PATH and set the shell explicitly:

-      - name: Sign Windows Executable
-        run: |
+      - name: Sign Windows Executable
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1
-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & signtool sign `
             /f cert.pfx `
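
Review bot: the unchanged "Select-Object -First 1" line means only the first .exe found under extracted is signed; any other executable in the package ships unsigned, and which one is picked depends on enumeration order. Loop over every match or name the intended file explicitly, and follow the sign call with "signtool verify /pa" on each file so the step fails when a signature is missing.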

40-44: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
The placeholder {{secrets.JARSIGNER_KEYSTORE}} is not evaluated and leads to an invalid path. Use a fixed filename or environment variable, for example:

-          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

Ensure this name is used consistently when importing and removing the file.


6-7: ⚠️ Potential issue

Tag filter uses unsupported regex syntax
GitHub Actions tag filters expect shell-style globs, not regular expressions. The pattern "v[0-9]+.[0-9]+.[0-9]+" will not match version tags as intended.
Apply this diff:

 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+      - 'v*.*.*'
🧹 Nitpick comments (1)
.github/workflows/win_exe_sign_test.yml (1)

46-135: Remove trailing whitespace
YAMLlint has flagged trailing spaces on many lines (e.g., 47, 57, 61, etc.). Please trim all trailing whitespace to avoid lint errors.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8116925 and f10e08f.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

Comment on lines 182 to 191
- name: Repack signed Windows ZIP
run: |
Compress-Archive -Path extracted\* -DestinationPath artifacts/Espressif-IDE-win32.win32.x86_64.zip -Force

- name: Upload Signed Windows ZIP
uses: actions/upload-artifact@v4
with:
name: release-artifacts
path: artifacts/Espressif-IDE-win32.win32.x86_64.zip


⚠️ Potential issue

Consistent artifact naming for Windows ZIP upload
The step repacks and uploads the signed Windows ZIP under release-artifacts, which conflicts with the original upload naming. Unify artifact names across jobs. For instance, to continue using espressif-ide-win32:

-      - name: Upload Signed Windows ZIP
-        uses: actions/upload-artifact@v4
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
         with:
-          name: release-artifacts
+          name: espressif-ide-win32
           path: artifacts/Espressif-IDE-win32.win32.x86_64.zip
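
Review bot: renaming the upload to espressif-ide-win32 gives the signed ZIP the same artifact name as the unsigned ZIP from the build job within one run. With actions/upload-artifact@v4 a second upload under an existing name fails unless "overwrite: true" is set, and a shared name makes it easy for a later job to publish the unsigned archive; a distinct name for the signed output, such as the windows-signed-artifact proposed in the earlier review round, avoids both. The "- name:" and "uses:" lines are removed and re-added unchanged and can be dropped from the suggestion.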
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Repack signed Windows ZIP
run: |
Compress-Archive -Path extracted\* -DestinationPath artifacts/Espressif-IDE-win32.win32.x86_64.zip -Force
- name: Upload Signed Windows ZIP
uses: actions/upload-artifact@v4
with:
name: release-artifacts
path: artifacts/Espressif-IDE-win32.win32.x86_64.zip
- name: Repack signed Windows ZIP
run: |
Compress-Archive -Path extracted\* -DestinationPath artifacts/Espressif-IDE-win32.win32.x86_64.zip -Force
- name: Upload Signed Windows ZIP
uses: actions/upload-artifact@v4
with:
name: espressif-ide-win32
path: artifacts/Espressif-IDE-win32.win32.x86_64.zip
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 182 to 191, the artifact
name used for uploading the signed Windows ZIP is set to "release-artifacts,"
which is inconsistent with the original artifact naming convention. To fix this,
change the artifact name in the upload step to match the original naming, such
as "espressif-ide-win32," ensuring consistent artifact names across all jobs.

Comment on lines 143 to 148
- name: Download built artifacts
uses: actions/download-artifact@v4
with:
name: release-artifacts
path: artifacts


⚠️ Potential issue

Download artifact name mismatch
The windows-sign job downloads an artifact named release-artifacts, but the macOS build uploads the Windows ZIP under espressif-ide-win32. This will cause the download step to fail.
Choose one of the following fixes:

  1. Change the upload name in macos-build to release-artifacts.
  2. Update this download step to:
-      - uses: actions/download-artifact@v4
-        with:
-          name: release-artifacts
+      - uses: actions/download-artifact@v4
+        with:
+          name: espressif-ide-win32
           path: artifacts
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Download built artifacts
uses: actions/download-artifact@v4
with:
name: release-artifacts
path: artifacts
- name: Download built artifacts
uses: actions/download-artifact@v4
with:
name: espressif-ide-win32
path: artifacts
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 143 to 148, the download
step uses the artifact name 'release-artifacts', but the macOS build uploads the
Windows ZIP artifact under the name 'espressif-ide-win32'. To fix this, either
change the upload artifact name in the macOS build job to 'release-artifacts' to
match this download step, or update the download step here to use the artifact
name 'espressif-ide-win32' so it correctly downloads the uploaded artifact.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (7)
.github/workflows/win_exe_sign_test.yml (7)

22-22: Bump actions/checkout to v4
The actions/checkout action is on v3, which is outdated. Update both occurrences to v4:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 141-141

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: Bump actions/setup-java to v4
The actions/setup-java action uses v3, but v4 is available with improvements:

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


40-44: ⚠️ Potential issue

Fix unresolved placeholder in keystore path
The KEYSTORE_FILE variable uses a literal {{secrets.JARSIGNER_KEYSTORE}} placeholder, which is invalid. Define a concrete filename or use an env var, e.g.:

-          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

This ensures the base64 decoding writes to a valid path.


160-169: ⚠️ Potential issue

Remove JKS file after converting to PFX
The script decodes mykeystore.jks but never deletes it, risking secret leakage. After the keytool.exe command, add:

       -deststorepass $env:PFX_PASS
+  Remove-Item mykeystore.jks

to clean up the JKS file.


186-191: ⚠️ Potential issue

Use consistent artifact naming
The windows-sign job uploads the signed ZIP under release-artifacts, but the macos-build job names it espressif-ide-win32. Align them:

-      - name: Upload Signed Windows ZIP
-        uses: actions/upload-artifact@v4
-        with:
-          name: release-artifacts
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-win32
           path: artifacts/Espressif-IDE-win32.win32.x86_64.zip

171-180: ⚠️ Potential issue

Specify PowerShell shell & avoid hardcoded signtool.exe path
The signing step uses PowerShell syntax without shell: pwsh, and hardcodes a Windows SDK path. Update:

-      - name: Sign Windows Executable
-        run: |
+      - name: Sign Windows Executable
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1
-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & signtool sign `
             /f cert.pfx `

This ensures the runner locates signtool.exe from PATH or installed Windows SDK.


153-159: ⚠️ Potential issue

Install Java on Windows runner
The Windows job invokes keytool.exe via $env:JAVA_HOME but never sets up a JDK. Add before converting the keystore:

+    - name: Set up Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '11'

This ensures JAVA_HOME is defined.

🧹 Nitpick comments (1)
.github/workflows/win_exe_sign_test.yml (1)

47-128: Remove trailing whitespace
Multiple lines contain trailing spaces, causing YAML lint errors. Please remove any trailing spaces across the file to satisfy linter rules.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between f10e08f and 47bcd01.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

Comment on lines 143 to 151
- name: Download built artifacts
uses: actions/download-artifact@v4
with:
name: espressif-ide-win32
path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip

- name: Extract Windows ZIP
run: |
Expand-Archive -Path (Get-ChildItem -Path artifacts -Filter "*win32.win32.x86_64.zip").FullName -DestinationPath extracted

⚠️ Potential issue

Align download path with Expand-Archive usage
The download step writes artifacts to releng/..., but the extract step looks in artifacts. Either change the download path to artifacts:

-      - name: Download built artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: espressif-ide-win32
-          path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip
+      - name: Download built artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: espressif-ide-win32
+          path: artifacts

or update Expand-Archive to use the releng/... path.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 143 to 151, the download
step saves artifacts to the releng/com.espressif.idf.product/target/products
directory, but the extract step looks for ZIP files in the artifacts directory,
causing a path mismatch. Fix this by either changing the download path to
artifacts to match the extract step or update the Expand-Archive command to use
the releng/com.espressif.idf.product/target/products path where the ZIP files
are actually downloaded.

if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-macosx.cocoa.aarch64

⚠️ Potential issue

Fix indentation for with block
Line 112 is over-indented, causing a YAML lint warning. Adjust to match the other artifact upload steps:

-           name: espressif-ide.cocoa.aarch64
+         name: espressif-ide.cocoa.aarch64
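
Review bot: both lines of this suggestion use "espressif-ide.cocoa.aarch64", while the workflow line under review reads "name: espressif-ide-macosx.cocoa.aarch64". Applied as written it would rename the artifact as well as re-indent it, breaking any job that downloads it by name; keep the existing name and change only the leading spaces.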

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 112, the indentation of the
line "name: espressif-ide-macosx.cocoa.aarch64" is too deep, causing a YAML lint
warning. Adjust the indentation to align with the other artifact upload steps by
reducing the leading spaces so it matches the expected YAML structure.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (5)
.github/workflows/win_exe_sign_test.yml (5)

40-42: ⚠️ Potential issue

Fix unresolved placeholder in keystore filename
The KEYSTORE_FILE path uses a literal {{secrets.JARSIGNER_KEYSTORE}} placeholder instead of a real filename. Define a concrete .jks filename or reference a proper secret. For example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

22-22: 🛠️ Refactor suggestion

Update checkout action to latest major version
actionlint flags actions/checkout@v3 as too old. Bump to actions/checkout@v4 for improved performance and bug fixes.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


187-191: ⚠️ Potential issue

Unify artifact upload name for Windows ZIP
The signed Windows ZIP is uploaded under release-artifacts, but the original upload used espressif-ide-win32. Use a consistent name to avoid confusion:

-      - name: Upload Signed Windows ZIP
-        uses: actions/upload-artifact@v4
-        with:
-          name: release-artifacts
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-win32
           path: artifacts/Espressif-IDE-win32.win32.x86_64.zip

171-179: 🛠️ Refactor suggestion

Avoid hardcoded Windows SDK path & specify shell
Hardcoding the SDK path can break on runner updates. Use signtool.exe from PATH and declare PowerShell shell:

-      - name: Sign Windows Executable
-        run: |
+      - name: Sign Windows Executable
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1
-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & signtool.exe sign `

137-141: ⚠️ Potential issue

Ensure Java is installed on Windows runner
The Windows job calls keytool.exe but doesn’t install a JDK. Add a Java setup step after checkout:

-    steps:
-      - uses: actions/checkout@v3
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
🧰 Tools
🪛 actionlint (1.7.7)

141-141: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🧹 Nitpick comments (4)
.github/workflows/win_exe_sign_test.yml (4)

47-128: Remove trailing whitespace
Multiple lines contain trailing spaces flagged by YAMLlint. Clean up trailing whitespace to satisfy lint rules, e.g.:

sed -i 's/[[:space:]]\+$//' .github/workflows/win_exe_sign_test.yml

112-112: Fix indentation for upload artifact name
The name line is over-indented, causing a YAML warning. Align it with other steps:

-           name: espressif-ide-macosx.cocoa.aarch64
+         name: espressif-ide-macosx.cocoa.aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)


161-162: Remove intermediate JKS file after conversion
After converting encoded.b64 to mykeystore.jks, the JKS remains on disk. Delete it post-import to avoid leaking secrets:

   certutil -decode encoded.b64 mykeystore.jks
   Remove-Item encoded.b64
+  Remove-Item mykeystore.jks -Force
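Review bot: The added `Remove-Item mykeystore.jks -Force` sits directly after the decode, and the keytool conversion that reads `mykeystore.jks` is not part of this hunk. If the conversion runs after these lines, the keystore is already gone, so place the removal after the conversion step instead. The PFX produced by that conversion holds the same private key and needs the same cleanup once signing finishes, preferably in a step marked `if: always()` so it also runs when signing fails.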

192-237: Remove or complete commented-out deploy job
A large block of commented-out deploy steps clutters the workflow. Remove it or provide a working implementation before merging.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 47bcd01 and 70b422f.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


141-141: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (4)
.github/workflows/win_exe_sign_test.yml (4)

25-29: 🛠️ Refactor suggestion

Upgrade actions/setup-java to v4
actionlint flags actions/setup-java@v3 as outdated. Switch to actions/setup-java@v4:

-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


175-183: 🛠️ Refactor suggestion

Specify PowerShell and avoid hardcoded SDK path
The signing step uses PowerShell syntax but doesn't declare shell: pwsh and hardcodes a Windows SDK version, which may vary. Update to use signtool.exe from PATH and specify the shell:

-      - name: Sign Windows Executable
-        run: |
+      - name: Sign Windows Executable
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1
-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & "signtool.exe" sign `
             /f cert.pfx `
             /p $env:PFX_PASS `
             /tr http://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `
             $exe.FullName
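Review bot: `Select-Object -First 1` signs only the first .exe that the recursive search returns, so any other executable in the ZIP ships unsigned and the file that does get signed depends on enumeration order. Select the launcher by name or sign every match, and follow the call with `signtool verify /pa` on each signed file before the ZIP is repacked. Before dropping the absolute path, confirm that `signtool.exe` actually resolves on the runner (for example with `Get-Command signtool`), since the step otherwise fails at this line.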

112-112: 🛠️ Refactor suggestion

Fix indentation in artifact upload step
Line 112 is over-indented, causing a YAML lint warning. Align with other upload-artifact steps:

-           name: espressif-ide-macosx.cocoa.aarch64
+         name: espressif-ide-macosx.cocoa.aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)


40-43: 🛠️ Refactor suggestion

Fix keystore filename placeholder
The KEYSTORE_FILE path uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}}, which isn't a valid filename. Define an actual filename or env var. For example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
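Review bot: The replacement path `${PWD}/jarsigner-keystore.jks` places the decoded keystore in the workspace, next to the files that later steps package and upload. Writing it under `$RUNNER_TEMP` and deleting it once signing is done keeps the key material out of reach of any artifact path or glob.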
🧹 Nitpick comments (4)
.github/workflows/win_exe_sign_test.yml (4)

47-47: Remove trailing whitespace
YAMLlint reports trailing spaces on multiple lines. Please remove trailing spaces at the flagged lines to pass lint checks.

Also applies to: 57-57, 61-61, 65-65, 70-70, 77-77, 86-86, 90-90, 93-93, 96-96, 100-100, 107-107, 114-114, 121-121, 128-128

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 47-47: trailing spaces

(trailing-spaces)


161-163: Clean up JKS file after conversion
After converting mykeystore.jks to cert.pfx, the legacy JKS file remains on the runner. Remove it to avoid leaking secrets:

- certutil -decode encoded.b64 mykeystore.jks
- Remove-Item encoded.b64
+ certutil -decode encoded.b64 mykeystore.jks
+ Remove-Item encoded.b64
+ Remove-Item mykeystore.jks

191-193: Unify upload artifact naming
The final upload-artifact step names the artifact release-artifacts, which is inconsistent with previous steps. Consider reusing espressif-ide-win32 for clarity:

-          name: release-artifacts
+          name: espressif-ide-win32

195-236: Remove or enable commented-out deploy job
The deploy job is fully commented out, which adds noise. If it's WIP, consider extracting it to a separate file or enabling it when ready. Otherwise, remove the block to keep the workflow focused.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 70b422f and cdfaf07.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


141-141: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: macos-build
  • GitHub Check: build_macos

Comment on lines 22 to 23
- uses: actions/checkout@v3

🛠️ Refactor suggestion

Bump actions/checkout to latest version
actions/checkout@v3 is outdated per actionlint. Upgrade to actions/checkout@v4:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 141-142

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 22-23 and also lines
141-142, the usage of actions/checkout is outdated at version v3. Update the
version from actions/checkout@v3 to actions/checkout@v4 to comply with the
latest recommended version by actionlint.

Comment on lines 137 to 142
windows-sign:
runs-on: windows-latest
needs: macos-build
steps:
- uses: actions/checkout@v3

🛠️ Refactor suggestion

Install Java on Windows runner
The windows-sign job invokes keytool.exe but doesn't install Java or set JAVA_HOME. Add a setup step:

- name: Set up Java
  uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '11'
🧰 Tools
🪛 actionlint (1.7.7)

141-141: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 137 to 142, the
windows-sign job uses keytool.exe but does not install Java or set JAVA_HOME.
Add a step before running keytool.exe to install Java by using the
actions/setup-java@v4 action with distribution set to 'temurin' and java-version
set to '11' to ensure Java is available on the Windows runner.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (8)
.github/workflows/win_exe_sign_test.yml (8)

6-7: Use shell-style glob for tag filters
GitHub Actions uses shell-style glob patterns for tag filters, not regex. The current pattern "v[0-9]+.[0-9]+.[0-9]+" will not match as intended. Update to:

 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+      - 'v*.*.*'
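Review bot: `'v*.*.*'` matches far more than the pattern it replaces: `*` accepts any run of characters, so tags such as `v1.2.3-rc1` or `vtest.a.b` would start the signing and release workflow. GitHub's filter patterns accept `[0-9]` ranges and `+`, so the existing `v[0-9]+.[0-9]+.[0-9]+` can stay if the intent is to release only on plain version tags.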

22-23: Bump actions/checkout to v4
actions/checkout@v3 is flagged by actionlint as outdated. Upgrade both occurrences to actions/checkout@v4 in the macos-build (line 22) and windows-sign (line 146) jobs:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 146-147

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-28: Upgrade actions/setup-java to v4
Similarly, bump actions/setup-java@v3 to actions/setup-java@v4 for the macOS job:

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


40-45: ⚠️ Potential issue

Resolve placeholder in KEYSTORE_FILE path
The keystore is currently written to "${PWD}/{{secrets.JARSIGNER_KEYSTORE}}", which is a literal placeholder. Replace it with a concrete filename (or valid env var):

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

Ensure this matches how you reference the file in subsequent steps.


112-114: 🛠️ Refactor suggestion

Fix indentation and normalize macOS aarch64 artifact name
The upload-artifact step for aarch64 is mis-indented (11 spaces) and uses dots instead of dashes in the name. Adjust to:

-           name: espressif-ide-macosx.cocoa.aarch64
+         name: espressif-ide-macosx-cocoa-aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)


[error] 114-114: trailing spaces

(trailing-spaces)


154-162: 🛠️ Refactor suggestion

Install Java on Windows runner before keytool
The windows-sign job invokes keytool.exe but never installs Java or sets JAVA_HOME. Add before decoding the JKS:

- name: Set up Java
  uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '11'

This is required for keytool.exe to be available.


174-183: ⚠️ Potential issue

Avoid hardcoded Windows SDK path for signtool.exe
Referencing a fixed SDK path (10.0.17763.0) will break if the runner’s SDK changes. Instead invoke signtool from PATH:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & signtool sign `

Or implement logic to dynamically locate the installed SDK.


189-194: 🛠️ Refactor suggestion

Unify artifact naming for signed Windows ZIP
The macOS job uploads the Windows ZIP as espressif-ide-win32, but the Windows-sign job re-uploads it under release-artifacts. This mismatch can break downstream jobs. Rename the upload to match:

-          name: release-artifacts
+          name: espressif-ide-win32

Alternatively, choose a clear distinct name like espressif-ide-win32-signed.

🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

46-75: Strip trailing whitespace in codesign blocks
YAML lint reports trailing spaces on multiple lines within the Codesign Espressif-IDE step (e.g., lines 47, 57, 61, 65, 70, 77). Please remove all trailing spaces or run a formatting tool over lines 46–75.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 47-47: trailing spaces

(trailing-spaces)


[error] 57-57: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 65-65: trailing spaces

(trailing-spaces)


[error] 70-70: trailing spaces

(trailing-spaces)


155-183: Specify shell: pwsh for PowerShell steps
Several Windows steps (Extract Windows ZIP, Decode JKS and convert to PFX, Sign Windows Executable) use PowerShell syntax but lack an explicit shell declaration. For clarity and consistency, add shell: pwsh to each:

- name: Sign Windows Executable
  shell: pwsh
  run: |
    # ...
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between cdfaf07 and baeea69.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


146-146: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (5)
.github/workflows/win_exe_sign_test.yml (5)

22-23: Update actions/checkout to the latest major version
Actionlint flagged actions/checkout@v3 as outdated. Please bump to actions/checkout@v4 to receive the latest fixes and performance improvements.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-28: Bump actions/setup-java to v4
You’re currently pinning actions/setup-java@v3, which is outdated. Upgrade to actions/setup-java@v4.

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


40-40: ⚠️ Potential issue

Fix unresolved placeholder in keystore filename
The line uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}} instead of a concrete filename. Define an explicit filename for the keystore (or use an environment variable) before decoding:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

165-173: ⚠️ Potential issue

Install Java on the Windows runner before keytool usage
You reference ${env:JAVA_HOME}\bin\keytool.exe but haven’t installed or configured Java on the Windows runner. Insert a setup step before conversion:

-      - name: Decode base64-encoded JKS
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
+      - name: Decode base64-encoded JKS

This ensures JAVA_HOME is available for keytool.exe.


176-185: 🛠️ Refactor suggestion

Avoid hardcoded signtool path
Hardcoding C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe may break on different runners. Instead, assume signtool.exe is in PATH or discover it dynamically:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & signtool sign `

Or use Get-Command signtool | Select-Object -ExpandProperty Source for dynamic resolution.

🧹 Nitpick comments (4)
.github/workflows/win_exe_sign_test.yml (4)

11-14: Remove or utilize the unused ARCHIVE_SUFFIX variable
ARCHIVE_SUFFIX is defined as -SNAPSHOT.zip but isn’t referenced in any active steps. Either remove it to reduce confusion or integrate it into artifact upload/download paths.


47-128: Remove trailing spaces
Multiple lines contain trailing whitespace, triggering YAML lint errors. Please remove these trailing spaces to ensure a clean workflow file.

158-163: Use Set-Content -NoNewline to avoid extra newline in base64 decoding
PowerShell’s Out-File appends a newline, which can corrupt the JKS. Instead, use:

- echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
+ echo "$env:JKS_B64" | Set-Content -NoNewline encoded.b64 -Encoding ASCII

191-196: Consider aligning artifact names with defined environment variables
You upload the final Windows ZIP as release-artifacts, but you’ve defined ARCHIVE_PREFIX and ARCHIVE_SUFFIX at the top. Consider using these to standardize naming across platforms:

- name: release-artifacts
+ name: ${{ env.ARCHIVE_PREFIX }}${{ needs.macos-build.outputs.version }}${{ env.ARCHIVE_SUFFIX }}

This improves consistency and avoids hardcoded strings.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between baeea69 and ff20f32.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


25-25: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


146-146: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build
  • GitHub Check: macos-build
🔇 Additional comments (1)
.github/workflows/win_exe_sign_test.yml (1)

197-242: Skip reviewing commented-out deploy job
These lines are part of an inactive (commented) deploy job. No review comments needed until the job is enabled.

push:
branches: [master]
tags:
- "v[0-9]+.[0-9]+.[0-9]+"

⚠️ Potential issue

Replace regex tag filter with glob pattern
GitHub Actions tag filters do not support regex syntax. Update the pattern from:

- tags:
-   - "v[0-9]+.[0-9]+.[0-9]+"

to a shell-style glob, for example:

+ tags:
+   - 'v*.*.*'

This ensures your workflow triggers correctly on version tags.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 7, the tag filter uses a
regex pattern which is unsupported by GitHub Actions. Replace the regex
"v[0-9]+.[0-9]+.[0-9]+" with a glob pattern like 'v*.*.*' to correctly match
version tags and ensure the workflow triggers as expected.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (8)
.github/workflows/win_exe_sign_test.yml (8)

21-22: Upgrade actions/checkout to v4.
Actionlint flags actions/checkout@v3 as outdated. Bump to the latest major version:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 145-146

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-28: Upgrade actions/setup-java to v4.
Actionlint indicates actions/setup-java@v3 is too old. Update to:

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


165-174: Delete JKS after converting to PFX.
You remove encoded.b64 but retain mykeystore.jks. To prevent leaking secrets, remove the JKS file:

   & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
   -srckeystore mykeystore.jks `
   ...
   -deststorepass $env:PFX_PASS
+  Remove-Item mykeystore.jks

193-197: Consistent artifact naming for Windows ZIP.
The job downloads espressif-ide-win32 but uploads the signed ZIP as release-artifacts. This mismatch will break the deploy pipeline. Align names:

- name: Upload Signed Windows ZIP
- uses: actions/upload-artifact@v4
- with:
-  name: release-artifacts
+ name: Upload Signed Windows ZIP
+ uses: actions/upload-artifact@v4
+ with:
+  name: espressif-ide-win32

6-7: ⚠️ Potential issue

Workflow tag filter uses unsupported regex.
GitHub Actions tag filters don’t support regex; use a shell-style glob to trigger on version tags.
For example:

-  tags:
-    - "v[0-9]+.[0-9]+.[0-9]+"
+  tags:
+    - 'v*.*.*'

145-151: ⚠️ Potential issue

Install Java on the Windows runner before using keytool.
The Windows signing job invokes keytool.exe but doesn’t install Java or set JAVA_HOME. Add a setup step after checkout:

-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v4
+    - name: Set up Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '11'
🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


39-43: ⚠️ Potential issue

Fix unresolved keystore filename placeholder.
KEYSTORE_FILE is currently set to a literal {{secrets.JARSIGNER_KEYSTORE}}, causing the base64 decode to write to an invalid path. Define a concrete filename or use an env var, e.g.:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-rel-keystore.jks"

180-186: 🛠️ Refactor suggestion

Avoid hardcoded signtool path.
Rely on signtool.exe in PATH or dynamically locate it instead of using a fixed SDK version path:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & "signtool.exe" sign `
🧹 Nitpick comments (1)
.github/workflows/win_exe_sign_test.yml (1)

46-46: Remove trailing spaces and fix indentation.
YAMLlint flagged multiple trailing spaces and an indentation mismatch at line 111. Please clean up trailing whitespace and adjust the with block indentation to match surrounding steps.

Also applies to: 56-56, 60-60, 64-64, 69-69, 76-76, 85-85, 89-89, 92-92, 95-95, 99-99, 106-106, 113-113, 120-120, 127-127

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff20f32 and e1ae050.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 46-46: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)


[error] 60-60: trailing spaces

(trailing-spaces)


[error] 64-64: trailing spaces

(trailing-spaces)


[error] 69-69: trailing spaces

(trailing-spaces)


[error] 76-76: trailing spaces

(trailing-spaces)


[error] 85-85: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 106-106: trailing spaces

(trailing-spaces)


[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


[error] 113-113: trailing spaces

(trailing-spaces)


[error] 120-120: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (7)
.github/workflows/win_exe_sign_test.yml (7)

6-7: 🛠️ Refactor suggestion

Use a valid glob pattern for tag filter
GitHub Actions doesn’t support regex in tag filters. Change

tags:
  - "v[0-9]+.[0-9]+.[0-9]+"

to a glob-style pattern, for example:

tags:
  - 'v*.*.*'

21-22: 🛠️ Refactor suggestion

Bump actions/checkout to latest major version
actionlint flags actions/checkout@v3 as outdated. Upgrade to actions/checkout@v4 to pull in the latest bug fixes and performance improvements.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


23-27: 🛠️ Refactor suggestion

Upgrade actions/setup-java to v4
Similarly, bump actions/setup-java@v3 to actions/setup-java@v4 per actionlint to ensure compatibility with the latest runners.

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


39-43: 🛠️ Refactor suggestion

Fix unresolved keystore filename placeholder
The KEYSTORE_FILE path uses {{secrets.JARSIGNER_KEYSTORE}}, which won’t resolve to a valid filename. Define a concrete filename or environment variable, e.g.:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

Ensure the base64 decode writes to a real .jks file and that it’s removed after use.


145-146: 🛠️ Refactor suggestion

Bump actions/checkout in Windows job
Just like in the macOS job, update:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

to avoid running an outdated checkout action on Windows.

🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


182-192: 🛠️ Refactor suggestion

Avoid hardcoded signtool.exe path & use HTTPS timestamp
Hardcoding the Windows SDK path risks breakage on SDK upgrades, and the timestamp URL should use HTTPS. Replace with:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
-   /f cert.pfx `
-   /p $env:PFX_PASS `
-   /tr http://timestamp.digicert.com `
+ & signtool sign `
+   /f cert.pfx `
+   /p $env:PFX_PASS `
+   /tr https://timestamp.digicert.com `
    /td sha256 `
    /fd sha256 `
    $exe.FullName
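
Review bot: the `+ & signtool sign` line assumes signtool resolves on PATH, and nothing in the visible lines adds the Windows SDK bin directory; resolve the executable at run time from under `Windows Kits\10\bin` and fail with a clear error when none is found. On the unchanged lines, `/p $env:PFX_PASS` puts the PFX password on the process command line and `cert.pfx` is read from the working directory, so it needs a removal step after signing. Confirm that the endpoint serves HTTPS before changing the `/tr` scheme; an RFC 3161 response is signed by the timestamp authority, so the token's integrity does not depend on the transport.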

106-113: 🛠️ Refactor suggestion

Correct artifact name and indentation for aarch64 DMG
The artifact name and indentation are inconsistent with the x86_64 step and use a dot instead of hyphens. Update to:

-           name: espressif-ide-macosx.cocoa.aarch64
+         name: espressif-ide-macosx-cocoa-aarch64

This ensures consistent naming and passes YAML lint.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 106-106: trailing spaces

(trailing-spaces)


[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


[error] 113-113: trailing spaces

(trailing-spaces)

🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

1-252: Remove trailing whitespace across the workflow
YAMLlint reports multiple trailing-space errors throughout the file. It’s best to trim all trailing spaces to prevent lint failures. You can run:

sed -i.bak -e 's/[[:space:]]*$//' .github/workflows/win_exe_sign_test.yml && rm .github/workflows/win_exe_sign_test.yml.bak
🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)


[error] 60-60: trailing spaces

(trailing-spaces)


[error] 64-64: trailing spaces

(trailing-spaces)


[error] 69-69: trailing spaces

(trailing-spaces)


[error] 76-76: trailing spaces

(trailing-spaces)


[error] 85-85: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 106-106: trailing spaces

(trailing-spaces)


[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


[error] 113-113: trailing spaces

(trailing-spaces)


[error] 120-120: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


213-252: Clean up or remove commented-out deploy job
The entire deploy job is commented out. If this is temporary, consider adding a TODO explaining when it should be enabled, or remove it to reduce noise.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f1aead4 and c7a227e.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: macos-build
  • GitHub Check: build_macos
  • GitHub Check: build

Comment on lines 147 to 151
- name: Download built artifacts
  uses: actions/download-artifact@v4
  with:
    name: espressif-ide-win32
    path: artifacts

⚠️ Potential issue

Fix upload path mismatch for the signed ZIP
You download into artifacts and expand into extracted, but then upload from artifacts/extracted/*, which doesn’t exist. Either change the upload path to extracted/* or expand into artifacts/extracted. For example:

- path: artifacts/extracted/*
+ path: extracted/*

Also applies to: 205-210

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 147 to 151 and also
lines 205 to 210, the download path is set to 'artifacts' but the upload step
tries to upload from 'artifacts/extracted/*', which does not exist. To fix this,
either change the extraction path to 'artifacts/extracted' so the upload path is
correct, or adjust the upload path to 'extracted/*' if extraction remains
outside 'artifacts'. Ensure the download, extraction, and upload paths are
consistent to avoid path mismatches.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (8)
.github/workflows/win_exe_sign_test.yml (8)

21-21: ⚠️ Potential issue

Bump actions/checkout to latest version
actionlint flags actions/checkout@v3 as outdated. Upgrade to actions/checkout@v4 to ensure compatibility and receive the latest fixes.

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: ⚠️ Potential issue

Upgrade actions/setup-java to v4
actionlint reports that actions/setup-java@v3 is too old. Use v4 for better support and bug fixes:

-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


165-170: ⚠️ Potential issue

Specify PowerShell shell for JKS decode step
On Windows runners the default shell is cmd.exe, so $env:JKS_B64 won’t expand. Add shell: pwsh to this step:

-      - name: Decode base64-encoded JKS
-        run: |
+      - name: Decode base64-encoded JKS
+        shell: pwsh
+        run: |
           echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
           certutil -decode encoded.b64 mykeystore.jks
           Remove-Item encoded.b64

39-42: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
The line uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}}, which won’t resolve. Define a concrete filename before decoding. For example:

-          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
           echo "${KEYSTORE_FILE}"
           printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"

This ensures the keystore file is written correctly and can be cleaned up.


182-192: 🛠️ Refactor suggestion

Avoid hardcoded signtool path & use HTTPS timestamp
Hardcoding the Windows SDK path can break on version upgrades. Instead call signtool.exe from PATH and secure the timestamp URL:

-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
-            /f cert.pfx `
-            /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
-            /td sha256 `
-            /fd sha256 `
-            $exe.FullName
+          & signtool sign `
+            /f cert.pfx `
+            /p $env:PFX_PASS `
+            /tr https://timestamp.digicert.com `
+            /td sha256 `
+            /fd sha256 `
+            $exe.FullName

This makes your workflow more robust and secure.


6-7: ⚠️ Potential issue

Replace unsupported regex tag filter with glob pattern
GitHub Actions doesn’t support regex in the tags filter. This will prevent your workflow from triggering on version tags.
Apply this diff:

-on:
-  push:
-    branches: [master]
-    tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+on:
+  push:
+    branches: [master]
+    tags:
+      - 'v*.*.*'
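
Review bot: the `'v*.*.*'` pattern on the last `+` line is much looser than the one it replaces: it matches any tag that starts with `v` and contains two dots, such as `v1.2.3-rc1` or `vtest.a.b`, so the signing workflow would run for tags that are not releases. GitHub's filter syntax accepts character ranges and `+`, so a pattern such as `'v[0-9]+.[0-9]+.[0-9]+'` can stay if strict version tags are the intent.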

111-112: ⚠️ Potential issue

Correct DMG artifact name and indentation
The artifact name uses a dot and improper indentation, leading to inconsistent naming and potential upload failures. Change to hyphens and align indent with other steps:

-      - name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg
-        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
-        with:
-           name: espressif-ide-macosx.cocoa.aarch64
-           path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+      - name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-macosx-cocoa-aarch64
+          path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


207-210: ⚠️ Potential issue

Fix upload path mismatch for signed ZIP
You extract the archive into extracted, yet the upload step points to artifacts/extracted. This will fail to find any files. Update the path or extraction target for consistency. For example:

-      - name: Upload Signed Windows ZIP
-        uses: actions/upload-artifact@v4
-        with:
-          name: Espressif-IDE-win32-Signed
-          path: artifacts/extracted/
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
+        with:
+          name: Espressif-IDE-win32-Signed
+          path: extracted/
           overwrite: true
           if-no-files-found: error
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c7a227e and eb83701.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build
🔇 Additional comments (1)
.github/workflows/win_exe_sign_test.yml (1)

46-46: Remove trailing spaces
YAMLlint reports trailing spaces on these lines. Removing them will eliminate lint errors and improve readability.

Also applies to: 56-56, 60-60, 64-64, 69-69, 76-76, 85-85, 89-89, 92-92, 95-95, 99-99, 106-106, 113-113, 120-120, 127-127

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)

Comment on lines 146 to 147

- name: Download built artifacts

⚠️ Potential issue

Add Java setup action to Windows job
The Windows runner invokes keytool.exe but no JDK is installed nor JAVA_HOME set. Insert before JKS decoding:

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
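
Review bot: both `uses:` lines on the `+` side reference actions by a mutable major tag (`@v4`) in a job that handles the signing keystore. Pin each to a full commit SHA, with the version in a trailing comment, so a retagged release cannot change what runs next to the secrets.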

This ensures keytool.exe is available.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 146 to 147, the Windows
job uses keytool.exe without installing a JDK or setting JAVA_HOME. Fix this by
adding a Java setup step before the JKS decoding step: update the checkout
action to v4, then add a step using actions/setup-java@v4 with distribution
'temurin' and java-version '11' to ensure keytool.exe is available.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (7)
.github/workflows/win_exe_sign_test.yml (7)

21-21: Upgrade checkout action to latest version
Per actionlint, bump actions/checkout@v3 to actions/checkout@v4 to leverage recent bug fixes and runner improvements.

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


23-24: Bump setup-java action to latest major version
The step uses actions/setup-java@v3, which is outdated. Upgrade to actions/setup-java@v4 to comply with current runner requirements.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


145-145: Upgrade checkout action in Windows job
Also bump the Windows job’s actions/checkout@v3 to actions/checkout@v4 per actionlint.

🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


165-170: Specify PowerShell shell for JKS decoding
The decode step uses PowerShell syntax but does not declare shell: pwsh. Without it, $env:JKS_B64 won’t expand under the default cmd.exe. Add shell: pwsh to this step.


194-200: Specify shell and simplify signature verification
The signature verification step uses PowerShell syntax without shell: pwsh and hardcodes the signtool path. Update to:

- name: Verify Signature
  shell: pwsh
  run: |
    $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
    & signtool verify /pa $exe.FullName

39-43: ⚠️ Potential issue

Resolve placeholder in KEYSTORE_FILE path
The line KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}" uses an unresolved template. Use a concrete filename or an environment variable, e.g.:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

185-192: 🛠️ Refactor suggestion

Use signtool from PATH and HTTPS timestamp
Avoid hardcoding the Windows SDK path and use a secure timestamp URL. For example:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & signtool sign `
  /f cert.pfx `
  /p $env:PFX_PASS `
- /tr http://timestamp.digicert.com `
+ /tr https://timestamp.digicert.com `
  /td sha256 `
  /fd sha256 `
  $exe.FullName
🧹 Nitpick comments (3)
.github/workflows/win_exe_sign_test.yml (3)

46-134: Remove trailing whitespace
Multiple lines contain trailing spaces, which cause YAML lint errors. Please remove trailing spaces throughout the steps (e.g., lines 46, 56, 60, 64, 69, 76, 85, 89, 92, 95, 99, 106, 113, 120, 127) to satisfy the linter.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)


[error] 60-60: trailing spaces

(trailing-spaces)


[error] 64-64: trailing spaces

(trailing-spaces)


[error] 69-69: trailing spaces

(trailing-spaces)


[error] 76-76: trailing spaces

(trailing-spaces)


[error] 85-85: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 106-106: trailing spaces

(trailing-spaces)


[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


[error] 113-113: trailing spaces

(trailing-spaces)


[error] 120-120: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


110-112: Fix artifact name and indentation for aarch64 DMG
The name field uses a dot and is over-indented. It should use hyphens and match other steps:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64

Adjust indentation to align with line 104.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


168-181: Clean up JKS file after conversion
After importing the JKS into a PFX, the mykeystore.jks file remains on the runner, risking secret leakage. Add a removal command immediately after conversion:

Remove-Item mykeystore.jks
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb83701 and 6b008a8.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

Comment on lines 146 to 152

- name: Download built artifacts
  uses: actions/download-artifact@v4
  with:
    name: espressif-ide-win32
    path: artifacts

⚠️ Potential issue

Install Java before using keytool
The Windows job invokes keytool.exe without installing a JDK or setting JAVA_HOME. Add a step after checkout, e.g.:

- name: Set up Java
  uses: actions/setup-java@v4
  with:
    distribution: temurin
    java-version: '11'
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 146 to 152, the workflow
uses keytool.exe without installing a JDK or setting JAVA_HOME, which will cause
failures. Add a step immediately after the checkout step to install Java by
using the actions/setup-java@v4 action with distribution set to temurin and
java-version set to '11'. This ensures keytool.exe can run properly during the
job.
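
A single-step version of the decode, convert, sign, verify and cleanup sequence discussed in the review above, as an added example that is neither the project's workflow nor CodeRabbit's suggestion. `JKS_B64` and `PFX_PASS` come from the page; `JKS_PASS`, the temp directory layout and the file names are assumptions, and the key password is assumed to equal the store password.

```powershell
# Added example, not the project's workflow. JKS_B64 and PFX_PASS are the names
# used in the review; JKS_PASS, the temp layout and file names are assumptions.
$ErrorActionPreference = 'Stop'

function Assert-LastExit([string]$What) {
    # Native tools do not throw; turn a non-zero exit code into a failure.
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

# Keep key material out of the workspace so a broad upload path cannot pick it up.
$work = Join-Path $env:RUNNER_TEMP ('sign-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$jks = Join-Path $work 'keystore.jks'
$pfx = Join-Path $work 'cert.pfx'

try {
    # Decode in memory; no intermediate encoded.b64 file is written.
    [IO.File]::WriteAllBytes($jks, [Convert]::FromBase64String($env:JKS_B64))

    # Needs an earlier actions/setup-java step so JAVA_HOME is set.
    # The ":env" modifier makes keytool read each password from the named variable.
    & (Join-Path $env:JAVA_HOME 'bin\keytool.exe') -importkeystore -noprompt `
        -srckeystore $jks -srcstoretype JKS '-srcstorepass:env' JKS_PASS `
        -destkeystore $pfx -deststoretype PKCS12 '-deststorepass:env' PFX_PASS
    Assert-LastExit 'keytool -importkeystore'

    # The JKS is no longer needed once the PFX exists.
    Remove-Item -LiteralPath $jks -Force

    # Resolve signtool from the installed SDKs instead of a fixed version directory
    # (highest directory name wins; x86 matches the path used in the workflow).
    $signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x86\signtool.exe" |
        Sort-Object FullName -Descending | Select-Object -First 1
    if (-not $signtool) { throw 'signtool.exe not found under Windows Kits\10\bin' }

    $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe |
        Select-Object -First 1
    if (-not $exe) { throw 'espressif-ide.exe not found under extracted\' }

    # Timestamp URL as in the workflow under review.
    & $signtool.FullName sign /f $pfx /p $env:PFX_PASS `
        /tr http://timestamp.digicert.com /td sha256 /fd sha256 $exe.FullName
    Assert-LastExit 'signtool sign'

    & $signtool.FullName verify /pa $exe.FullName
    Assert-LastExit 'signtool verify'
}
finally {
    # Runs on success and on failure, so neither keystore outlives the step.
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

Doing the cleanup in `finally` within one step avoids the ordering problem of deleting `mykeystore.jks` in a separate step before the conversion has read it.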

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (7)
.github/workflows/win_exe_sign_test.yml (7)

21-22: Update checkout action to latest version
actions/checkout@v3 is flagged as outdated by actionlint. Please bump both occurrences to actions/checkout@v4 for the newest fixes and performance improvements.

Also applies to: 145-146

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: Update setup-java action to latest version
actions/setup-java@v3 is flagged as outdated. Please upgrade to actions/setup-java@v4 to comply with actionlint recommendations.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


39-42: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
The line uses a literal placeholder instead of a real filename, so the base64 decode will fail. Replace with a concrete path:

-           KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+           KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

107-112: ⚠️ Potential issue

Fix indentation and artifact name for aarch64 DMG upload
The name: field is mis-indented and uses a dot instead of hyphens. It should match the x86_64 step for consistency:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64

Also ensure indentation aligns with other upload-artifact steps (10 spaces before name:).

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


6-7: ⚠️ Potential issue

Fix unsupported tag filter pattern
GitHub Actions tag filters use glob patterns, not regex. The current "v[0-9]+.[0-9]+.[0-9]+" will not trigger correctly.

-  tags:
-    - "v[0-9]+.[0-9]+.[0-9]+"
+  tags:
+    - 'v*.*.*'

171-180: ⚠️ Potential issue

Install Java before converting JKS to PFX
The Windows job calls keytool.exe via $env:JAVA_HOME but never installs Java or sets JAVA_HOME. Add a setup step immediately before the conversion:

+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'

This ensures keytool.exe is available.


165-170: ⚠️ Potential issue

Specify PowerShell shell for JKS decode and cleanup keystore file
On Windows runners the default shell is cmd.exe, so $env:JKS_B64 won’t expand. Also, after decoding you should remove the JKS to avoid leaking secrets:

-      - name: Decode base64-encoded JKS
-        run: |
+      - name: Decode base64-encoded JKS
+        shell: pwsh
+        run: |
           echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
           certutil -decode encoded.b64 mykeystore.jks
-          Remove-Item encoded.b64
+          Remove-Item encoded.b64
+          Remove-Item mykeystore.jks -Force
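
Review bot: the added `Remove-Item mykeystore.jks -Force` line deletes the keystore at the end of the decode step, before the JKS to PFX conversion at lines 171-180 can read it, so the conversion would fail. Move the removal to the end of the conversion step, and remove `cert.pfx` after signing in the same way.
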
🧹 Nitpick comments (4)
.github/workflows/win_exe_sign_test.yml (4)

46-46: Remove trailing whitespace
Multiple lines contain trailing spaces, causing YAML lint errors. Please remove these extra spaces or run a formatter to clear them.

Also applies to: 56-56, 60-60, 64-64, 69-69, 76-76, 85-85, 89-89, 92-92, 95-95, 99-99, 106-106, 113-113, 120-120, 127-127

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)


182-192: Use secure timestamp URL and remove hardcoded signtool path
Hardcoding the Windows SDK path can break on updates, and the timestamp URL should use HTTPS. Update as follows:

-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
-            /f cert.pfx `
-            /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
+          & signtool.exe sign `
+            /f cert.pfx `
+            /p $env:PFX_PASS `
+            /tr https://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `
             $exe.FullName

194-200: Specify PowerShell shell for signature verification and simplify signtool invocation
The verification step lacks shell: pwsh and uses a hardcoded SDK path. It should rely on signtool.exe in PATH:

-      - name: Verify Signature
-        run: |
+      - name: Verify Signature
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-         & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+         & signtool.exe verify `
           /pa `
           $exe.FullName

213-258: Cleanup commented-out deploy job
This large commented block clutters the workflow. Since it’s inactive and slated for removal later, consider deleting it now or moving it into a separate workflow for clarity.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b008a8 and 38f2739.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: macos-build
  • GitHub Check: build_macos

Comment on lines 207 to 210
with:
  name: Espressif-IDE-win32-Signed
  path: extracted/
  overwrite: true

💡 Verification agent

🧩 Analysis chain

Verify artifact upload path for signed Windows ZIP
The upload-artifact step uploads the entire extracted/ folder. Confirm that this includes the signed .zip and no extraneous files. Alternatively, narrow the path to extracted/*.zip to avoid unexpected content.


🏁 Script executed:

#!/bin/bash
# Verify contents of the extracted directory
ls -R extracted

Length of output: 74


We can’t verify extracted/ contents via ls in this clone (it’s only created at runtime). Let’s inspect the workflow around the upload step to confirm where and how extracted/ is produced:


🏁 Script executed:

#!/bin/bash
# Show the upload-artifact step with surrounding context
rg -n "upload-artifact" -C5 .github/workflows/win_exe_sign_test.yml

# Show all references to "extracted" to find its creation/extraction step
rg -n "extracted" -C5 .github/workflows/win_exe_sign_test.yml

Length of output: 3880


Package and upload a signed Windows ZIP
The current upload-artifact step is pointing at the unzipped extracted/ directory (raw binaries), not a standalone signed ZIP. To produce a proper signed Windows ZIP and avoid unexpected files:

  • After the signing step, add a re-zip action, for example:
    - name: Create Signed Windows ZIP
      shell: pwsh
      run: Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
  • Update the upload-artifact step (lines 205–211) to reference that ZIP:
    - path: extracted/
    + path: signed-win32.zip

This ensures only the signed distribution archive is published as the artifact.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 207 to 210, the
upload-artifact step currently uploads the entire extracted/ directory, which
may include unwanted files. To fix this, add a step after signing that creates a
new ZIP archive containing only the signed files (e.g., using Compress-Archive
in PowerShell to zip extracted/* into signed-win32.zip). Then update the
upload-artifact step to upload this signed-win32.zip file instead of the whole
extracted/ folder, ensuring only the signed Windows ZIP is published.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (9)
.github/workflows/win_exe_sign_test.yml (9)

6-7: 🛠️ Refactor suggestion

Use glob pattern for tag filter instead of regex
GitHub Actions tag filters do not support regex. Replace "v[0-9]+.[0-9]+.[0-9]+" with a glob pattern like 'v*.*.*' to ensure proper triggering on version tags.


21-22: 🛠️ Refactor suggestion

Update checkout action to the latest major version
actions/checkout@v3 is flagged as outdated by actionlint. Bump to actions/checkout@v4 to leverage the latest improvements and security fixes.

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


23-28: 🛠️ Refactor suggestion

Upgrade actions/setup-java to the latest major version
actions/setup-java@v3 is outdated per actionlint. Update to actions/setup-java@v4 to ensure compatibility and receive the latest bug fixes.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


111-112: 🛠️ Refactor suggestion

Correct artifact name and indentation for macOS aarch64 upload
The name field is over-indented and uses a dot instead of hyphens. It should align with other steps and use hyphens:

-           name: espressif-ide-macosx.cocoa.aarch64
+         name: espressif-ide-macosx-cocoa-aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


39-42: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}" uses a literal placeholder rather than a valid file path. Update to a concrete filename or env var, for example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
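
Review bot: The replacement `KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"` still writes the keystore into the checkout directory, where a later step with a broad artifact or cache path could pick it up. Write it under `$RUNNER_TEMP` instead and delete it in a final step that runs with `if: always()`, so the signing key does not outlive the step that needs it.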

This change ensures the keystore file is correctly created and referenced.


145-147: 🛠️ Refactor suggestion

Install Java and update checkout action for Windows job
The windows-sign job still uses actions/checkout@v3 and invokes keytool.exe without ensuring a JDK or JAVA_HOME is set. Apply this diff:

-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4

+    - name: Set up Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '11'

This ensures signtool.exe and keytool.exe run reliably on the Windows runner.

🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


165-170: 🛠️ Refactor suggestion

Specify PowerShell shell for JKS decoding step
The Decode base64-encoded JKS step uses PowerShell syntax ($env:JKS_B64) but lacks shell: pwsh, defaulting to cmd.exe where the env var won’t expand. Add:

-      - name: Decode base64-encoded JKS
-        run: |
+      - name: Decode base64-encoded JKS
+        shell: pwsh
+        run: |

This change allows correct base64 decoding on the Windows runner.


182-192: 🛠️ Refactor suggestion

Use portable signtool invocation and secure timestamp URL
Avoid hardcoding the Windows SDK path and using HTTP for timestamping. Update to:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
-    /f cert.pfx `
-    /p $env:PFX_PASS `
-    /tr http://timestamp.digicert.com `
+ & signtool.exe sign `
+    /f cert.pfx `
+    /p $env:PFX_PASS `
+    /tr https://timestamp.digicert.com `
     /td sha256 `
     /fd sha256 `
     $exe.FullName
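
Review bot: In the `sign` invocation, `/p $env:PFX_PASS` puts the PFX password on the process command line, and `/f cert.pfx` is a relative path, so the exported private key sits in the workspace for the rest of the job. Keep `cert.pfx` outside the workspace and remove it once signing is done. Before dropping the full path, confirm that `signtool.exe` actually resolves from PATH on the runner; locating it under the Windows Kits directory at run time avoids both the pinned `10.0.17763.0` version and a PATH dependency. The `/tr` scheme change should be tested against the timestamp server first, since the step fails if the endpoint does not answer over HTTPS.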

This makes the step more portable and secures the timestamp server connection.


194-200: 🛠️ Refactor suggestion

Specify pwsh shell and use signtool.exe from PATH in verification step
The Verify Signature step defaults to cmd.exe and hardcodes the SDK path. Change to:

-      - name: Verify Signature
-        run: |
+      - name: Verify Signature
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-         & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+         & signtool.exe verify `
           /pa `
           $exe.FullName

This ensures PowerShell syntax runs correctly and improves maintainability.

🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

46-106: Remove trailing spaces
Multiple lines (e.g., 46, 56, 60, 64, 69, 76, 85, 89, 92, 95, 99, 106) contain trailing spaces, causing YAML lint errors. Please remove these trailing spaces to comply with YAML formatting standards.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces (trailing-spaces)
[error] 56-56: trailing spaces (trailing-spaces)
[error] 60-60: trailing spaces (trailing-spaces)
[error] 64-64: trailing spaces (trailing-spaces)
[error] 69-69: trailing spaces (trailing-spaces)
[error] 76-76: trailing spaces (trailing-spaces)
[error] 85-85: trailing spaces (trailing-spaces)
[error] 89-89: trailing spaces (trailing-spaces)
[error] 92-92: trailing spaces (trailing-spaces)
[error] 95-95: trailing spaces (trailing-spaces)
[error] 99-99: trailing spaces (trailing-spaces)
[error] 106-106: trailing spaces (trailing-spaces)


205-210: Standardize artifact naming and upload only the signed ZIP

  • The artifact name Espressif-IDE-win32-Signed uses mixed case and deviates from other jobs. Prefer lowercase with hyphens (e.g., espressif-ide-win32-signed).
  • Instead of uploading the entire extracted/ folder, compress it into a single ZIP to avoid unintended files. For example:
- name: Create Signed Windows ZIP
  shell: pwsh
  run: Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force

- name: Upload Signed Windows ZIP
  uses: actions/upload-artifact@v4
  with:
    name: espressif-ide-win32-signed
    path: signed-win32.zip
    overwrite: true

This change aligns naming conventions and guarantees only the intended archive is published.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38f2739 and 6a0e72f.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 46-46: trailing spaces (trailing-spaces)
[error] 56-56: trailing spaces (trailing-spaces)
[error] 60-60: trailing spaces (trailing-spaces)
[error] 64-64: trailing spaces (trailing-spaces)
[error] 69-69: trailing spaces (trailing-spaces)
[error] 76-76: trailing spaces (trailing-spaces)
[error] 85-85: trailing spaces (trailing-spaces)
[error] 89-89: trailing spaces (trailing-spaces)
[error] 92-92: trailing spaces (trailing-spaces)
[error] 95-95: trailing spaces (trailing-spaces)
[error] 99-99: trailing spaces (trailing-spaces)
[error] 106-106: trailing spaces (trailing-spaces)
[warning] 111-111: wrong indentation: expected 10 but found 11 (indentation)
[error] 113-113: trailing spaces (trailing-spaces)
[error] 120-120: trailing spaces (trailing-spaces)
[error] 127-127: trailing spaces (trailing-spaces)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (8)
.github/workflows/win_exe_sign_test.yml (8)

21-21: Bump actions/checkout to latest version
actions/checkout@v3 is outdated per actionlint. Upgrade all usages to @v4 to pick up bug fixes and performance improvements.

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

Also applies to: 145-145, 227-227

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


23-27: Upgrade actions/setup-java to latest major version
actions/setup-java@v3 is flagged as too old. Move to actions/setup-java@v4 for compatibility and security updates.

-      - name: Set up JDK 17
-        uses: actions/setup-java@v3
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


6-7: ⚠️ Potential issue

Fix unsupported tag filter pattern
GitHub Actions tag filters use glob patterns, not regex. Update the tag filter to a shell-style glob to ensure the workflow triggers correctly on version tags.

 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+      - 'v*.*.*'
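
Review bot: The replacement glob `'v*.*.*'` is broader than the pattern it replaces: the original limits each component to digits, while `v*.*.*` matches any tag that starts with `v` and contains two dots, such as `v1.2.3-test`. Because this workflow signs binaries and uploads them with `--acl=public-read`, keep the digit-only constraint in the tag filter, or validate the tag format in the first job before anything is signed.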

182-192: 🛠️ Refactor suggestion

Use signtool from PATH and secure timestamp URL
Hardcoding the SDK path can break on upgrades, and HTTP timestamping is insecure. Rely on the runner’s signtool.exe in PATH and switch to HTTPS:

-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & signtool sign `
             /f cert.pfx `
             /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
+            /tr https://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `
             $exe.FullName

145-147: ⚠️ Potential issue

Install Java before using keytool on Windows
The Windows job invokes keytool.exe but never installs a JDK or sets JAVA_HOME. Add a setup step immediately after checkout:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


111-112: ⚠️ Potential issue

Normalize DMG artifact naming for aarch64
The artifact name and indentation are inconsistent. Use hyphens instead of dots and align with the x86_64 step:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


39-43: ⚠️ Potential issue

Resolve keystore file path placeholder
The placeholder {{secrets.JARSIGNER_KEYSTORE}} will not resolve at runtime. Use a fixed filename or reference a real environment variable. For example:

-          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

211-217: 🛠️ Refactor suggestion

Upload a standalone signed Windows ZIP
Currently the entire extracted/ folder is uploaded. Instead create a compressed ZIP of the signed binaries and upload that single file:

+      - name: Create Signed Windows ZIP
+        shell: pwsh
+        run: |
+          Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
-      - name: Upload Signed Windows ZIP
+      - name: Upload Signed Windows ZIP
         uses: actions/upload-artifact@v4
         with:
           name: espressif-ide-win32
-          path: extracted/
+          path: signed-win32.zip
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

46-106: Remove trailing spaces
YAMLlint reports trailing spaces on multiple lines (46, 56, 60, 64, 69, 76, 85, 89, 92, 95, 99, 106). These will fail linting—please strip trailing whitespace from all lines.


220-223: Fix indentation in upload-aws job
YAMLlint reports incorrect indentation here. Align runs-on, needs, and env under the job key by adding one space:

-  upload-aws:
-   runs-on: macos-latest
-   needs: windows-sign
-   env:
+  upload-aws:
+    runs-on: macos-latest
+    needs: windows-sign
+    env:
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 220-220: wrong indentation: expected 4 but found 3

(indentation)


[warning] 223-223: wrong indentation: expected 5 but found 4

(indentation)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a0e72f and 28fd1f0.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)
227-227: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 46-46: trailing spaces (trailing-spaces)
[error] 56-56: trailing spaces (trailing-spaces)
[error] 60-60: trailing spaces (trailing-spaces)
[error] 64-64: trailing spaces (trailing-spaces)
[error] 69-69: trailing spaces (trailing-spaces)
[error] 76-76: trailing spaces (trailing-spaces)
[error] 85-85: trailing spaces (trailing-spaces)
[error] 89-89: trailing spaces (trailing-spaces)
[error] 92-92: trailing spaces (trailing-spaces)
[error] 95-95: trailing spaces (trailing-spaces)
[error] 99-99: trailing spaces (trailing-spaces)
[error] 106-106: trailing spaces (trailing-spaces)
[warning] 111-111: wrong indentation: expected 10 but found 11 (indentation)
[error] 113-113: trailing spaces (trailing-spaces)
[error] 120-120: trailing spaces (trailing-spaces)
[error] 127-127: trailing spaces (trailing-spaces)
[warning] 220-220: wrong indentation: expected 4 but found 3 (indentation)
[warning] 223-223: wrong indentation: expected 5 but found 4 (indentation)
[warning] 227-227: wrong indentation: expected 5 but found 4 (indentation)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build
  • GitHub Check: macos-build
  • GitHub Check: build_macos

Comment on lines 300 to 306
aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-win32.win32.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip"

aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-x86_64-v${VERSION}.dmg"

aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-aarch64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-aarch64-v${VERSION}.dmg"

aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-linux.gtk.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-${VERSION}-linux.gtk.x86_64.tar.gz"

⚠️ Potential issue

Use consistent S3 bucket for redirects
The s3api put-object commands reference a hardcoded espdldata bucket instead of ${{ secrets.DL_BUCKET }}. Update to use the same secret:

-        aws s3api put-object --acl=public-read --bucket espdldata ...
+        aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} ...
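
Review bot: In the `+` line, `--bucket ${{ secrets.DL_BUCKET }}` is expanded into the script text before the shell runs and is left unquoted. Map the secret to an environment variable on the step (`env:` with `DL_BUCKET: ${{ secrets.DL_BUCKET }}`) and pass `--bucket "$DL_BUCKET"`, which keeps the value out of the generated script and handles quoting. The redirect keys also use the `dl/idf-eclipse-plugin-test/ide/` prefix, while the Windows `aws s3 cp` line in this workflow targets `dl/idf-eclipse-plugin/ide/`, so the Windows `latest` redirect may point at a prefix the ZIP was never copied to.
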
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-win32.win32.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip"
aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-x86_64-v${VERSION}.dmg"
aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-aarch64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-aarch64-v${VERSION}.dmg"
aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-linux.gtk.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-${VERSION}-linux.gtk.x86_64.tar.gz"
aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-win32.win32.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip"
aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-x86_64-v${VERSION}.dmg"
aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-aarch64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-macosx-cocoa-aarch64-v${VERSION}.dmg"
aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} --key "dl/idf-eclipse-plugin-test/ide/Espressif-IDE-linux.gtk.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin-test/ide/Espressif-IDE-${VERSION}-linux.gtk.x86_64.tar.gz"
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 300 to 306, the aws
s3api put-object commands use a hardcoded bucket name "espdldata" instead of the
secret variable ${{ secrets.DL_BUCKET }}. Replace all instances of the bucket
name "espdldata" with ${{ secrets.DL_BUCKET }} to ensure consistent use of the
configured S3 bucket for redirects.

Comment on lines 247 to 252
- name: Download macOS aarch64 dmg zip
uses: actions/download-artifact@v4
with:
name: espressif-ide-macosx.cocoa.aarch64
path: artifacts/macos_arm

⚠️ Potential issue

Fix artifact name for macOS aarch64 download
The download step refers to the old dot-style name; it must match the renamed upload:

-    - name: Download macOS aarch64 dmg zip
+    - name: Download macOS aarch64 dmg
       uses: actions/download-artifact@v4
       with:
-        name: espressif-ide-macosx.cocoa.aarch64
+        name: espressif-ide-macosx-cocoa-aarch64
         path: artifacts/macos_arm
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Download macOS aarch64 dmg zip
uses: actions/download-artifact@v4
with:
name: espressif-ide-macosx.cocoa.aarch64
path: artifacts/macos_arm
- name: Download macOS aarch64 dmg
uses: actions/download-artifact@v4
with:
name: espressif-ide-macosx-cocoa-aarch64
path: artifacts/macos_arm
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 247 to 252, the artifact
name used in the download step for macOS aarch64 is outdated and does not match
the renamed upload artifact. Update the 'name' field in the download-artifact
action to the new correct artifact name that matches the upload step to ensure
the artifact is downloaded properly.

Comment on lines 259 to 264
- name: Extract macOS x86_64 dmg
run: unzip -q artifacts/macos_x86/*.zip -d artifacts/macos_x86

- name: Extract macOS aarch64 dmg
run: unzip -q artifacts/macos_arm/*.zip -d artifacts/macos_arm

⚠️ Potential issue

Remove unzip step for DMG artifacts
DMG files are not ZIP archives. The extract steps will fail. Either download the DMGs directly (no unzip) or use hdiutil if you need to mount them. For example:

-    - name: Extract macOS x86_64 dmg
-      run: unzip -q artifacts/macos_x86/*.zip -d artifacts/macos_x86
+    # DMG artifacts are binary images; no unzip required

Repeat for the aarch64 block.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 259 to 264, the unzip
commands are incorrectly used on DMG files, which are not ZIP archives and will
cause failures. Remove the unzip steps for both macOS x86_64 and aarch64 DMG
artifacts. Instead, either download the DMG files directly without extraction or
use the macOS-specific `hdiutil` command to mount the DMG files if needed.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 9

♻️ Duplicate comments (5)
.github/workflows/win_exe_sign_test.yml (5)

250-252: Update artifact name for macOS aarch64 download
The download step’s name must match the upload. Change:

-        name: espressif-ide-macosx.cocoa.aarch64
+        name: espressif-ide-macosx-cocoa-aarch64

39-39: ⚠️ Potential issue

Resolve keystore filename placeholder
The path uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}}, which won’t resolve. Replace it with a concrete filename or environment variable, for example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

185-192: 🛠️ Refactor suggestion

Avoid hardcoded signtool.exe path & use HTTPS timestamp
Hardcoding the SDK path can break on upgrades. Also switch to HTTPS for the timestamp. For example:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & signtool sign `
  /f cert.pfx `
  /p $env:PFX_PASS `
- /tr http://timestamp.digicert.com `
+ /tr https://timestamp.digicert.com `
  /td sha256 `
  /fd sha256 `

309-315: 🛠️ Refactor suggestion

Use consistent S3 bucket for redirects
These aws s3api put-object calls hardcode --bucket espdldata. Switch to ${{ secrets.DL_BUCKET }}:

-        aws s3api put-object --acl=public-read --bucket espdldata ...
+        aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} ...

194-200: 🛠️ Refactor suggestion

Specify pwsh shell for signature verification
The signature verification step uses PowerShell commands but lacks shell: pwsh. Also remove the full path to signtool.exe:

-      - name: Verify Signature
-        run: |
+      - name: Verify Signature
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-         & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+         & signtool verify `
           /pa `
           $exe.FullName
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

46-127: Remove trailing whitespace
Multiple steps contain trailing spaces, which cause YAML lint errors (lines 46,56,60,64,69,76,85,89,92,95,99,106,113,120,127). Please clean up trailing spaces across the file for consistency.


174-180: Include -srckeypass if alias password differs
If your key entry uses a separate password, add -srckeypass $env:KEY_PASS to the keytool invocation for completeness:

-            -srcstorepass $env:JKS_PASS `
+            -srcstorepass $env:JKS_PASS `
+            -srckeypass $env:KEY_PASS `
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 28fd1f0 and b018315.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

outputs:
version: ${{ steps.get_version.outputs.version }}
steps:
- uses: actions/checkout@v3

🛠️ Refactor suggestion

Upgrade actions/checkout to v4
The workflow uses an outdated checkout action (actions/checkout@v3), which may not be supported on newer runners. Bump all instances to actions/checkout@v4.

Also applies to: 145-145, 227-227

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 21, 145, and 227, the
workflow uses the outdated action version actions/checkout@v3. Update all these
instances to actions/checkout@v4 to ensure compatibility with newer runners and
maintain support.

Comment on lines 259 to 269
- name: Extract macOS x86_64 dmg
run: |
ls -altr artifacts
ls -altr artifacts/macos_x86
unzip -q artifacts/macos_x86/*.zip -d artifacts/macos_x86

- name: Extract macOS aarch64 dmg
run: |
ls -altr artifacts
ls -altr artifacts/macos_arm
unzip -q artifacts/macos_arm/*.zip -d artifacts/macos_arm

⚠️ Potential issue

Remove unzip for DMG files
DMG artifacts aren’t ZIPs, so unzip -q .../*.zip will fail. Either download DMGs directly or use hdiutil. For example, remove these steps altogether if no extraction is needed.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 259 to 269, the workflow
incorrectly uses unzip commands to extract DMG files, which are not ZIP archives
and will cause failures. Remove the unzip commands for the macOS x86_64 and
aarch64 DMG extraction steps, and either download the DMG files directly or use
the appropriate tool like hdiutil if mounting or extraction is necessary. If no
extraction is required, simply omit these steps.

Comment on lines 111 to 112
name: espressif-ide-macosx.cocoa.aarch64
path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

⚠️ Potential issue

Fix artifact name and indentation for aarch64 DMG
The name field uses a dot and is over-indented:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64

Adjust indentation to match other upload steps.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 111 to 112, the artifact
name uses dots instead of dashes and is over-indented. Rename the artifact from
"espressif-ide-macosx.cocoa.aarch64" to "espressif-ide-macosx-cocoa-aarch64" and
adjust the indentation to align with other upload steps for consistency.


aws s3 cp --acl=public-read artifacts/macos_x86/Espressif-IDE-macosx-cocoa-x86_64-v${VERSION}.dmg s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin-test/ide/
aws s3 cp --acl=public-read artifacts/macos_arm/Espressif-IDE-macosx-cocoa-aarch64-v${VERSION}.dmg s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin-test/ide/
aws s3 cp --acl=public-read artifacts/Espressif-IDE-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/

⚠️ Potential issue

Correct S3 upload path for Windows ZIP
The path artifacts/Espressif-IDE-win32.win32.x86_64.zip doesn’t exist; you downloaded and extracted files instead. Update this to use your newly created signed-win32.zip or point to the correct artifact location.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 305, the S3 upload command
references a non-existent file path
artifacts/Espressif-IDE-win32.win32.x86_64.zip. Update this path to point to the
correct artifact, such as the newly created signed-win32.zip file or the actual
location of the signed Windows ZIP artifact, ensuring the upload command uses
the valid file path.

- uses: actions/checkout@v3

- name: Set up JDK 17
uses: actions/setup-java@v3

🛠️ Refactor suggestion

Bump actions/setup-java to v4
actions/setup-java@v3 is flagged as outdated by actionlint. Update to actions/setup-java@v4 to ensure compatibility with the current runner.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 24, the action
'actions/setup-java' is using version v3, which is outdated. Update the version
from v3 to v4 by changing the line to 'uses: actions/setup-java@v4' to ensure
compatibility with the current runner and resolve the actionlint warning.

Comment on lines 271 to 276
- name: Extract linux zip (keep internal .tar.gz intact)
run: |
ls -altr artifacts
unzip -q artifacts/*.zip -d artifacts/linux
ls -altr artifacts/linux/


⚠️ Potential issue

Fix Linux artifact extraction
You uploaded .tar.gz, not a ZIP, yet you’re running unzip. Replace with:

- run: unzip -q artifacts/*.zip -d artifacts/linux
+ run: mkdir -p artifacts/linux && tar -xzf artifacts/*.tar.gz -C artifacts/linux
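
Review bot: the replacement `tar -xzf` line unpacks the .tar.gz, but the step is named "Extract linux zip (keep internal .tar.gz intact)", so the archive that is meant to be published unchanged would be expanded instead. Check what the download step actually leaves in artifacts/; if the .tar.gz is already there as a file, drop the extraction rather than swapping unzip for tar.
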
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 271 to 276, the
extraction step incorrectly uses unzip on a .tar.gz file. Replace the unzip
command with a mkdir command to create the target directory if it doesn't exist,
followed by a tar command to extract the .tar.gz archive into the
artifacts/linux directory.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 7

♻️ Duplicate comments (7)
.github/workflows/win_exe_sign_test.yml (7)

21-22: Update actions/checkout to v4
Actionlint reports actions/checkout@v3 is outdated. Bump to actions/checkout@v4 for compatibility with newer runners.

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


145-146: Update actions/checkout to v4 in windows-sign job
Please bump actions/checkout@v3 to actions/checkout@v4 here as well.

🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


227-228: Update actions/checkout to v4 in upload-aws job
Please bump actions/checkout@v3 to actions/checkout@v4 here as well.

🧰 Tools
🪛 actionlint (1.7.7)

227-227: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[warning] 227-227: wrong indentation: expected 5 but found 4

(indentation)


39-43: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
The placeholder {{secrets.JARSIGNER_KEYSTORE}} will not resolve. Use a concrete filename or env var, e.g.:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

110-112: ⚠️ Potential issue

Fix artifact name and indentation
The artifact name uses a dot and is over-indented:

- name: espressif-ide-macosx.cocoa.aarch64
+ name: espressif-ide-macosx-cocoa-aarch64

Adjust indentation to match other upload-artifact steps.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


185-192: ⚠️ Potential issue

Use HTTPS timestamp and PATH for signtool

  • Switch to https://timestamp.digicert.com for secure timestamping.
  • Avoid hardcoded Windows Kits path; invoke signtool.exe directly from PATH.
- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
-   /tr http://timestamp.digicert.com `
+ & signtool.exe sign `
+   /tr https://timestamp.digicert.com `

298-304: ⚠️ Potential issue

Use configured S3 bucket secret for redirects
The aws s3api put-object commands reference a hardcoded bucket espdldata. Replace with the secret ${{ secrets.DL_BUCKET }} to maintain consistency:

- --bucket espdldata
+ --bucket ${{ secrets.DL_BUCKET }}
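
Review bot: on the added `--bucket ${{ secrets.DL_BUCKET }}` line, the expression is substituted into the script text before the shell runs. Map the secret to an environment variable under `env:` and pass `--bucket "$DL_BUCKET"`, so the value is quoted and never becomes part of the script source.
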
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

46-99: Remove trailing spaces
YAMLlint reports multiple trailing-space errors in this block (lines 46, 56, 60, 64, 69, 76, 85, 89, 92, 95, 99). Clean up these trailing spaces to satisfy lint checks and keep formatting consistent.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)


[error] 60-60: trailing spaces

(trailing-spaces)


[error] 64-64: trailing spaces

(trailing-spaces)


[error] 69-69: trailing spaces

(trailing-spaces)


[error] 76-76: trailing spaces

(trailing-spaces)


[error] 85-85: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


219-227: Fix indentation in upload-aws job
YAMLlint warns about inconsistent indentation (lines 220–227). Standardize to 4 spaces under upload-aws for keys: runs-on, needs, env, steps, and list items. For example:

-   runs-on: macos-latest
+  runs-on: macos-latest
🧰 Tools
🪛 actionlint (1.7.7)

227-227: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[warning] 220-220: wrong indentation: expected 4 but found 3

(indentation)


[warning] 223-223: wrong indentation: expected 5 but found 4

(indentation)


[warning] 227-227: wrong indentation: expected 5 but found 4

(indentation)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b018315 and 40e11f5.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/win_exe_sign_test.yml

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


227-227: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/win_exe_sign_test.yml

[error] 46-46: trailing spaces

(trailing-spaces)


[error] 56-56: trailing spaces

(trailing-spaces)


[error] 60-60: trailing spaces

(trailing-spaces)


[error] 64-64: trailing spaces

(trailing-spaces)


[error] 69-69: trailing spaces

(trailing-spaces)


[error] 76-76: trailing spaces

(trailing-spaces)


[error] 85-85: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 106-106: trailing spaces

(trailing-spaces)


[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


[error] 113-113: trailing spaces

(trailing-spaces)


[error] 120-120: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[warning] 220-220: wrong indentation: expected 4 but found 3

(indentation)


[warning] 223-223: wrong indentation: expected 5 but found 4

(indentation)


[warning] 227-227: wrong indentation: expected 5 but found 4

(indentation)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build_macos
  • GitHub Check: macos-build

Comment on lines 6 to 7
tags:
- "v[0-9]+.[0-9]+.[0-9]+"

⚠️ Potential issue

Unsupported regex in tag filter
GitHub Actions tag filters use shell-style glob patterns, not regular expressions. Replace:

- tags:
-   - "v[0-9]+.[0-9]+.[0-9]+"

with:

  tags:
    - 'v*.*.*'
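
Review bot: the replacement pattern 'v*.*.*' is far looser than the line it removes: `*` matches any run of characters other than `/`, so tags such as v1.2.3-rc1 or vtest.a.b would also start a workflow that signs and uploads release binaries. GitHub's filter patterns accept `[0-9]` ranges and the `+` quantifier, so "v[0-9]+.[0-9]+.[0-9]+" can stay if releases should fire only on plain version tags. If the glob is adopted anyway, validate the tag name in the first step, before any signing secret is read.
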
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 6 to 7, the tag filter uses
an unsupported regular expression pattern "v[0-9]+.[0-9]+.[0-9]+". Replace this
regex with a shell-style glob pattern by changing the tag filter to 'v*.*.*' to
comply with GitHub Actions syntax.

Comment on lines 23 to 28
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'


🛠️ Refactor suggestion

Upgrade actions/setup-java to v4
Actionlint flags actions/setup-java@v3 as too old. Update to actions/setup-java@v4 to ensure Java setup on the runner.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml between lines 23 and 28, the GitHub
action uses an outdated version v3 of actions/setup-java. Update the version
from v3 to v4 by changing the uses line to actions/setup-java@v4 to comply with
actionlint and ensure proper Java setup on the runner.

Comment on lines 211 to 218
- name: Upload Signed Windows ZIP
uses: actions/upload-artifact@v4
with:
name: espressif-ide-win32
path: extracted/
overwrite: true
if-no-files-found: error


🛠️ Refactor suggestion

Repackage and upload a signed Windows ZIP
Currently the step uploads the raw extracted/ directory. To publish a proper signed archive:

  1. Compress the signed files:
    - name: Create Signed Windows ZIP
      shell: pwsh
      run: Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
  2. Upload only the ZIP:
    - name: Upload Signed Windows ZIP
      uses: actions/upload-artifact@v4
      with:
        name: espressif-ide-win32
        path: signed-win32.zip
        overwrite: true
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 211 to 218, the current
step uploads the entire extracted/ directory instead of a compressed archive. To
fix this, add a step before uploading that compresses the contents of extracted/
into a signed-win32.zip file using Compress-Archive in PowerShell. Then modify
the upload step to upload only the signed-win32.zip file instead of the raw
directory.

Comment on lines 247 to 251
- name: Download macOS aarch64 dmg zip
uses: actions/download-artifact@v4
with:
name: espressif-ide-macosx.cocoa.aarch64
path: artifacts/macos_arm

⚠️ Potential issue

Fix artifact name in aarch64 download step
The download step refers to espressif-ide-macosx.cocoa.aarch64, but the artifact is named espressif-ide-macosx-cocoa-aarch64. Update to:

name: espressif-ide-macosx-cocoa-aarch64
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 247 to 251, the artifact
name in the download step is incorrect; it uses
'espressif-ide-macosx.cocoa.aarch64' instead of the correct
'espressif-ide-macosx-cocoa-aarch64'. Update the 'name' field in the
download-artifact action to 'espressif-ide-macosx-cocoa-aarch64' to match the
actual artifact name.

Comment on lines 194 to 200
- name: Verify Signature
run: |
$exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
/pa `
$exe.FullName


⚠️ Potential issue

Specify shell: pwsh and use signtool from PATH for verification
The Verify Signature step invokes PowerShell syntax with the default shell and a hardcoded path. Update to:

- name: Verify Signature
- run: |
+ name: Verify Signature
+ shell: pwsh
+ run: |
     $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-    & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+    & signtool.exe verify `
        /pa `
        $exe.FullName
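
Review bot: nothing after the `$exe = Get-ChildItem ... | Select-Object -First 1` line checks that a file was found, so if the layout of extracted/ changes, `$exe` is `$null` and the step's outcome depends on how signtool handles an empty argument. Add `if (-not $exe) { throw "espressif-ide.exe not found" }` before the call. `signtool verify /pa` also only shows that the signature chains to a trusted root, not that the expected publisher signed the file; compare the signer's subject or thumbprint, for example from `Get-AuthenticodeSignature`, against a pinned value.
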
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 194 to 200, the Verify
Signature step uses PowerShell syntax but does not specify the shell, and it
calls signtool.exe using a hardcoded path. To fix this, add "shell: pwsh" to
explicitly use PowerShell Core, and replace the hardcoded signtool.exe path with
just "signtool.exe" to use the version available in the system PATH.

Comment on lines 277 to 280
run: |
zip -r artifacts/update/* com.espressif.idf.update-v${VERSION}.zip
zip -r artifacts/win32/* Espressif-IDE-${VERSION}-win32.win32.x86_64.zip


⚠️ Potential issue

Correct zip command arguments
The zip -r invocation has the zipfile path and source files reversed. It should be:

- zip -r artifacts/update/* com.espressif.idf.update-v${VERSION}.zip
+ zip -r artifacts/update/com.espressif.idf.update-v${VERSION}.zip artifacts/update/*
- zip -r artifacts/win32/* Espressif-IDE-${VERSION}-win32.win32.x86_64.zip
+ zip -r artifacts/win32/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip artifacts/win32/*
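
Review bot: with the arguments in this order the archives are created, but every entry is stored under the `artifacts/update/` or `artifacts/win32/` prefix, because zip records paths as they are given on the command line. If consumers expect the contents at the archive root, run zip from inside each directory and write the archive outside the directory being zipped, e.g. `(cd artifacts/win32 && zip -r ../Espressif-IDE-${VERSION}-win32.win32.x86_64.zip .)`.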

This ensures the archives are created correctly.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 277 to 280, the zip
command arguments are reversed; the zipfile path should come immediately after
the zip command followed by the source files. Fix this by placing the archive
file path first, then the files or directories to be zipped, ensuring the
archives are created correctly.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (13)
.github/workflows/win_exe_sign_test.yml (13)

21-22: Upgrade actions/checkout to v4
Actionlint flags actions/checkout@v3 as outdated. Bump all instances to @v4 to ensure compatibility with current runners and receive the latest fixes.

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

Also applies to: 145-146, 227-228

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


23-27: Upgrade actions/setup-java to v4
Actionlint reports actions/setup-java@v3 is too old. Update to @v4 for proper runner support.

-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


39-43: ⚠️ Potential issue

Fix unresolved keystore filename placeholder
The step decodes the keystore into {{secrets.JARSIGNER_KEYSTORE}}, which is a literal placeholder. Replace with a concrete filename or env var:

-          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

247-251: ⚠️ Potential issue

Correct download artifact name for macOS aarch64
The download step refers to the old dot-based name. Use the updated dash-based artifact:

-        name: espressif-ide-macosx.cocoa.aarch64
+        name: espressif-ide-macosx-cocoa-aarch64

194-200: ⚠️ Potential issue

Specify shell: pwsh and use generic signtool.exe for verification
The Verify Signature step defaults to cmd.exe and uses a hardcoded path. Change to:

-      - name: Verify Signature
-        run: |
+      - name: Verify Signature
+        shell: pwsh
+        run: |
           $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-         & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+         & signtool.exe verify `
            /pa `
            $exe.FullName

111-112: ⚠️ Potential issue

Fix indentation and artifact name for macOS aarch64
Indentation is incorrect and the artifact name uses dots instead of dashes. Update to:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64

Ensure the line is indented to 10 spaces under with:.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


276-280: ⚠️ Potential issue

Correct zip command argument order
The zip invocations have reversed arguments; the archive path must come first:

-        zip -r artifacts/update/* com.espressif.idf.update-v${VERSION}.zip
+        zip -r artifacts/update/com.espressif.idf.update-v${VERSION}.zip artifacts/update/*
-        zip -r artifacts/win32/* Espressif-IDE-${VERSION}-win32.win32.x86_64.zip
+        zip -r artifacts/win32/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip artifacts/win32/*

6-7: 🛠️ Refactor suggestion

Invalid tag filter syntax: Use glob instead of regex

GitHub Actions tag filters don’t support regular expressions. Switch to a shell-style glob to correctly match semantic version tags.

Apply this diff:

-    tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+    tags:
+      - 'v*.*.*'

185-192: 🛠️ Refactor suggestion

Use generic signtool.exe and HTTPS timestamp
Hardcoding the Windows SDK path can break on upgrades; use signtool.exe from PATH. Switch to an HTTPS timestamp server:

-          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+          & signtool.exe sign `
             /f cert.pfx `
             /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
+            /tr https://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `
             $exe.FullName
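
Review bot: on the `/tr` line, confirm that the HTTPS endpoint answers RFC 3161 requests before switching; the timestamp token is itself signed, so its integrity does not depend on TLS. The unchanged `/f cert.pfx` and `/p $env:PFX_PASS` lines leave the decoded PFX on the runner's disk and put the password on the command line, so add a cleanup step marked `if: always()` that deletes cert.pfx. Calling `signtool.exe` by bare name assumes the runner image has it on PATH; resolve it with `Get-Command signtool.exe` first and fail with a clear message if it is missing.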

297-303: ⚠️ Potential issue

Use configured S3 bucket secret instead of hardcoded name
The put-object steps reference the static bucket espdldata. Replace with the secret:

-        aws s3api put-object --acl=public-read --bucket espdldata ...
+        aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} ...

147-152: ⚠️ Potential issue

Install Java on Windows runner before using keytool.exe
The windows-sign job invokes keytool.exe via JAVA_HOME but no JDK is installed nor JAVA_HOME set. Add a setup step:

       - uses: actions/checkout@v4
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'

165-170: ⚠️ Potential issue

Decode JKS with PowerShell and clean up keystore
The JKS decode step runs under cmd and leaves mykeystore.jks on disk. Update to:

-      - name: Decode base64-encoded JKS
-        run: |
+      - name: Decode base64-encoded JKS
+        shell: pwsh
+        run: |
           echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
           certutil -decode encoded.b64 mykeystore.jks
           Remove-Item encoded.b64
+          Remove-Item mykeystore.jks
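
Review bot: the added `Remove-Item mykeystore.jks` runs in the same step that creates the file, so the keystore is deleted before any later step can read it. Move the deletion to a final cleanup step marked `if: always()`, so it also runs when signing fails. The unchanged `Out-File` line still writes the base64 secret to encoded.b64 first; decoding in memory with `[Convert]::FromBase64String` and `[IO.File]::WriteAllBytes` avoids that intermediate file.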

211-218: 🛠️ Refactor suggestion

Package and upload a signed Windows ZIP
Uploading the raw extracted/ directory can include unintended files. Instead, compress the signed files into a standalone ZIP and upload that:

- name: Upload Signed Windows ZIP
- uses: actions/upload-artifact@v4
- with:
-  name: espressif-ide-win32
-  path: extracted/
-  overwrite: true
+ name: Create Signed Windows ZIP
+ shell: pwsh
+ run: |
+  Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
+ - name: Upload Signed Windows ZIP
+   uses: actions/upload-artifact@v4
+   with:
+     name: espressif-ide-win32
+     path: signed-win32.zip
+     overwrite: true
🧹 Nitpick comments (2)
.github/workflows/win_exe_sign_test.yml (2)

46-46: Remove trailing spaces
YAMLlint reports trailing spaces at multiple lines. Clean these up to satisfy lint rules.

Also applies to: 56-56, 60-60, 64-64, 69-69, 76-76, 85-85, 89-89, 92-92, 95-95, 99-99, 106-106, 113-113, 120-120, 127-127

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)


220-223: Fix indentation for upload-aws job
YAMLlint flags incorrect indentation in the upload-aws job block. Ensure runs-on:, env:, and steps: are indented consistently under upload-aws.

Also applies to: 227-227

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 220-220: wrong indentation: expected 4 but found 3

(indentation)


[warning] 223-223: wrong indentation: expected 5 but found 4

(indentation)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 40e11f5 and c7097fe.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build_macos
  • GitHub Check: build
  • GitHub Check: macos-build

Comment on lines 292 to 294
aws s3 cp --acl=public-read artifacts/macos_arm/Espressif-IDE-macosx-cocoa-aarch64-v${VERSION}.dmg s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin-test/ide/
aws s3 cp --acl=public-read Espressif-IDE-${VERSION}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/


⚠️ Potential issue

Inconsistent S3 upload paths for Windows ZIP
Most upload commands target dl/idf-eclipse-plugin-test, but the Windows ZIP is sent to dl/idf-eclipse-plugin. This will mix test and prod artifacts—align all paths to the same prefix.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 292 to 294, the S3
upload path for the Windows ZIP file differs from the others, causing test and
production artifacts to mix. Update the Windows ZIP upload command to use the
same S3 path prefix as the other uploads, specifically changing the path from
dl/idf-eclipse-plugin to dl/idf-eclipse-plugin-test to maintain consistency.

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
echo "${KEYSTORE_FILE}"
printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"
mvn -e -X clean install -Djarsigner.keystore="${KEYSTORE_FILE}" -Djarsigner.alias="${JARSIGNER_ALIAS}" -Djarsigner.storepass="${JARSIGNER_STOREPASS}" -DskipTests=true

⚠️ Potential issue

Avoid verbose/debug flags to prevent leaking secrets
Running mvn -e -X generates detailed logs (including env vars), which can expose sensitive data. Remove -X (and consider dropping -e) to limit verbosity:

-          mvn -e -X clean install \
+          mvn clean install \

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 42, remove the `-X` flag from
the `mvn` command to prevent verbose debug output that may leak sensitive
environment variables. Optionally, also remove the `-e` flag to further reduce
log verbosity. This will limit the exposure of secrets in the build logs.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (9)
.github/workflows/win_exe_sign_test.yml (9)

21-21: Update checkout action to v4
Actionlint flags actions/checkout@v3 as too old to run on current GitHub runners. Bump to actions/checkout@v4.

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: Update setup-java action to v4
Actionlint flags actions/setup-java@v3 as outdated. Upgrade to actions/setup-java@v4 to ensure compatibility.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


145-145: Update checkout action to v4 (Windows job)
Actionlint flags actions/checkout@v3 as outdated. Bump to actions/checkout@v4.

🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


277-280: ⚠️ Potential issue

Correct zip command argument order
The zip -r invocations have their arguments reversed. The archive path must come first, then the source:

- zip -r artifacts/update/* com.espressif.idf.update-v${VERSION}.zip
+ zip -r artifacts/update/com.espressif.idf.update-v${VERSION}.zip artifacts/update/*
- zip -r artifacts/win32/* Espressif-IDE-${VERSION}-win32.win32.x86_64.zip
+ zip -r artifacts/win32/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip artifacts/win32/*

7-7: ⚠️ Potential issue

Unsupported regex in tag filter
GitHub Actions does not support regular expressions in tag filters. Replace the regex pattern with a shell-style glob, for example:

-    tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+    tags:
+      - 'v*.*.*'

297-303: ⚠️ Potential issue

Use configured S3 bucket for redirects
The aws s3api put-object steps hardcode espdldata. Switch to ${{ secrets.DL_BUCKET }}:

- aws s3api put-object --acl=public-read --bucket espdldata ...
+ aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} ...

247-251: ⚠️ Potential issue

Fix artifact name in download step
The download action references espressif-ide-macosx.cocoa.aarch64 but the artifact is named with dashes. Update it:

- name: Download macOS aarch64 dmg zip
- uses: actions/download-artifact@v4
- with:
-   name: espressif-ide-macosx.cocoa.aarch64
+ name: Download macOS aarch64 dmg
+ uses: actions/download-artifact@v4
+ with:
+   name: espressif-ide-macosx-cocoa-aarch64

111-113: ⚠️ Potential issue

Correct artifact naming and indentation
The name field is over-indented and uses dots instead of dashes:

-           name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64

Adjust indentation to align with other upload steps.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


[error] 113-113: trailing spaces

(trailing-spaces)


293-293: ⚠️ Potential issue

Fix Windows S3 upload path and prefix
This aws s3 cp uses the wrong file path and the production prefix:

- aws s3 cp --acl=public-read Espressif-IDE-${VERSION}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/
+ aws s3 cp --acl=public-read artifacts/win32/Espressif-IDE-${VERSION}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin-test/ide/
🧹 Nitpick comments (1)
.github/workflows/win_exe_sign_test.yml (1)

194-200: Specify PowerShell shell & avoid hardcoded path for verification
Add shell: pwsh and use signtool.exe from PATH in the Verify Signature step:

- name: Verify Signature
+ name: Verify Signature
+   shell: pwsh
  run: |
    $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-   & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+   & signtool.exe verify `
      /pa `
      $exe.FullName
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c7097fe and a292776.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build_macos
  • GitHub Check: build
  • GitHub Check: macos-build

Comment on lines 165 to 170
- name: Decode base64-encoded JKS
run: |
echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
certutil -decode encoded.b64 mykeystore.jks
Remove-Item encoded.b64


🛠️ Refactor suggestion

Specify PowerShell shell for JKS decoding
The Decode base64-encoded JKS step uses PowerShell commands but lacks shell: pwsh. Add it to ensure correct execution:

- name: Decode base64-encoded JKS
+ name: Decode base64-encoded JKS
+   shell: pwsh
  run: |
    echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
    certutil -decode encoded.b64 mykeystore.jks
    Remove-Item encoded.b64
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 165 to 170, the step
decoding the base64-encoded JKS uses PowerShell commands but does not specify
the shell, which can cause execution issues. Fix this by adding "shell: pwsh" to
the step definition to explicitly run the commands in PowerShell.

Comment on lines 211 to 216
- name: Upload Signed Windows ZIP
uses: actions/upload-artifact@v4
with:
name: espressif-ide-win32
path: extracted/
overwrite: true

🛠️ Refactor suggestion

Repackage and upload a signed Windows ZIP
Uploading the raw extracted/ directory may include unwanted files. Instead, compress the signed binaries into a ZIP and upload that archive:

- name: Upload Signed Windows ZIP
  uses: actions/upload-artifact@v4
  with:
    name: espressif-ide-win32
    path: extracted/
+ name: Create Signed Windows ZIP
+ shell: pwsh
+ run: Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
+ - name: Upload Signed Windows ZIP
+   uses: actions/upload-artifact@v4
+   with:
+     name: espressif-ide-win32
+     path: signed-win32.zip
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 211 to 216, the current
step uploads the entire extracted/ directory which may contain unwanted files.
To fix this, add a step before uploading that compresses the contents of
extracted/ into a signed-win32.zip archive using Compress-Archive in PowerShell.
Then update the upload step to upload the signed-win32.zip file instead of the
raw directory.

Comment on lines 185 to 192
$exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
/f cert.pfx `
/p $env:PFX_PASS `
/tr http://timestamp.digicert.com `
/td sha256 `
/fd sha256 `
$exe.FullName

⚠️ Potential issue

Remove hardcoded SDK path and secure timestamp URL
The signtool.exe call hardcodes the Windows SDK version and uses an insecure HTTP timestamp. Switch to the PATH-provided tool and HTTPS:

- & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+ & signtool.exe sign `
    /f cert.pfx `
    /p $env:PFX_PASS `
-   /tr http://timestamp.digicert.com `
+   /tr https://timestamp.digicert.com `
    /td sha256 `
    /fd sha256 `
    $exe.FullName
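
Review bot: /p $env:PFX_PASS on the third line passes the PFX password as a command-line argument to signtool.exe, and /f cert.pfx reads the private key from a file in the working directory. If the certificate can be imported into the runner's certificate store, select it by thumbprint with /sha1 instead of /f and /p. Once the /tr URL is switched, run the job once and confirm the signed file still carries a timestamp.
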
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 185 to 192, the
signtool.exe path is hardcoded with a specific Windows SDK version and the
timestamp URL uses insecure HTTP. Update the script to call signtool.exe
directly from the system PATH instead of the hardcoded path, and change the
timestamp URL from "http://timestamp.digicert.com" to the secure
"https://timestamp.digicert.com" to improve security and maintainability.

Comment on lines 39 to 40
KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
echo "${KEYSTORE_FILE}"

⚠️ Potential issue

Fix unresolved keystore filename placeholder
The line

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"

uses a literal placeholder. Replace it with a concrete filename or an env var, for example:

KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 39-40, the KEYSTORE_FILE
variable uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}} which is
unresolved. Replace this placeholder with the actual keystore filename or a
valid environment variable reference, for example, set
KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks" to ensure the path points to a
real file.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (10)
.github/workflows/win_exe_sign_test.yml (10)

6-7: Regex tag filter is unsupported by GitHub Actions
GitHub Actions only accepts shell-style glob patterns for tag filters. Update:

-on:
-  tags:
-    - "v[0-9]+.[0-9]+.[0-9]+"
+ on:
+   tags:
+     - 'v*.*.*'
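
Review bot: the replacement 'v*.*.*' is much broader than the pattern it removes: * matches any run of characters other than /, so tags such as v1.2.3-rc1 or vx.y.z would now start the signing and upload jobs. GitHub's filter pattern syntax accepts character ranges and the + quantifier, so "v[0-9]+.[0-9]+.[0-9]+" can stay as written and keeps the release trigger to numeric version tags.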

21-22: Upgrade actions/checkout to v4
Per actionlint, actions/checkout@v3 is outdated. Bump all instances to @v4.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 145-145, 227-227

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: Upgrade actions/setup-java to v4
actionlint flags actions/setup-java@v3 as too old. Change to:

- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


39-40: Fix unresolved keystore filename placeholder
The KEYSTORE_FILE path uses a literal {{secrets.JARSIGNER_KEYSTORE}} placeholder. Replace with a concrete filename or environment variable. For example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

111-112: Correct artifact name format and indentation
The name field uses dots and is over-indented. Rename and align with other steps:

- name: espressif-ide-macosx.cocoa.aarch64
+ name: espressif-ide-macosx-cocoa-aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


185-192: Remove hardcoded SDK path & secure timestamp URL
Use signtool.exe from PATH and switch to HTTPS:

-& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+& signtool.exe sign `
 /f cert.pfx
 /p $env:PFX_PASS
-/tr http://timestamp.digicert.com
+/tr https://timestamp.digicert.com
 /td sha256
 /fd sha256
 $exe.FullName

194-200: Specify shell: pwsh and use signtool from PATH for verification
Add shell: pwsh and drop the hardcoded path:

- name: Verify Signature
- run: |
+ name: Verify Signature
+ shell: pwsh
+ run: |
    $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
-   & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+   & signtool.exe verify `
     /pa
     $exe.FullName

211-216: Repackage & upload a signed Windows ZIP instead of raw folder
Compress the signed binaries into a ZIP and upload that single file:

- name: Upload Signed Windows ZIP
- uses: actions/upload-artifact@v4
- with:
-   name: espressif-ide-win32
-   path: extracted/
+ - name: Create Signed Windows ZIP
+   shell: pwsh
+   run: Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
+ - name: Upload Signed Windows ZIP
+   uses: actions/upload-artifact@v4
+   with:
+     name: espressif-ide-win32
+     path: signed-win32.zip
     overwrite: true
     if-no-files-found: error

271-280: Fix zip command argument order
The archive path must come before the source files:

- zip -r artifacts/update/* com.espressif.idf.update-v${{ env.VERSION }}.zip
- zip -r artifacts/win32/* Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip
+ zip -r artifacts/update/com.espressif.idf.update-v${{ env.VERSION }}.zip artifacts/update/*
+ zip -r artifacts/win32/Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip artifacts/win32/*
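
Review bot: with the archive path moved first, both commands write the zip into the directory they are archiving, and every entry is stored with the artifacts/update/ or artifacts/win32/ prefix. The aws s3 cp line for the Windows artifact names Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip with no directory, so the upload would not find the file. Either write the archive to the working directory or cd into the source folder first, and keep the zip and upload paths in agreement.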

292-294: Use consistent S3 bucket and paths
Avoid hardcoded espdldata and align all uploads to ${{ secrets.DL_BUCKET }}:

- aws s3 cp ... Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/
+ aws s3 cp ... Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin-test/ide/
- aws s3api put-object --bucket espdldata ...
+ aws s3api put-object --bucket ${{ secrets.DL_BUCKET }} ...

Also applies to: 297-304

🧹 Nitpick comments (1)
.github/workflows/win_exe_sign_test.yml (1)

46-46: Remove trailing whitespace
Several lines contain trailing spaces, which trigger YAML lint errors. Please strip trailing spaces across the file.

Also applies to: 56-56, 60-60, 64-64, 69-69, 76-76, 85-85, 89-89, 92-92, 95-95, 99-99, 106-106, 113-113, 120-120, 127-127

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 46-46: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a292776 and 8a7b021.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build_macos
  • GitHub Check: build
  • GitHub Check: macos-build


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (9)
.github/workflows/win_exe_sign_test.yml (9)

6-7: 🛠️ Refactor suggestion

Fix unsupported regex tag filter
GitHub Actions tag filters use glob patterns, not regex. Update the tags entry to a shell-style glob:

-    tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
+    tags:
+      - 'v*.*.*'

39-41: ⚠️ Potential issue

Resolve keystore filename placeholder
KEYSTORE_FILE uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}}. Define a concrete filename (or env var) instead, for example:

-          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"

165-170: ⚠️ Potential issue

Specify PowerShell shell for JKS decoding
The base64 decode step runs PowerShell commands but lacks an explicit shell declaration—this can fail on Windows runners. Add shell: pwsh:

-      - name: Decode base64-encoded JKS
-        run: |
+      - name: Decode base64-encoded JKS
+        shell: pwsh
+        run: |

145-153: ⚠️ Potential issue

Install Java on Windows runner before keytool usage
keytool.exe requires a JDK and JAVA_HOME. Add a Java setup step immediately after checkout:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'
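
Review bot: actions/checkout@v4 and the added actions/setup-java@v4 are referenced by a mutable tag in the job that goes on to run keytool against the release keystore. Pin both to a full commit SHA, with the version in a trailing comment, so a retagged action cannot run in the same job as the signing secrets.
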
🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


211-216: 🛠️ Refactor suggestion

Repackage and upload a signed ZIP
Uploading the raw extracted/ directory is error-prone. Compress the signed binaries and upload the archive instead:

-      - name: Upload Signed Windows ZIP
-        uses: actions/upload-artifact@v4
-        with:
-          name: espressif-ide-win32
-          path: extracted/
+      - name: Create Signed Windows ZIP
+        shell: pwsh
+        run: Compress-Archive -Path extracted/* -DestinationPath signed-win32.zip -Force
+
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-win32
+          path: signed-win32.zip

182-192: ⚠️ Potential issue

Use signtool.exe from PATH and secure timestamp URL
Avoid hardcoded SDK paths and switch to HTTPS timestamping:

-          & "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.17763.0\\x86\\signtool.exe" sign `
+          & signtool.exe sign `
             /f cert.pfx `
             /p $env:PFX_PASS `
-            /tr http://timestamp.digicert.com `
+            /tr https://timestamp.digicert.com `
             /td sha256 `
             /fd sha256 `

297-302: ⚠️ Potential issue

Use the configured S3 bucket for website redirects
Replace hardcoded espdldata with ${{ secrets.DL_BUCKET }} in the s3api put-object commands:

-        aws s3api put-object --acl=public-read --bucket espdldata --key ...
+        aws s3api put-object --acl=public-read --bucket ${{ secrets.DL_BUCKET }} --key ...
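
Review bot: ${{ secrets.DL_BUCKET }} on the added line is expanded into the script text before the shell runs. Map it to a variable in the step's env: block and reference it as a quoted shell variable instead. Note also that --acl=public-read makes every object written by this command world-readable, so the --key values elided here deserve a second look.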

194-200: ⚠️ Potential issue

Specify PowerShell shell and use PATH for signature verification
Declare shell: pwsh and call signtool.exe without a hardcoded path:

-      - name: Verify Signature
-        run: |
+      - name: Verify Signature
+        shell: pwsh
+        run: |
             $exe = ...
-         & "C:\\Program Files ..." verify `
+         & signtool.exe verify `

291-294: 🛠️ Refactor suggestion

Align S3 paths for Windows uploads
The Windows artifact is uploaded under dl/idf-eclipse-plugin/ide/, while others use the -test prefix. Update to maintain consistency:

-        aws s3 cp --acl=public-read Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/ide/
+        aws s3 cp --acl=public-read Espressif-IDE-${{ env.VERSION }}-win32.win32.x86_64.zip s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin-test/ide/
🧹 Nitpick comments (7)
.github/workflows/win_exe_sign_test.yml (7)

21-24: Upgrade checkout and Java setup actions
Actionlint flags actions/checkout@v3 and actions/setup-java@v3 as outdated. Bump both to their latest major versions:

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


42-42: Remove verbose debug flags from Maven build
Avoid -X (and consider dropping -e) to reduce log verbosity and prevent leaking sensitive data:

-          mvn -e -X clean install -Djarsigner.keystore=... -DskipTests=true
+          mvn clean install -Djarsigner.keystore=... -DskipTests=true

109-112: Normalize artifact name for macOS aarch64
Inconsistent naming and indentation—use hyphens to match other artifacts:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)


145-146: Upgrade actions/checkout in windows-sign job
Bump to actions/checkout@v4 for compatibility with current runners:

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

145-145: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


171-181: Clean up keystore after conversion
Remove the intermediate JKS file post-conversion to avoid leaving secrets on the runner:

 & "${env:JAVA_HOME}\\bin\\keytool.exe" -importkeystore `
   -srckeystore mykeystore.jks `
   -srcstorepass $env:JKS_PASS `
   ...
+Remove-Item mykeystore.jks
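
Review bot: the added Remove-Item deletes mykeystore.jks, but the PKCS#12 file produced by this conversion holds the same private key and stays on disk for the signing step. Delete cert.pfx as well, in a final step guarded by if: always() that runs after signing and verification, so neither keystore outlives the job when an intermediate step fails.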

227-228: Upgrade checkout in upload-aws job
Bump actions/checkout@v3 to actions/checkout@v4 here as well:

-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
🧰 Tools
🪛 actionlint (1.7.7)

227-227: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[warning] 227-227: wrong indentation: expected 5 but found 4

(indentation)


247-251: Normalize artifact download name for macOS aarch64
Ensure the download step matches the corrected hyphenated artifact:

-        name: espressif-ide-macosx.cocoa.aarch64
+        name: espressif-ide-macosx-cocoa-aarch64
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a7b021 and 4327e23.

📒 Files selected for processing (1)
  • .github/workflows/win_exe_sign_test.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build

removed temporary workflow and moved it into the original file

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (3)
.github/workflows/ci_release.yml (3)

97-110: Fix YAML indentation and naming consistency for macOS artifact upload

  • Line 108 has one extra space in indentation under with: which could break the step.
  • The artifact name uses dots (espressif-ide-macosx.cocoa.aarch64) unlike the x86 step’s dashes; unify to espressif-ide-macosx-cocoa-aarch64.

Suggested diff:

-      - name: Upload Espressif-IDE-macosx.cocoa.aarch64
-        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
-        with:
-           name: espressif-ide-macosx.cocoa.aarch64
-           path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+      - name: Upload Espressif-IDE-macosx-cocoa-aarch64
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-macosx-cocoa-aarch64
+          path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 103-103: trailing spaces

(trailing-spaces)


[warning] 108-108: wrong indentation: expected 10 but found 11

(indentation)


[error] 110-110: trailing spaces

(trailing-spaces)


216-223: Fix indentation in upload-aws job header
The upload-aws job’s runs-on, needs, and env keys are misindented by one space. This can invalidate the YAML. Please align them under the upload-aws: key:

-  upload-aws:
-   runs-on: macos-latest
-   needs: windows-sign
-   env:
+  upload-aws:
+    runs-on: macos-latest
+    needs: windows-sign
+    env:
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 217-217: wrong indentation: expected 4 but found 3

(indentation)


[warning] 220-220: wrong indentation: expected 5 but found 4

(indentation)


278-301: Consider using aws s3 sync to simplify uploads
Instead of multiple aws s3 cp calls, a single sync can reduce boilerplate and prevent omissions:

aws s3 sync artifacts/linux/ s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/latest --acl public-read

Repeat for other directories (macos_x86, macos_arm, win32).

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4327e23 and b17abfe.

📒 Files selected for processing (1)
  • .github/workflows/ci_release.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/ci_release.yml

18-18: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


21-21: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


142-142: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


224-224: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/ci_release.yml

[error] 43-43: trailing spaces

(trailing-spaces)


[error] 53-53: trailing spaces

(trailing-spaces)


[error] 57-57: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 66-66: trailing spaces

(trailing-spaces)


[error] 73-73: trailing spaces

(trailing-spaces)


[error] 82-82: trailing spaces

(trailing-spaces)


[error] 86-86: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 96-96: trailing spaces

(trailing-spaces)


[error] 103-103: trailing spaces

(trailing-spaces)


[warning] 108-108: wrong indentation: expected 10 but found 11

(indentation)


[error] 110-110: trailing spaces

(trailing-spaces)


[error] 117-117: trailing spaces

(trailing-spaces)


[error] 124-124: trailing spaces

(trailing-spaces)


[warning] 217-217: wrong indentation: expected 4 but found 3

(indentation)


[warning] 220-220: wrong indentation: expected 5 but found 4

(indentation)


[warning] 224-224: wrong indentation: expected 5 but found 4

(indentation)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build
  • GitHub Check: build_macos
🔇 Additional comments (11)
.github/workflows/ci_release.yml (11)

8-11: ARCHIVE_PREFIX/SUFFIX environment variables look good
Defining ARCHIVE_PREFIX and ARCHIVE_SUFFIX at the top-level is clear and will make naming consistent across jobs.


13-16: Version extraction and workflow outputs are correct
The get_version step cleanly strips the leading v from the tag and passes it to downstream jobs via outputs. This will ensure all artifacts are consistently versioned.

Also applies to: 26-29


42-71: macOS codesign steps are solid
The two-step signing of both x86_64 and aarch64 binaries (and DMGs) with the correct entitlements and runtime options follows best practices.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 43-43: trailing spaces

(trailing-spaces)


[error] 53-53: trailing spaces

(trailing-spaces)


[error] 57-57: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 66-66: trailing spaces

(trailing-spaces)


72-96: Notarization block is implemented correctly
Keychain creation, profile storage, submission, and staple attachment for both architectures are all present. This ensures distributed .dmg files will be trusted by Gatekeeper.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 73-73: trailing spaces

(trailing-spaces)


[error] 82-82: trailing spaces

(trailing-spaces)


[error] 86-86: trailing spaces

(trailing-spaces)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 92-92: trailing spaces

(trailing-spaces)


[error] 96-96: trailing spaces

(trailing-spaces)


111-131: Upload of update site, Windows, and Linux artifacts is correct
The glob patterns and separate artifact names will make downstream retrieval straightforward.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 117-117: trailing spaces

(trailing-spaces)


[error] 124-124: trailing spaces

(trailing-spaces)


133-142: windows-sign job definition is solid
The needs: macos-build dependency and environment variable setup ensure the job only runs when macOS artifacts are ready.

🧰 Tools
🪛 actionlint (1.7.7)

142-142: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


144-167: Artifact download and keystore decoding are correct
Using actions/download-artifact followed by Expand-Archive and certutil to decode the JKS is a practical PowerShell approach.


168-178: Keytool conversion to PFX is implemented correctly
The use of -importkeystore with proper alias and password variables will produce a valid cert.pfx for signing.


202-214: Deleting unsigned binary and uploading signed ZIP look good
The delete-artifact action and the final upload-artifact step will correctly replace the unsigned artifact with the signed version.


224-267: Download artifacts and version extraction are correct
Reusing actions/download-artifact for each platform and re-parsing the tag into VERSION/FOLDER will maintain consistency across platforms.

🧰 Tools
🪛 actionlint (1.7.7)

224-224: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[warning] 224-224: wrong indentation: expected 5 but found 4

(indentation)


268-278: DMG renaming and archive compression steps look solid
The mv commands and zip -r invocation will produce versioned .dmg and .zip artifacts for upload.

Comment on lines +191 to +200
- name: Verify Signature
run: |
$exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
/pa `
$exe.FullName
- name: Removing original ZIP from extracted folder
run: |
Remove-Item -Force artifacts\*.zip

⚠️ Potential issue

Critical: Missing shell: pwsh on PowerShell steps
Both the Verify Signature and Removing original ZIP steps use PowerShell commands (Get-ChildItem, Remove-Item) but omit shell: pwsh. They will fail under the default Bash shell. Please add shell: pwsh to these steps.

🤖 Prompt for AI Agents
In .github/workflows/ci_release.yml around lines 191 to 200, the steps "Verify
Signature" and "Removing original ZIP from extracted folder" use PowerShell
commands but lack the required "shell: pwsh" declaration. Add "shell: pwsh" to
both steps to ensure they run with the PowerShell shell instead of the default
Bash shell, preventing execution errors.

Comment on lines +30 to +41
- name: Decode keystore and build with Maven
env:
JARSIGNER_KEYSTORE_B64: ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
JARSIGNER_STOREPASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
JARSIGNER_ALIAS: ${{ secrets.JARSIGNER_REL_ALIAS }}
run: |
KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
echo "${KEYSTORE_FILE}"
printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"
mvn -e -X clean install -Djarsigner.keystore="${KEYSTORE_FILE}" -Djarsigner.alias="${JARSIGNER_ALIAS}" -Djarsigner.storepass="${JARSIGNER_STOREPASS}" -DskipTests=true
rm -v "${KEYSTORE_FILE}"

⚠️ Potential issue

Critical: Incorrect placeholder for keystore file path
The line

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"

uses an undefined JARSIGNER_KEYSTORE placeholder. This will write the keystore to a non‐existent path and cause the Maven build to fail.

Please replace with a concrete filename or an environment variable. For example:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/release.keystore.jks"
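
Review bot: the replacement still decodes the release keystore into ${PWD}, the checked-out workspace, where a later artifact upload glob could pick it up. Write it under ${RUNNER_TEMP} instead, and register the removal with a shell trap so the file is deleted when mvn fails too; as quoted, rm -v only runs after a successful build. The echo of the keystore path can go as well.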

and ensure you update the env: block or rename the file accordingly.

🤖 Prompt for AI Agents
In .github/workflows/ci_release.yml around lines 30 to 41, the KEYSTORE_FILE
path uses an incorrect placeholder {{secrets.JARSIGNER_KEYSTORE}} which is
undefined. Replace this with a concrete filename or an environment variable
defined in the env block, such as using a fixed filename like "keystore.jks" or
referencing a new env variable (e.g., JARSIGNER_KEYSTORE_FILENAME) that you add
to the env section. Update the KEYSTORE_FILE assignment accordingly to use this
valid filename for storing the decoded keystore.

Comment on lines +183 to +189
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
/f cert.pfx `
/p $env:PFX_PASS `
/tr http://timestamp.digicert.com `
/td sha256 `
/fd sha256 `
$exe.FullName

⚠️ Potential issue

Critical: Use HTTPS for timestamp server
The /tr flag currently points to an unsecured HTTP endpoint. This can be intercepted and break your signature verification.

Please switch to HTTPS:

-& /tr http://timestamp.digicert.com \
+& /tr https://timestamp.digicert.com \
  /td sha256 \
  /fd sha256 \

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/ci_release.yml around lines 183 to 189, the timestamp
server URL used with the /tr flag is using HTTP, which is insecure. Update the
URL to use HTTPS instead by changing "http://timestamp.digicert.com" to
"https://timestamp.digicert.com" to ensure secure and reliable timestamping of
the signature.

@kolipakakondal
Collaborator

Hi @alirana01, general suggestion: please keep the changes minimal and only include what's necessary for Windows signing. Including refactoring and formatting changes in the same PR increases the overall complexity for review. If needed, you can split them into two commits: one for the actual changes and another for the refactoring/formatting.

@alirana01 alirana01 merged commit 70a0ae5 into master Jun 4, 2025
4 of 5 checks passed
@alirana01 alirana01 deleted the IEP-1475 branch June 4, 2025 12:50