Skip to content

Add PR level app archive#628

Open
grohith327 wants to merge 6 commits into
mainfrom
rohith/add-pr-archive-workflow
Open

Add PR level app archive#628
grohith327 wants to merge 6 commits into
mainfrom
rohith/add-pr-archive-workflow

Conversation

@grohith327

@grohith327 grohith327 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Description

Add PR level app archive, this allows to simply download the unsigned zip and do a local test

Type of Change

  • 🐞 Bug fix
  • ✨ New feature
  • 💥 Breaking change
  • 🧹 Chore
  • 📝 Documentation update

Related Issue or Discussion

Closes #599

Testing

  • Tested on Intel Mac
  • Tested on Apple Silicon Mac
  • Tested on macOS version: 27
  • Ran linter locally: swiftlint --strict --config .swiftlint.yml Sources
  • Ran tests locally

Screenshots / Video

Attach screenshots or a video for UI, UX, settings, onboarding, overlay, menu bar, or visual behavior changes.

  • No UI/visual changes; screenshots/video are not applicable.

Notes

Add reviewer context, rollout notes, or known tradeoffs here.

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

The PR Policy check is blocking this PR because required template information is missing.

Please update the PR description with:

  • Related Issue or Discussion

Screenshots or video are required for UI, UX, settings, onboarding, overlay, menu bar, or visual behavior changes. If this PR has no visual changes, check the no-visual-change box in the template.

If this remains incomplete for 48 hours after opening, the PR may be closed.

@github-actions github-actions Bot added the needs PR template Pull request is missing required template content. label Jul 16, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 740ec8087a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/pr-archive.yml Outdated
- name: Checkout PR merge commit
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.merge_commit_sha }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Handle the blocked fork PR merge checkout

For fork-based PRs, this ref resolves to the PR merge commit SHA inside a pull_request_target workflow. The current actions/checkout docs say checkout of fork PR code in this context requires allow-unsafe-pr-checkout, and GitHub’s July 2026 backport applies to floating major tags like actions/checkout@v4; starting July 20, 2026, approved outside-contributor archive runs will fail at checkout before producing the artifact. Either move this build to an unprivileged pull_request workflow or explicitly opt in after the environment approval gate.

Useful? React with 👍 / 👎.

@greptile-apps

greptile-apps Bot commented Jul 16, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds a fully automated PR-level build and download workflow for FluidVoice. When a non-draft PR is pushed, pr-archive.yml builds an ad-hoc-signed .xcarchive and app ZIP; pr-archive-comment.yml then posts (or updates) a download link comment on the PR. The Fluid.xcodeproj change embeds MediaRemoteAdapter in the app bundle, which is necessary for the archive to be runnable.

  • pr-archive.yml uses pull_request (not pull_request_target), so it is fully secretless; all three third-party actions are pinned to immutable commit SHAs; the checkout pins head.sha and performs a manual merge to avoid the merge_commit_sha-null edge case; post-build validation covers deep codesign verification, entitlement presence, and rpath dependency completeness.
  • pr-archive-comment.yml uses the safe workflow_run pattern, passes all untrusted context values through environment variables, and validates artifact IDs and names with strict regexes before posting.
  • project.pbxproj adds a PBXCopyFilesBuildPhase to embed MediaRemoteAdapter.framework, enabling the Contents/Frameworks/ layout the packaging step expects.

Confidence Score: 5/5

Safe to merge — the workflow is secretless, uses immutable action pins, and the three security concerns from the previous review round are all fully addressed.

The build workflow uses pull_request with contents: read only, so no secrets are reachable even if a PR author crafts malicious Xcode build phases. All actions are pinned to full 40-character commit SHAs. The manual merge-and-validate approach is sound. The comment workflow is a clean workflow_run-based design that never downloads or executes PR artifacts, and all attacker-influenced values are validated before use. The xcodeproj change is a straightforward framework embed needed for the archive to function.

No files require special attention.

Reviews (6): Last reviewed commit: "Update comment instruction" | Re-trigger Greptile

Comment thread .github/workflows/pr-archive.yml Outdated
Comment thread .github/workflows/pr-archive.yml Outdated
Comment thread .github/workflows/pr-archive.yml
@github-actions github-actions Bot removed the needs PR template Pull request is missing required template content. label Jul 16, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2871d7ad54

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RUN_ID: ${{ github.event.workflow_run.id }}
EVENT_PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Derive the PR number for forked workflow runs

When the completed PR Archive run came from a forked pull request, GitHub's workflow_run.pull_requests payload can be empty, so this expression sets EVENT_PR_NUMBER to an empty value. The very next validation then exits before listing the uploaded artifact, which means the archive can be built successfully for the external-contributor PRs this feature calls out, but no download comment is posted. Recover the PR number from the artifact name/head SHA or another API lookup instead of relying only on pull_requests[0].

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f9224ecd83

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +83 to +85
3. Open Terminal and remove the download quarantine marker:

xattr -dr com.apple.quarantine "/Applications/$APP_NAME.app"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Add an untrusted-code warning before quarantine bypass

For external-contributor PRs, this trusted bot comment is posted for an app archive built from the PR's untrusted code, but the install steps tell reviewers to strip Gatekeeper quarantine with xattr -dr before any warning inside the artifact README is visible. Since the archive is ad-hoc signed and the app target is not sandboxed, following this instruction on a malicious PR gives that PR code normal user-level execution; gate the bypass step to trusted authors or put a clear untrusted-code warning before it.

Useful? React with 👍 / 👎.

jobs:
comment:
name: Add PR archive download link
if: github.event.workflow_run.conclusion == 'success'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Clear stale archive comments when builds stop succeeding

Because the archive workflow cancels in-progress runs on new commits and this job only runs after successful conclusions, a PR that already has a build-ready comment keeps linking the older artifact whenever the next archive is cancelled or fails. The later current-head check prevents posting superseded artifacts, but these non-success paths never update or remove the existing marker, so testers can download an app for a previous PR head; let this workflow handle completed failures/cancellations or mark the existing comment stale on synchronize.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Crash at launch outside Xcode: dyld "Library not loaded: @rpath/MediaRemoteAdapter.framework" — dynamic SPM framework not embedded in app bundle

1 participant