@wizzomafizzo
Member

Summary

  • Upload the signing bundle directory directly instead of pre-zipping
  • GitHub Actions zips it automatically, giving SignPath the correct structure
  • Removes unnecessary extraction step since SignPath outputs files directly

@sentry
sentry bot commented Jan 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Comment on lines 346 to 351
github-artifact-id: "${{ steps.upload-bundle.outputs.artifact-id }}"
wait-for-completion: true
output-artifact-directory: "_signed"
- name: Extract signed binaries
run: |
cd _signed && unzip -o windows-bundle.zip
- name: Repackage and upload releases
if: ${{ !inputs.test_build }}
env:
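
Review bot: between `output-artifact-directory: "_signed"` and the `Repackage and upload releases` step, nothing confirms that the signed files are where the later steps expect them. The only step in between is `cd _signed && unzip -o windows-bundle.zip`, which assumes an archive with that exact name and overwrites existing files without prompting. Suggest a short step that checks the expected files exist under `_signed` and fails the job if they do not, so a change in the artifact structure is caught before repackaging.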

Bug: The `upload-artifact` path is configured to include the `_signing_bundle` directory in the archive, which will cause downstream `cp` commands to fail due to an incorrect file path.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

The `upload-artifact` action with `path: _signing_bundle/` archives the directory itself, not just its contents as the previous `zip` command did. When the artifact is downloaded and unzipped, the file paths will be nested inside an extra `_signing_bundle` directory (e.g., `_signed/_signing_bundle/amd64/Zaparoo.exe`). This will cause the subsequent `cp` command, which expects the files at `_signed/amd64/Zaparoo.exe`, to fail with a "No such file or directory" error. This will break the release workflow and prevent signed binaries from being correctly packaged.

💡 Suggested Fix

Modify the `upload-artifact` step to upload only the contents of the `_signing_bundle` directory. Change the path from `_signing_bundle/` to `_signing_bundle/**` to prevent the directory itself from being included in the archive's root.

Location: .github/workflows/build.yml#L346-L351
Reference ID: 507998
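
The failure mode raised in the review comment above (signed files ending up one directory deeper than the packaging step expects) can be caught with a layout check run before repackaging. The following is an added example, not part of this pull request or the project's workflow; the function names and the constructed sample trees are assumptions, and the paths are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example: verify the signed-artifact layout before repackaging.
# Function names are hypothetical; paths follow the review comment.

# Print the extra leading directory under which $2 was found below $1.
# Prints an empty line if the file is at the expected place, nothing if absent.
nested_prefix() {
    root=$1 rel=$2
    hit=$(find "$root" -type f -path "*/$rel" 2>/dev/null | head -n 1)
    [ -n "$hit" ] || return 0
    hit=${hit#"$root"/}          # path relative to the root
    prefix=${hit%"$rel"}         # whatever precedes the expected path
    printf '%s\n' "${prefix%/}"
}

# Return 0 only if every expected file sits directly at $root/<rel>.
# For each failure, report whether the file is misplaced or missing.
check_signed_layout() {
    root=$1; shift
    status=0
    for rel in "$@"; do
        if [ -f "$root/$rel" ]; then
            continue
        fi
        status=1
        where=$(nested_prefix "$root" "$rel")   # runs in a subshell
        if [ -n "$where" ]; then
            echo "MISPLACED $rel (found under $where/)" >&2
        else
            echo "MISSING   $rel" >&2
        fi
    done
    return $status
}

# Constructed sample trees: one flat, one with the extra directory level.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/flat/amd64" "$demo/nested/_signing_bundle/amd64"
: > "$demo/flat/amd64/Zaparoo.exe"
: > "$demo/nested/_signing_bundle/amd64/Zaparoo.exe"

check_signed_layout "$demo/flat" amd64/Zaparoo.exe && echo "flat: ok"
check_signed_layout "$demo/nested" amd64/Zaparoo.exe || echo "nested: rejected"
```

In a workflow step, calling `check_signed_layout _signed amd64/Zaparoo.exe` before the copy makes the job stop with a message naming the unexpected directory instead of a bare "No such file or directory".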

@wizzomafizzo wizzomafizzo merged commit 17d8c9e into main Jan 1, 2026
11 checks passed
@wizzomafizzo wizzomafizzo deleted the fix/signpath-bundle-structure branch January 1, 2026 05:48