Add PR level app archive#628
Conversation
|
The PR Policy check is blocking this PR because required template information is missing. Please update the PR description with:
Screenshots or video are required for UI, UX, settings, onboarding, overlay, menu bar, or visual behavior changes. If this PR has no visual changes, check the no-visual-change box in the template. If this remains incomplete for 48 hours after opening, the PR may be closed. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 740ec8087a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: Checkout PR merge commit | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.merge_commit_sha }} |
There was a problem hiding this comment.
Handle the blocked fork PR merge checkout
For fork-based PRs, this ref resolves to the PR merge commit SHA inside a pull_request_target workflow. The current actions/checkout docs say checkout of fork PR code in this context requires allow-unsafe-pr-checkout, and GitHub’s July 2026 backport applies to floating major tags like actions/checkout@v4; starting July 20, 2026, approved outside-contributor archive runs will fail at checkout before producing the artifact. Either move this build to an unprivileged pull_request workflow or explicitly opt in after the environment approval gate.
Useful? React with 👍 / 👎.
Greptile SummaryThis PR adds a fully automated PR-level build and download workflow for FluidVoice. When a non-draft PR is pushed,
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2871d7ad54
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| RUN_ID: ${{ github.event.workflow_run.id }} | ||
| EVENT_PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }} |
There was a problem hiding this comment.
Derive the PR number for forked workflow runs
When the completed PR Archive run came from a forked pull request, GitHub's workflow_run.pull_requests payload can be empty, so this expression sets EVENT_PR_NUMBER to an empty value. The very next validation then exits before listing the uploaded artifact, which means the archive can be built successfully for the external-contributor PRs this feature calls out, but no download comment is posted. Recover the PR number from the artifact name/head SHA or another API lookup instead of relying only on pull_requests[0].
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f9224ecd83
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| 3. Open Terminal and remove the download quarantine marker: | ||
|
|
||
| xattr -dr com.apple.quarantine "/Applications/$APP_NAME.app" |
There was a problem hiding this comment.
Add an untrusted-code warning before quarantine bypass
For external-contributor PRs, this trusted bot comment is posted for an app archive built from the PR's untrusted code, but the install steps tell reviewers to strip Gatekeeper quarantine with xattr -dr before any warning inside the artifact README is visible. Since the archive is ad-hoc signed and the app target is not sandboxed, following this instruction on a malicious PR gives that PR code normal user-level execution; gate the bypass step to trusted authors or put a clear untrusted-code warning before it.
Useful? React with 👍 / 👎.
| jobs: | ||
| comment: | ||
| name: Add PR archive download link | ||
| if: github.event.workflow_run.conclusion == 'success' |
There was a problem hiding this comment.
Clear stale archive comments when builds stop succeeding
Because the archive workflow cancels in-progress runs on new commits and this job only runs after successful conclusions, a PR that already has a build-ready comment keeps linking the older artifact whenever the next archive is cancelled or fails. The later current-head check prevents posting superseded artifacts, but these non-success paths never update or remove the existing marker, so testers can download an app for a previous PR head; let this workflow handle completed failures/cancellations or mark the existing comment stale on synchronize.
Useful? React with 👍 / 👎.
Description
Add PR level app archive, this allows to simply download the unsigned zip and do a local test
Type of Change
Related Issue or Discussion
Closes #599
Testing
swiftlint --strict --config .swiftlint.yml SourcesScreenshots / Video
Attach screenshots or a video for UI, UX, settings, onboarding, overlay, menu bar, or visual behavior changes.
Notes
Add reviewer context, rollout notes, or known tradeoffs here.