91 changes: 84 additions & 7 deletions .github/workflows/deploy.yml
Expand Up @@ -23,11 +23,13 @@ env:
ASSIMP_DIR_VERSION: '6.0'
OGRE_VERSION: '14.5.2'
# Bump to bust the macOS assimp/ogre caches. The cached OGRE/Assimp SDKs bake
# absolute Xcode SDK paths (e.g. .../usr/lib/libz.tbd) into their CMake export;
# when the macos-latest runner image bumps Xcode, a stale cache hit makes
# build-macos fail with "No rule to make target '<old-SDK>/libz.tbd'". Bump
# this whenever the runner's Xcode/SDK changes.
MACOS_CACHE_VERSION: 'xcode26b'
# an absolute Xcode SDK path (e.g. .../usr/lib/libz.tbd) into their CMake
# export. The Pin-Xcode step also pins SDKROOT so CMake's ZLIB resolves under
# the selected Xcode (xcode-select alone didn't stop find_package(ZLIB) from
# picking xcrun's default 26.5 SDK). Bump this whenever the pinned Xcode/SDK
# changes so the SDK is rebuilt against it and stale libz.tbd paths are
# discarded. (sdkpin1 = first build under the SDKROOT-pinned environment.)
MACOS_CACHE_VERSION: 'sdkpin1'

jobs:
# send-slack-notification:
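Review bot: the rewritten MACOS_CACHE_VERSION comment still instructs maintainers to bump the value "whenever the pinned Xcode/SDK changes", but this same patch folds XCODE_TAG into the ogre cache key, so an Xcode change already yields a fresh ogre key without a manual bump. Say here that MACOS_CACHE_VERSION is now the manual override for SDK-content changes and the only knob for the assimp cache (which the later NOTE keeps un-keyed by Xcode); otherwise the next person bumps it needlessly and discards a still-valid cache. The parenthetical "(sdkpin1 = first build under the SDKROOT-pinned environment.)" will be stale the moment the value changes again; prefer a generic sentence such as "bump freely; the value only needs to differ from the previous one".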
Expand Down Expand Up @@ -1580,6 +1582,22 @@ jobs:
echo "Selected Xcode: $DEV"
sudo xcode-select -s "$DEV"
echo "DEVELOPER_DIR=$DEV" >> "$GITHUB_ENV"
# Pin SDKROOT too. xcode-select / DEVELOPER_DIR alone don't stop
# CMake's find_package(ZLIB) from resolving to whatever SDK `xcrun`
# defaults to (on these images that was Xcode 26.5 even with 26.3
# selected), so OGRE's CMake export baked a 26.5 libz.tbd path that
# then failed to link under 26.3. Exporting SDKROOT makes clang AND
# CMake resolve system libs under the SAME pinned SDK everywhere.
SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=$SDKROOT_PATH" >> "$GITHUB_ENV"
echo "Pinned SDKROOT: $SDKROOT_PATH"
# The per-job runner images can carry DIFFERENT newest Xcodes
# (e.g. producer image has 26.5, consumer image only 26.3). Fold the
# resolved Xcode app into the cache key so each job only restores a
# cache built under its OWN Xcode; build-macos rebuilds OGRE on a
# miss (steps below) so a mismatch self-heals instead of failing
# with "No rule to make target '.../Xcode_XX/...libz.tbd'".
echo "XCODE_TAG=$(basename "$(dirname "$(dirname "$DEV")")")" >> "$GITHUB_ENV"

- name: change folder permissions
run: |
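Review bot: `SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"` relies on the very `xcrun` that the comment three lines up says ignored xcode-select and defaulted to the 26.5 SDK, so on an image with two Xcodes this can pin SDKROOT to the wrong one. `DEVELOPER_DIR` is only appended to `$GITHUB_ENV` in this step, so it is not yet in this shell's environment; run `DEVELOPER_DIR="$DEV" xcrun --sdk macosx --show-sdk-path` and, ideally, assert the result starts with `"$DEV"`. Separately, `[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=..." >> "$GITHUB_ENV"` cannot fail the step: under `bash -e` a false `[` on the left of `&&` does not abort, so an empty path leaves SDKROOT unpinned and the job continues with the old failure mode, printing "Pinned SDKROOT: ". Replace the guard with `[ -n "$SDKROOT_PATH" ] || { echo "::error::could not resolve the macOS SDK under $DEV"; exit 1; }`.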
Expand All @@ -1603,6 +1621,9 @@ jobs:
/usr/local/lib/libzlibstatic.a
#key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('/home/runner/work/QtMeshEditor/QtMeshEditor/assimp') }}
# Need to delete manually if needed to rebuild. Until I find a better solution for detecting changes in the assimp repo.
# NOTE: assimp is NOT Xcode-keyed (unlike ogre): it's a plain static lib
# that doesn't bake absolute SDK paths, so one assimp cache works across
# Xcode versions and stays shared so the ogre-rebuild-on-miss can use it.
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}-
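Review bot: the restore-key `...-${{ env.MACOS_CACHE_VERSION }}-` is the primary key with a trailing dash, and since the assimp key carries no suffix this prefix matches nothing the exact key would not; either drop restore-keys here or use a genuinely shorter prefix such as `${{ runner.os }}-build-${{ env.cache-name }}-` if restoring a previous MACOS_CACHE_VERSION is acceptable for assimp. The new NOTE's claim that assimp bakes no absolute SDK paths is the whole basis for sharing one assimp cache across Xcodes; the cached file list containing `/usr/local/lib/libzlibstatic.a` suggests assimp builds zlib from its own tree rather than linking the SDK's libz.tbd, which is consistent, but add a one-line check after the assimp install (grep the installed assimp CMake config under `/usr/local/lib/cmake/assimp-*/` for `.sdk/`) so a future assimp or CMake change that starts recording an SDK path fails loudly instead of reintroducing the stale-libz.tbd link error.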
Expand Down Expand Up @@ -1633,6 +1654,22 @@ jobs:
echo "Selected Xcode: $DEV"
sudo xcode-select -s "$DEV"
echo "DEVELOPER_DIR=$DEV" >> "$GITHUB_ENV"
# Pin SDKROOT too. xcode-select / DEVELOPER_DIR alone don't stop
# CMake's find_package(ZLIB) from resolving to whatever SDK `xcrun`
# defaults to (on these images that was Xcode 26.5 even with 26.3
# selected), so OGRE's CMake export baked a 26.5 libz.tbd path that
# then failed to link under 26.3. Exporting SDKROOT makes clang AND
# CMake resolve system libs under the SAME pinned SDK everywhere.
SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=$SDKROOT_PATH" >> "$GITHUB_ENV"
echo "Pinned SDKROOT: $SDKROOT_PATH"
# The per-job runner images can carry DIFFERENT newest Xcodes
# (e.g. producer image has 26.5, consumer image only 26.3). Fold the
# resolved Xcode app into the cache key so each job only restores a
# cache built under its OWN Xcode; build-macos rebuilds OGRE on a
# miss (steps below) so a mismatch self-heals instead of failing
# with "No rule to make target '.../Xcode_XX/...libz.tbd'".
echo "XCODE_TAG=$(basename "$(dirname "$(dirname "$DEV")")")" >> "$GITHUB_ENV"

- name: change folder permissions
run: |
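Review bot: this 16-line Pin-SDKROOT/XCODE_TAG block is byte-for-byte the block added to the other macOS jobs in this patch, so every future SDK quirk has to be fixed in several places. Move it into a composite action under `.github/actions/` (or a reusable workflow) that each macOS job calls, and keep the long explanatory comment in that one place. Whether or not it is deduplicated, the same two defects are present in this copy: `xcrun` is invoked without `DEVELOPER_DIR="$DEV"` in its environment even though the comment says plain `xcrun` picked the wrong SDK, and the `[ -n "$SDKROOT_PATH" ] && ...` guard cannot fail the step under `bash -e`, so an empty path is silently tolerated.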
Expand Down Expand Up @@ -1665,7 +1702,7 @@ jobs:
cache-name: cache-ogre-macos
with:
path: ${{github.workspace}}/ogre/SDK
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}-${{ env.XCODE_TAG }}

- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Check out ogre repo
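Review bot: appending `-${{ env.XCODE_TAG }}` to the ogre key is the right fix, but XCODE_TAG arrives via GITHUB_ENV from the Pin-Xcode step; if that step is skipped or the nested `basename`/`dirname` expression yields an empty string, the key silently ends in a trailing dash and every run of this job shares one undifferentiated cache, which is exactly the cross-Xcode mismatch the change is meant to prevent. Guard it where the variable is set (`[ -n "$XCODE_TAG" ] || exit 1`) and document that the tag is the Xcode .app bundle name (the `Xcode_XX` of the comment's own error string), which is adequate only while the runner images keep that naming. Omitting restore-keys on this step is correct: a prefix fallback would restore an SDK built under a different Xcode.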
Expand Down Expand Up @@ -1698,6 +1735,22 @@ jobs:
echo "Selected Xcode: $DEV"
sudo xcode-select -s "$DEV"
echo "DEVELOPER_DIR=$DEV" >> "$GITHUB_ENV"
# Pin SDKROOT too. xcode-select / DEVELOPER_DIR alone don't stop
# CMake's find_package(ZLIB) from resolving to whatever SDK `xcrun`
# defaults to (on these images that was Xcode 26.5 even with 26.3
# selected), so OGRE's CMake export baked a 26.5 libz.tbd path that
# then failed to link under 26.3. Exporting SDKROOT makes clang AND
# CMake resolve system libs under the SAME pinned SDK everywhere.
SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=$SDKROOT_PATH" >> "$GITHUB_ENV"
echo "Pinned SDKROOT: $SDKROOT_PATH"
# The per-job runner images can carry DIFFERENT newest Xcodes
# (e.g. producer image has 26.5, consumer image only 26.3). Fold the
# resolved Xcode app into the cache key so each job only restores a
# cache built under its OWN Xcode; build-macos rebuilds OGRE on a
# miss (steps below) so a mismatch self-heals instead of failing
# with "No rule to make target '.../Xcode_XX/...libz.tbd'".
echo "XCODE_TAG=$(basename "$(dirname "$(dirname "$DEV")")")" >> "$GITHUB_ENV"

- name: change folder permissions
run: |
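Review bot: third verbatim copy of the Pin-SDKROOT/XCODE_TAG block in this patch; it should live in one composite action or reusable workflow invoked from each macOS job. As written, `[ -n "$SDKROOT_PATH" ] && echo ... >> "$GITHUB_ENV"` tolerates an empty path without failing the step, and `xcrun --sdk macosx --show-sdk-path` is run before `DEVELOPER_DIR` is in this shell's environment (it has only been appended to `$GITHUB_ENV`), so the pinned SDKROOT can still be the default-Xcode SDK the comment is trying to avoid; prefix the call with `DEVELOPER_DIR="$DEV"` and turn the guard into a hard failure.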
Expand Down Expand Up @@ -1761,7 +1814,31 @@ jobs:
cache-name: cache-ogre-macos
with:
path: ${{github.workspace}}/ogre/SDK
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}-${{ env.XCODE_TAG }}

# If this runner image's Xcode differs from the one the producer cached
# under, the key above misses. Rebuild OGRE here under THIS job's Xcode so
# the SDK's baked libz.tbd path matches what we link against (self-heals the
# cross-image Xcode mismatch instead of failing on a stale libz.tbd path).
- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Check out ogre repo (cache miss)
uses: actions/checkout@master
with:
repository: OGRECave/ogre
ref: v${{ env.OGRE_VERSION }}
path: ${{github.workspace}}/ogre
Comment on lines +1823 to +1829
🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "deploy.yml" -o -name "*.yml" | head -20

Repository: fernandotonon/QtMeshEditor

Length of output: 164


🏁 Script executed:

fd -t f "deploy.yml" 2>/dev/null

Repository: fernandotonon/QtMeshEditor

Length of output: 164


🏁 Script executed:

git ls-files | grep -E "(workflow|deploy)" | head -20

Repository: fernandotonon/QtMeshEditor

Length of output: 263


🏁 Script executed:

sed -n '1800,1820p' .github/workflows/deploy.yml

Repository: fernandotonon/QtMeshEditor

Length of output: 1393


🌐 Web query:

GitHub Actions checkout action best practices security pinning commit SHA

💡 Result:

Pinning GitHub Actions—including the checkout action—to a full-length commit SHA is a critical security best practice to prevent supply chain attacks [1][2][3].

Why Pinning is Necessary

GitHub Action tags (e.g., @v4) are mutable references, meaning a repository maintainer or an attacker who compromises an action's repository can reassign the tag to a malicious commit [2][4][5]. By pinning to a specific, immutable full-length commit SHA (a 40-character hash), you ensure that your workflow executes only the exact code you have vetted [6][5][7].

Best Practices for SHA Pinning

1. Use Full-Length SHAs: Always use the full 40-character SHA. Short SHAs are vulnerable to collisions and are not recommended [6].
2. Include Human-Readable Comments: Because SHAs are not human-readable, append the original version tag as a comment [6][8]. This maintains context for updates and is required by many automation tools to function correctly [9][8]. Example: `- uses: actions/checkout@b4ffde6 # v4.1.1`
3. Automate Updates: Use tools like Dependabot or Renovate to keep your pinned SHAs up to date [1][2][10]. These tools can automatically open pull requests when new releases are available, mitigating the maintenance burden of manual pinning [1][9].
4. Enforce via Policy: Organizations can mandate SHA pinning through GitHub's built-in policy features, which prevent workflows from running if they use unpinned actions [11][5][7].
5. Audit Your Workflows: Use security auditing tools such as OSSF Scorecard, zizmor, or other dedicated pinning tools (e.g., pinact, ratchet, frizbee) to detect and remediate unpinned actions in your repositories [3][10][8].

While GitHub-owned actions (actions/*) are generally considered lower risk due to internal supply chain controls, current security guidance emphasizes a uniform "pin-everything" approach for all third-party dependencies to maximize protection [9][7][3].

🌐 Web query:

GitHub Actions checkout persist-credentials security third-party repositories

💡 Result:

The persist-credentials input in the GitHub Actions actions/checkout action controls whether the repository's authentication token (typically GITHUB_TOKEN) is configured in the local Git configuration of the runner [1][2]. By default, this is set to true, which allows subsequent steps in the same job to execute authenticated Git commands (e.g., git push or git fetch) without needing to manually re-authenticate [1][2][3].

Security Implications:

1. Credential Exposure: When set to true, any subsequent step in the workflow job—including those running third-party actions or scripts—can access the persisted credentials [4][5]. If an attacker compromises a third-party dependency used in the workflow, they could potentially steal this token [6][3].
2. Artifact Leakage: A known attack vector involves the inadvertent inclusion of the .git directory or files containing these credentials in build artifacts [6]. If these artifacts are uploaded and made public (e.g., in a public repository), the credentials can be extracted, potentially leading to supply chain compromises [6][7].
3. Principle of Least Privilege: Because many workflows only require read access to check out code and do not need to perform Git operations (like pushing commits), leaving this enabled violates the principle of least privilege [3].

Recommendations:

- Default to False: It is a widely recommended security best practice to set persist-credentials: false by default in all workflows [8][3][5].
- Explicitly Enable When Needed: Only set persist-credentials: true in specific jobs that genuinely require authenticated Git operations [3].
- Token Permissions: Regardless of this setting, always ensure that your GITHUB_TOKEN has the minimum permissions necessary for the job's requirements [4][9].
- Modern Guardrails: While recent versions of actions/checkout have improved security by storing credentials in a separate file under $RUNNER_TEMP rather than directly in .git/config, setting persist-credentials: false remains the standard recommendation to minimize the attack surface [1][2][10].

Pin the checkout action and disable persisted credentials in the OGRE cache-miss step.

Line 1808 uses actions/checkout@master, an unpinned reference that is mutable and vulnerable to supply chain attacks. Additionally, credentials are persisted by default, unnecessarily exposing the GitHub token to any subsequent step or third-party action. Pin the action to a full-length commit SHA and set persist-credentials: false.

Suggested patch
-    - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
-      name: Check out ogre repo (cache miss)
-      uses: actions/checkout@master
-      with:
-          repository: OGRECave/ogre
-          ref: v${{ env.OGRE_VERSION }}
-          path: ${{github.workspace}}/ogre
+    - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
+      name: Check out ogre repo (cache miss)
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      with:
+          persist-credentials: false
+          repository: OGRECave/ogre
+          ref: v${{ env.OGRE_VERSION }}
+          path: ${{github.workspace}}/ogre
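Review bot: the trailing comment on the pinned line reads `# v4`, while the query result quoted earlier in this comment maps b4ffde6 to v4.1.1; write the exact tag (`# v4.1.1`) so Dependabot/Renovate can track the pin and a reviewer can diff the SHA against that tag before merging, since a suggested SHA must be verified against the actions/checkout repository rather than accepted as given. `persist-credentials: false` is safe for this step because nothing in the job pushes to the OGRECave/ogre checkout. The same two changes apply to the workflow's other checkout steps, which this suggestion does not touch.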
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 1806-1812: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 1808-1808: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 1806 - 1812, In the "Check out
ogre repo (cache miss)" step, replace the unpinned `actions/checkout@master`
reference with a pinned commit SHA (e.g., `actions/checkout@<full-commit-sha>`),
and add `persist-credentials: false` to the `with` block to prevent unnecessary
token exposure. This applies the same security practices to the OGRE cache-miss
checkout that should be used across all checkout actions in the workflow.

Source: Linters/SAST tools


- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Build Ogre3D repo (cache miss)
run: |
cd ${{github.workspace}}/ogre/
sudo cmake -S . -DOGRE_BUILD_PLUGIN_ASSIMP=ON -Dassimp_DIR=/usr/local/lib/cmake/assimp-${{ env.ASSIMP_DIR_VERSION }}/ \
-DOGRE_BUILD_PLUGIN_DOT_SCENE=ON -DOGRE_BUILD_RENDERSYSTEM_GL=ON -DOGRE_BUILD_RENDERSYSTEM_GL3PLUS=ON \
-DOGRE_BUILD_RENDERSYSTEM_GLES2=OFF -DOGRE_BUILD_TESTS=OFF -DOGRE_BUILD_TOOLS=OFF -DOGRE_BUILD_SAMPLES=OFF \
-DOGRE_BUILD_COMPONENT_CSHARP=OFF -DOGRE_BUILD_COMPONENT_JAVA=OFF -DOGRE_BUILD_COMPONENT_PYTHON=OFF \
-DOGRE_INSTALL_TOOLS=OFF -DOGRE_INSTALL_DOCS=OFF -DOGRE_INSTALL_SAMPLES=OFF -DOGRE_BUILD_LIBS_AS_FRAMEWORKS=OFF \
-DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
sudo make install -j8

- name: Configure CMake
env:
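Review bot: the cache-miss rebuild runs `sudo cmake ...` and `sudo make install`, but SDKROOT and DEVELOPER_DIR were exported through GITHUB_ENV into the runner user's environment, and sudo's default `env_reset` strips them before cmake starts, so this rebuild can configure against xcrun's default SDK again, which is precisely the baked-libz.tbd mismatch the comment above the checkout step says this path self-heals. Use `sudo -E cmake ...` and `sudo -E make install`, or pass them explicitly with `sudo env SDKROOT="$SDKROOT" DEVELOPER_DIR="$DEVELOPER_DIR" cmake ...`, and add a post-configure check that the ZLIB library path `find_package(ZLIB)` recorded in CMakeCache.txt lies under `"$SDKROOT"`, so a mismatch fails at configure time rather than at link time. `cmake -S .` without `-B` also configures in-source; a separate build directory keeps the checkout clean if the job is ever re-run. The unpinned `actions/checkout@master` and the missing `persist-credentials: false` on the checkout step are covered in the thread above.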
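To make the two findings in the review comment above reproducible locally, here is an added example that is not zizmor's code and not part of the QtMeshEditor repository: a line-based audit that reports unpinned `uses:` references and `actions/checkout` steps that leave `persist-credentials` at its default, run over a constructed copy of the affected step. It assumes each step starts with a `- key:` list item and takes the pinned SHA from the suggestion in the comment.

```python
import re

# Constructed example, not zizmor's code or the QtMeshEditor workflow: a
# line-based audit for the two findings quoted in the review (needs no PyYAML).
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
STEP_START = re.compile(r"^\s*-\s+(?:if|name|uses|id|run|with|env|shell):")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
PERSIST = re.compile(r"^\s*persist-credentials:\s*([^\s#]+)")


def audit_workflow(text):
    """Return (line, rule, detail) findings in file order, zizmor-style."""
    steps = []
    current = {"line": 0, "uses": None, "persist": None}  # pre-step sink
    for lineno, line in enumerate(text.splitlines(), 1):
        if STEP_START.match(line):          # a new `- key:` list item = step
            current = {"line": lineno, "uses": None, "persist": None}
            steps.append(current)
        if m := USES.match(line):
            current["uses"], current["line"] = m.group(1), lineno
        if m := PERSIST.match(line):
            current["persist"] = m.group(1).strip("'\"").lower()
    findings = []
    for step in steps:
        uses = step["uses"]
        if not uses or uses.startswith(("./", "docker://")):
            continue                        # local/container: no git ref to pin
        action, _, ref = uses.partition("@")
        if not FULL_SHA.match(ref):         # tag or branch: mutable reference
            findings.append((step["line"], "unpinned-uses",
                             f"{uses} is not pinned to a full commit SHA"))
        if action == "actions/checkout" and step["persist"] != "false":
            findings.append((step["line"], "artipacked",
                             f"{uses} does not set persist-credentials: false"))
    return findings


# Constructed sample: the step as submitted in the diff, the pinned form the
# review suggests (SHA copied from that suggestion), and an unpinned cache step.
SAMPLE = """\
    steps:
    - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
      name: Check out ogre repo (cache miss)
      uses: actions/checkout@master
      with:
          repository: OGRECave/ogre
    - name: Check out ogre repo (pinned)
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      with:
          persist-credentials: false
    - uses: actions/cache@v4
"""
```

Running `audit_workflow(SAMPLE)` flags the submitted step twice (unpinned-uses and artipacked) and the cache step once, and reports nothing for the pinned step.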