fix: The specified item could not be found in the keychain #1448
kolipakakondal wants to merge 4 commits into master from
Walkthrough: The GitHub Actions nightly workflow now also runs on pull requests targeting
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant Runner as macOS Runner
    participant Keychain as build.keychain
    participant Codesign as codesign tool
    participant Notarize as notarization service
    participant Upload as Artifact uploader
    rect rgba(135,206,235,0.5)
        GH->>Runner: trigger (cron or PR -> master/release/**)
    end
    rect rgba(144,238,144,0.5)
        Runner->>Keychain: list & select `build.keychain`
        Runner->>Keychain: import Apple Developer ID CA certs (ignore failures)
        Runner->>Runner: set SIGN_ID=QWXF6GB4AV
    end
    rect rgba(255,182,193,0.5)
        Runner->>Codesign: run codesign --keychain build.keychain -s "$SIGN_ID" (x86_64/aarch64 + DMG)
        Codesign-->>Runner: signed artifacts
    end
    rect rgba(255,228,181,0.5)
        Runner->>Notarize: submit signed artifacts
        Notarize-->>Runner: notarization result
        Runner->>Upload: upload notarized artifacts
        Upload-->>GH: publish artifacts
    end
```
Estimated code review effort: 3 (Moderate), ~20 minutes
Actionable comments posted: 1
Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/nightly.yml:
- Around line 9-12: The workflow currently triggers on pull_request and can run destructive publishing and secret-consuming steps; change triggers or gate risky steps so PRs cannot publish or use production secrets. Either remove or restrict the pull_request trigger and run PR validation via workflow_dispatch on a branch, or keep pull_request only for build/codesign smoke-tests and add `if: github.event_name != 'pull_request'` (or equivalent) to each sensitive job/step such as "Authenticate to Azure", "Get Azure Key Vault Access Token", "Sign JAR files with Azure Key Vault", "Codesign Espressif-IDE", "Notarization of Espressif-IDE dmg files", and "Upload build assets to dl.espressif.com"/S3/CloudFront publish steps (the aws s3 rm / upload / CloudFront invalidation steps) so they never run for PR events.
Review info
Run configuration: defaults; review profile: CHILL; plan: Pro; run ID: ecb75a5e-8b4c-4acd-8e0f-702cd3704137
Files selected for processing (1): .github/workflows/nightly.yml
| pull_request: | ||
| branches: | ||
| - master | ||
| - release/** |
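Review bot: the `branches` filter on `pull_request` matches the PR's base branch, so this hunk enables the whole nightly run for any PR into master or release/**, including PRs from forks where `secrets.*` resolve to empty, while none of the later steps (Azure login, codesign, notarization, `aws s3 rm` on the live nightly prefix) carries an event gate. The result is either a publish from an unreviewed branch (same-repo PR) or a run that does work and then fails partway (fork PR). Suggest one job-level `if: github.event_name != 'pull_request'` on a separate publish job rather than a per-step condition, so a step added later cannot run for a PR by omission, and do not swap the trigger for `pull_request_target`, which would make the secrets available to a run started by the PR while its changes are still under review.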
Critical: pull_request trigger will overwrite production nightly artifacts and expose signing secrets on every PR.
This workflow is not a build-only pipeline — downstream steps perform destructive, production-impacting actions that must not run for PRs:
- Line 235: `aws s3 rm s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly --recursive` wipes the live nightly update site.
- Lines 236–238: publicly re-upload the PR's build output to the live nightly location and invalidate CloudFront.
- The workflow also consumes Azure Key Vault signing, Apple codesign certs, and notarization credentials. For same-repo PRs these secrets are passed to code under review (supply-chain risk); for fork PRs the secrets are unavailable and the run will fail partway through after already having performed work.
Net effect: every PR, merged or not, against master/release/** will replace the published nightly build with artifacts from an unmerged branch, and potentially sign/notarize unreviewed code with production credentials.
If the intent is only to validate that the build/codesign/keychain change works in CI before merge, please either (a) revert this trigger and test via workflow_dispatch on a branch, or (b) split the workflow so only the build + codesign verification steps run on pull_request, while az login, notarization, and all S3/CloudFront publishing steps remain gated to schedule (or push to master).
Suggested minimal guard (Option B sketch)
At minimum, gate the publish/notarize steps so they never run for PRs. For example, add `if: github.event_name != 'pull_request'` to each of:
- Authenticate to Azure
- Get Azure Key Vault Access Token
- Sign JAR files with Azure Key Vault
- Notarization of Espressif-IDE dmg files
- Upload build assets to dl.espressif.com
…and consider whether Codesign Espressif-IDE itself should also be skipped on PR events, given the macOS cert secret exposure.
Alternatively, keep the PR trigger only on a dedicated validation workflow that performs mvn clean install and the keychain/codesign smoke test without secrets that touch production.
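A workflow layout that applies the gating the review comment above asks for (option B), written here as an added example and not the project's own nightly.yml: the trigger block and step names are the ones quoted on this page; the cron expression, the keychain smoke-test commands, the placeholder `run:` bodies and the `build`/`publish` job split are assumptions.

```yaml
# Added example, not the project's workflow. Trigger block as in the PR diff;
# production-impacting work moved to a job that never runs for pull_request.
on:
  schedule:
    - cron: '0 2 * * *'          # assumed nightly schedule
  workflow_dispatch:
  pull_request:
    branches:
      - master
      - release/**

jobs:
  build:
    # Runs for every event, PRs included: build plus keychain smoke test only,
    # so no production secret is needed here.
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: mvn clean install
      - name: Keychain smoke test
        # Checks that build.keychain is created and found in the search list
        # without importing the real Developer ID certificate.
        run: |
          security create-keychain -p "" build.keychain
          security list-keychains -d user -s build.keychain
          security list-keychains | grep -q build.keychain

  publish:
    needs: build
    # One job-level gate instead of one `if:` per step, so a step added later
    # cannot run for a PR by omission. Fork PRs have no secrets anyway; the gate
    # also stops them from failing partway through after doing work.
    if: github.event_name != 'pull_request'
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - name: Authenticate to Azure
        run: echo "placeholder for az login"
      - name: Sign JAR files with Azure Key Vault
        run: echo "placeholder for the Key Vault signing step"
      - name: Codesign Espressif-IDE
        # Needs the Developer ID certificate secret, so it is gated as well.
        run: echo "placeholder for codesign --keychain build.keychain -s \"$SIGN_ID\""
      - name: Notarization of Espressif-IDE dmg files
        run: echo "placeholder for the notarization submit step"
      - name: Upload build assets to dl.espressif.com
        run: |
          aws s3 rm "s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly" --recursive
          echo "placeholder for the S3 upload and CloudFront invalidation"
```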
We have tested and updated the new certificates. Hence closing this issue.
Description
Please include a summary of the change and which issue is fixed.
Fixes # (IEP-XXX)
Type of change
Please delete options that are not relevant.
How has this been tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Test Configuration:
Dependent components impacted by this PR:
Checklist