ci: bust stale macOS OGRE cache (xcode263) — unblock 3.9.1 macOS deploy #756

The 3.9.1 release deploy failed on build-macos:

  No rule to make target '.../Xcode_26.5/.../libz.tbd', needed by QtMeshEditor

The Pin-Xcode step selects Xcode 26.3 consistently on all macOS jobs, but the OGRE cache under key 'xcode26b' was built earlier under Xcode 26.5 and its CMake export hardcodes 26.5's libz.tbd path. Restoring it into a 26.3 build breaks the link.

Bump MACOS_CACHE_VERSION xcode26b → xcode263 so OGRE/Assimp rebuild under the pinned 26.3 and the stale cache is discarded.

(Windows + Linux .deb artifacts already published for 3.9.1; this lets the macOS artifact + Homebrew cask update complete on a deploy re-run.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 Walkthrough

The macOS CI workflow gains per-Xcode cache isolation by exporting

Changes
- macOS OGRE Cache Invalidation by Xcode Version
- MainWindow Test Visibility Fix

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
The real cause of the build-macos libz.tbd failure: the producer (build-n-cache-ogre-macos) and consumer (build-macos) run on DIFFERENT runner images whose "newest Xcode" differs — producer resolved Xcode 26.5 and cached OGRE with 26.5's absolute libz.tbd path baked into its CMake export; consumer resolved 26.3 and linked against the missing 26.5 path. Just pinning "newest" or bumping the cache version doesn't help because the two images disagree.

Fix (self-healing):
- Fold the resolved Xcode app name into XCODE_TAG and append it to all macOS assimp/ogre cache keys + restore-keys, so a job only restores a cache built under its OWN Xcode.
- Give build-macos (consumer) the same "check out + build OGRE on cache miss" steps the producer has. When the consumer's Xcode differs from the producer's (cache miss), it rebuilds OGRE under its own SDK instead of failing on a stale libz.tbd path.

This makes the macOS build robust regardless of which Xcode each runner image ships. (Bigger than the earlier one-line bump, but that couldn't fix a cross-image Xcode disagreement.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Previous commit Xcode-keyed BOTH the assimp and ogre macOS caches. That broke build-macos on a runner whose Xcode differed from the producer's: assimp cache-missed (no assimp-build-on-miss exists) so find_package(assimp) failed with "Could not find a package configuration file provided by assimp".

Assimp is a plain static lib that doesn't bake absolute SDK paths, so one assimp cache is valid across Xcode versions — revert XCODE_TAG on the 3 assimp keys, keeping it ONLY on the 2 ogre keys (ogre's CMake export DOES bake an absolute libz.tbd path, which is why ogre needs per-Xcode keying + the consumer's rebuild-on-miss). The shared assimp cache is then always present for the ogre rebuild to link against.

Verified on the failing run: Qt + OGRE now resolve and link (no libz.tbd error); this removes the remaining assimp-not-found failure.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… first)

This test failed intermittently on CI (Xvfb) with:

  Value of: window->m_modeBarShell->isHidden()
  Actual: true
  Expected: false

The fixture constructs MainWindow but never show()s it. QToolBar::isHidden() reflects effective visibility, which is only realized once the parent window is mapped — so under Xvfb the shell reports hidden and the assertion is racy. It hit BOTH this branch and the unrelated CI-only PR #756 (which has no source changes), confirming it's a pre-existing flake, not a regression.

Fix: show() the window and processEvents() before the visibility assertion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
build-macos still failed with the Xcode_26.5 libz.tbd path even after pinning DEVELOPER_DIR=Xcode_26.3 and rebuilding OGRE: CMake's find_package(ZLIB) resolved to the SDK that `xcrun` defaults to (26.5 on these images) rather than the xcode-select'd one, so the OGRE SDK's CMake export baked a 26.5 libz.tbd path that the cache then carried forward.

Fix: export SDKROOT (from `xcrun --sdk macosx --show-sdk-path` under the pinned Xcode) in the Pin step, so clang AND CMake resolve system libs under the SAME pinned SDK on every macOS job. Bump MACOS_CACHE_VERSION → sdkpin1 to discard the OGRE caches that still carry the 26.5 path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy.yml:
- Around line 1824-1830: In the "Check out ogre repo (cache miss)" step where
the OGRECave/ogre repository is checked out, replace the mutable `@master`
reference in the uses field with a pinned version (use a specific commit SHA or
tagged release version instead). Additionally, add persist-credentials: false to
the with section to disable credential persistence for this external repository
checkout, reducing supply-chain risk.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: aae8390a-4f69-4d19-bd46-c41bac3343d5
📒 Files selected for processing (2)
- .github/workflows/deploy.yml
- src/mainwindow_test.cpp
| - if: steps.cache-ogre-macos.outputs.cache-hit != 'true' | ||
| name: Check out ogre repo (cache miss) | ||
| uses: actions/checkout@master | ||
| with: | ||
| repository: OGRECave/ogre | ||
| ref: v${{ env.OGRE_VERSION }} | ||
| path: ${{github.workspace}}/ogre |
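Review bot: the `ref: v${{ env.OGRE_VERSION }}` line in this new cache-miss checkout resolves a tag in the external OGRECave/ogre repository at run time, and a tag can be moved upstream, so the OGRE sources built on a cache miss are not fixed by this workflow. Consider recording the commit SHA for that release next to OGRE_VERSION and checking out that SHA instead of the tag.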
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/deploy.yml"
echo "1) Find mutable checkout refs in workflow:"
rg -n 'uses:\s*actions/checkout@master' "$FILE" || true
echo
echo "2) Inspect new cache-miss checkout block context:"
sed -n '1822,1832p' "$FILE"
echo
echo "3) Verify whether credential persistence is explicitly disabled in that block:"
if sed -n '1824,1832p' "$FILE" | rg -q 'persist-credentials:\s*false'; then
  echo "persist-credentials: false is present"
else
  echo "persist-credentials: false is MISSING"
fi
Repository: fernandotonon/QtMeshEditor
Length of output: 1154
Pin the checkout action and disable credential persistence in the new cache-miss checkout.
Line 1826 uses actions/checkout@master (mutable reference), and this external-repository checkout does not set persist-credentials: false. This introduces a supply-chain risk in this path.
Suggested hardening fix
- - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
- name: Check out ogre repo (cache miss)
- uses: actions/checkout@master
+ - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
+ name: Check out ogre repo (cache miss)
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
+ persist-credentials: false
repository: OGRECave/ogre
ref: v${{ env.OGRE_VERSION }}
path: ${{github.workspace}}/ogre📝 Committable suggestion
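Review bot: on the added `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` line, the trailing comment names only a major version, so the line does not say which release the SHA corresponds to. Check the SHA against the action's release tags before committing and put the exact tag in the comment, so a later bump can be compared against it.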
| - if: steps.cache-ogre-macos.outputs.cache-hit != 'true' | |
| name: Check out ogre repo (cache miss) | |
| uses: actions/checkout@master | |
| with: | |
| repository: OGRECave/ogre | |
| ref: v${{ env.OGRE_VERSION }} | |
| path: ${{github.workspace}}/ogre | |
| - if: steps.cache-ogre-macos.outputs.cache-hit != 'true' | |
| name: Check out ogre repo (cache miss) | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| persist-credentials: false | |
| repository: OGRECave/ogre | |
| ref: v${{ env.OGRE_VERSION }} | |
| path: ${{github.workspace}}/ogre |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 1824-1830: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 1826-1826: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
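The two findings in the review above (a `uses:` reference not pinned to a commit SHA, and an `actions/checkout` step without `persist-credentials: false`) can be checked for across a whole workflow file. The following is an added example, not code from this PR, CodeRabbit or zizmor: a simplified line-based scan whose function names are illustrative and whose sample workflow is constructed from the step quoted on this page.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
NO_PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\s*(?:#.*)?$")

# Constructed sample (PR step, then hardened form); helper names are illustrative.
SAMPLE = """\
steps:
  - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
    name: Check out ogre repo (cache miss)
    uses: actions/checkout@master
    with:
      repository: OGRECave/ogre
  - name: Check out ogre repo (hardened)
    uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
    with:
      persist-credentials: false
"""

def split_steps(text):
    """Group lines into steps; every '- ' list item starts a new group."""
    steps, current = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r"^\s*-\s", line):
            current = []
            steps.append(current)
        if current is not None:
            current.append((no, line))
    return steps

def audit_workflow(text):
    """Return (line, rule, detail) findings for the two issues in the review."""
    findings = []
    for step in split_steps(text):
        for no, line in step:
            m = USES_RE.match(line)
            if not m or m.group(1).startswith(("./", "docker://")):
                continue  # local actions and container images are out of scope
            action, _, ref = m.group(1).partition("@")
            if not SHA_RE.match(ref):
                findings.append((no, "unpinned-uses", f"{action}@{ref or '<none>'}"))
            hardened = any(NO_PERSIST_RE.match(l) for _, l in step)
            if action == "actions/checkout" and not hardened:
                findings.append((no, "artipacked", "persist-credentials: false not set"))
    return findings

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

Because it splits on list items rather than parsing YAML, a nested list inside a step's `with:` block would be treated as a new step; a real audit should use a YAML parser or a dedicated linter.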

The 3.9.1 release deploy failed on build-macos (Windows + Linux .deb artifacts published OK; macOS artifact + Homebrew cask update did not):

Cause: the Pin-Xcode step selects Xcode 26.3 consistently across all macOS jobs (verified), but the OGRE cache stored under key xcode26b was built earlier under Xcode 26.5 — its CMake export hardcodes 26.5's libz.tbd path. Restoring that into a 26.3 build breaks the link.

Fix: bump MACOS_CACHE_VERSION xcode26b → xcode263 so OGRE/Assimp rebuild under the pinned 26.3 and the stale 26.5 cache is discarded. One-line, CI-only.

After merge: move the 3.9.1 tag to the fixed commit and re-trigger the deploy so the macOS artifact + Homebrew cask complete.

🤖 Generated with Claude Code