Skip to content

ci: add GitHub Actions build workflow with optional signing and artifacts#2

Open
abwuge wants to merge 5 commits into
jason5545:mainfrom
abwuge:main
Open

ci: add GitHub Actions build workflow with optional signing and artifacts#2
abwuge wants to merge 5 commits into
jason5545:mainfrom
abwuge:main

Conversation

@abwuge

@abwuge abwuge commented Mar 29, 2026

Copy link
Copy Markdown

主要改动

  1. 新增并完善 Build CI 工作流
  2. 支持 push / pull request 自动触发和 workflow_dispatch 手动触发

文档更新

  1. README 增加 CI 使用入口说明
  2. 新增 ci.md,说明:
    • CI 触发方式
    • secrets 配置方法

验证结果

  1. 已在主分支触发并完成 Build App 流程
  2. 最新运行状态为 success
  3. 构建链路包含编译、可选签名与产物上传步骤

Copilot AI review requested due to automatic review settings March 29, 2026 11:17

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a GitHub Actions build pipeline for the macOS app (with optional code signing + artifact upload), and documents how to use/trigger it and configure signing secrets.

Changes:

  • Added a new Build App GitHub Actions workflow with build, optional signing/verification, zip packaging, and artifact upload.
  • Updated documentation: new ci.md and a README entry pointing to CI instructions.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File Description
ci.md New CI documentation covering triggers, steps, and signing secrets setup.
README.md Adds a link and short note directing users to CI build artifacts via ci.md.
.github/workflows/build.yml New build workflow implementing compilation, optional signing, packaging, and artifact upload.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
steps:
- uses: actions/checkout@v6

Copilot AI Mar 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow uses actions/checkout@v6, but the repo’s existing workflow uses actions/checkout@v3 (see .github/workflows/lint.yml:19). To reduce maintenance and avoid unexpected differences between workflows, standardize on a single major version across workflows (either bump both, or keep this aligned with the existing one).

Suggested change
- uses: actions/checkout@v6
- uses: actions/checkout@v3

Copilot uses AI. Check for mistakes.
uses: actions/cache@v5
with:
path: .build/SourcePackages
key: ${{ runner.os }}-spm-${{ hashFiles('**/Package.resolved') }}

Copilot AI Mar 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cache key is based on hashFiles('**/Package.resolved'), but there is no Package.resolved committed in this repo, so the hash will be empty and the cache key will effectively be constant. This can cause cache collisions and stale dependency restores; consider keying off a file that actually changes with dependencies (e.g. the Xcode project’s project.pbxproj or a committed SwiftPM resolved file).

Suggested change
key: ${{ runner.os }}-spm-${{ hashFiles('**/Package.resolved') }}
key: ${{ runner.os }}-spm-${{ hashFiles('Ice.xcodeproj/project.pbxproj') }}

Copilot uses AI. Check for mistakes.
jobs:
build:
if: '!github.event.pull_request.merged'
runs-on: macos-latest

Copilot AI Mar 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

runs-on: macos-latest can introduce sudden CI breakages when GitHub upgrades the default macOS/Xcode image. For more predictable builds, pin to a specific runner label (e.g. macos-14) and update intentionally when needed.

Suggested change
runs-on: macos-latest
runs-on: macos-14

Copilot uses AI. Check for mistakes.
Comment on lines +25 to +29
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
steps:

Copilot AI Mar 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All signing secrets are exported at the job level, which makes them available to every step and increases the chance of accidental exposure in logs (e.g., via debug output or third-party actions). Prefer scoping secrets to only the steps that need them (import/sign), and reference ${{ secrets.* }} directly in those steps instead of job-wide env.

Copilot uses AI. Check for mistakes.
Comment on lines +9 to +14
- "Ice/**"
pull_request:
paths:
- ".github/workflows/build.yml"
- "Ice.xcodeproj/**"
- "Ice/**"

Copilot AI Mar 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The paths filter doesn’t include Resources/**, but the Xcode project references files under the top-level Resources/ directory (e.g. Resources/Acknowledgements.rtf). As a result, changes to those resources won’t trigger a CI build on push/PR; consider adding Resources/** (and any other build-relevant paths) to the trigger filters.

Suggested change
- "Ice/**"
pull_request:
paths:
- ".github/workflows/build.yml"
- "Ice.xcodeproj/**"
- "Ice/**"
- "Ice/**"
- "Resources/**"
pull_request:
paths:
- ".github/workflows/build.yml"
- "Ice.xcodeproj/**"
- "Ice/**"
- "Resources/**"

Copilot uses AI. Check for mistakes.
@abwuge

abwuge commented Mar 29, 2026

Copy link
Copy Markdown
Author

This PR might have limited impact, considering that Thaw is actively maintained as the continuation of Ice. That said, I'd prefer to keep it open for now — feel free to close or merge it as you see fit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants