92 changes: 85 additions & 7 deletions .github/workflows/deploy.yml
Expand Up @@ -23,11 +23,14 @@ env:
ASSIMP_DIR_VERSION: '6.0'
OGRE_VERSION: '14.5.2'
# Bump to bust the macOS assimp/ogre caches. The cached OGRE/Assimp SDKs bake
# absolute Xcode SDK paths (e.g. .../usr/lib/libz.tbd) into their CMake export;
# when the macos-latest runner image bumps Xcode, a stale cache hit makes
# build-macos fail with "No rule to make target '<old-SDK>/libz.tbd'". Bump
# this whenever the runner's Xcode/SDK changes.
MACOS_CACHE_VERSION: 'xcode26b'
# an absolute Xcode SDK path (e.g. .../usr/lib/libz.tbd) into their CMake
# export. The Pin-Xcode step below selects a CONSISTENT Xcode across all macOS
# jobs (currently 26.3), but a cache built earlier under a different Xcode
# (26.5) still carries that old libz.tbd path and, when restored into a 26.3
# build, fails with "No rule to make target '.../Xcode_26.5/...libz.tbd'"
# (this broke the 3.9.1 macOS deploy). Bump this whenever the pinned Xcode
# changes so the SDK is rebuilt against it. (xcode263 = under Pin step Xcode 26.3.)
MACOS_CACHE_VERSION: 'sdkpin1'

jobs:
# send-slack-notification:
Expand Down Expand Up @@ -1580,6 +1583,22 @@ jobs:
echo "Selected Xcode: $DEV"
sudo xcode-select -s "$DEV"
echo "DEVELOPER_DIR=$DEV" >> "$GITHUB_ENV"
# Pin SDKROOT too. xcode-select / DEVELOPER_DIR alone don't stop
# CMake's find_package(ZLIB) from resolving to whatever SDK `xcrun`
# defaults to (on these images that was Xcode 26.5 even with 26.3
# selected), so OGRE's CMake export baked a 26.5 libz.tbd path that
# then failed to link under 26.3. Exporting SDKROOT makes clang AND
# CMake resolve system libs under the SAME pinned SDK everywhere.
SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=$SDKROOT_PATH" >> "$GITHUB_ENV"
echo "Pinned SDKROOT: $SDKROOT_PATH"
# The per-job runner images can carry DIFFERENT newest Xcodes
# (e.g. producer image has 26.5, consumer image only 26.3). Fold the
# resolved Xcode app into the cache key so each job only restores a
# cache built under its OWN Xcode; build-macos rebuilds OGRE on a
# miss (steps below) so a mismatch self-heals instead of failing
# with "No rule to make target '.../Xcode_XX/...libz.tbd'".
echo "XCODE_TAG=$(basename "$(dirname "$(dirname "$DEV")")")" >> "$GITHUB_ENV"

- name: change folder permissions
run: |
Expand All @@ -1603,6 +1622,9 @@ jobs:
/usr/local/lib/libzlibstatic.a
#key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('/home/runner/work/QtMeshEditor/QtMeshEditor/assimp') }}
# Need to delete manually if needed to rebuild. Until I find a better solution for detecting changes in the assimp repo.
# NOTE: assimp is NOT Xcode-keyed (unlike ogre): it's a plain static lib
# that doesn't bake absolute SDK paths, so one assimp cache works across
# Xcode versions and stays shared so the ogre-rebuild-on-miss can use it.
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}-
Expand Down Expand Up @@ -1633,6 +1655,22 @@ jobs:
echo "Selected Xcode: $DEV"
sudo xcode-select -s "$DEV"
echo "DEVELOPER_DIR=$DEV" >> "$GITHUB_ENV"
# Pin SDKROOT too. xcode-select / DEVELOPER_DIR alone don't stop
# CMake's find_package(ZLIB) from resolving to whatever SDK `xcrun`
# defaults to (on these images that was Xcode 26.5 even with 26.3
# selected), so OGRE's CMake export baked a 26.5 libz.tbd path that
# then failed to link under 26.3. Exporting SDKROOT makes clang AND
# CMake resolve system libs under the SAME pinned SDK everywhere.
SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=$SDKROOT_PATH" >> "$GITHUB_ENV"
echo "Pinned SDKROOT: $SDKROOT_PATH"
# The per-job runner images can carry DIFFERENT newest Xcodes
# (e.g. producer image has 26.5, consumer image only 26.3). Fold the
# resolved Xcode app into the cache key so each job only restores a
# cache built under its OWN Xcode; build-macos rebuilds OGRE on a
# miss (steps below) so a mismatch self-heals instead of failing
# with "No rule to make target '.../Xcode_XX/...libz.tbd'".
echo "XCODE_TAG=$(basename "$(dirname "$(dirname "$DEV")")")" >> "$GITHUB_ENV"

- name: change folder permissions
run: |
Expand Down Expand Up @@ -1665,7 +1703,7 @@ jobs:
cache-name: cache-ogre-macos
with:
path: ${{github.workspace}}/ogre/SDK
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}-${{ env.XCODE_TAG }}

- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Check out ogre repo
Expand Down Expand Up @@ -1698,6 +1736,22 @@ jobs:
echo "Selected Xcode: $DEV"
sudo xcode-select -s "$DEV"
echo "DEVELOPER_DIR=$DEV" >> "$GITHUB_ENV"
# Pin SDKROOT too. xcode-select / DEVELOPER_DIR alone don't stop
# CMake's find_package(ZLIB) from resolving to whatever SDK `xcrun`
# defaults to (on these images that was Xcode 26.5 even with 26.3
# selected), so OGRE's CMake export baked a 26.5 libz.tbd path that
# then failed to link under 26.3. Exporting SDKROOT makes clang AND
# CMake resolve system libs under the SAME pinned SDK everywhere.
SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path 2>/dev/null)"
[ -n "$SDKROOT_PATH" ] && echo "SDKROOT=$SDKROOT_PATH" >> "$GITHUB_ENV"
echo "Pinned SDKROOT: $SDKROOT_PATH"
# The per-job runner images can carry DIFFERENT newest Xcodes
# (e.g. producer image has 26.5, consumer image only 26.3). Fold the
# resolved Xcode app into the cache key so each job only restores a
# cache built under its OWN Xcode; build-macos rebuilds OGRE on a
# miss (steps below) so a mismatch self-heals instead of failing
# with "No rule to make target '.../Xcode_XX/...libz.tbd'".
echo "XCODE_TAG=$(basename "$(dirname "$(dirname "$DEV")")")" >> "$GITHUB_ENV"

- name: change folder permissions
run: |
Expand Down Expand Up @@ -1761,7 +1815,31 @@ jobs:
cache-name: cache-ogre-macos
with:
path: ${{github.workspace}}/ogre/SDK
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MACOS_CACHE_VERSION }}-${{ env.XCODE_TAG }}

# If this runner image's Xcode differs from the one the producer cached
# under, the key above misses. Rebuild OGRE here under THIS job's Xcode so
# the SDK's baked libz.tbd path matches what we link against (self-heals the
# cross-image Xcode mismatch instead of failing on a stale libz.tbd path).
- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Check out ogre repo (cache miss)
uses: actions/checkout@master
with:
repository: OGRECave/ogre
ref: v${{ env.OGRE_VERSION }}
path: ${{github.workspace}}/ogre
Comment on lines +1824 to +1830


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/deploy.yml"

echo "1) Find mutable checkout refs in workflow:"
rg -n 'uses:\s*actions/checkout@master' "$FILE" || true

echo
echo "2) Inspect new cache-miss checkout block context:"
sed -n '1822,1832p' "$FILE"

echo
echo "3) Verify whether credential persistence is explicitly disabled in that block:"
if sed -n '1824,1832p' "$FILE" | rg -q 'persist-credentials:\s*false'; then
  echo "persist-credentials: false is present"
else
  echo "persist-credentials: false is MISSING"
fi

Repository: fernandotonon/QtMeshEditor

Length of output: 1154


Pin the checkout action and disable credential persistence in the new cache-miss checkout.

Line 1826 uses actions/checkout@master (mutable reference), and this external-repository checkout does not set persist-credentials: false. This introduces a supply-chain risk in this path.

Suggested hardening fix
-    - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
-      name: Check out ogre repo (cache miss)
-      uses: actions/checkout@master
+    - if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
+      name: Check out ogre repo (cache miss)
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
+          persist-credentials: false
           repository: OGRECave/ogre
           ref: v${{ env.OGRE_VERSION }}
           path: ${{github.workspace}}/ogre
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Check out ogre repo (cache miss)
uses: actions/checkout@master
with:
repository: OGRECave/ogre
ref: v${{ env.OGRE_VERSION }}
path: ${{github.workspace}}/ogre
- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Check out ogre repo (cache miss)
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
repository: OGRECave/ogre
ref: v${{ env.OGRE_VERSION }}
path: ${{github.workspace}}/ogre
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 1824-1830: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 1826-1826: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 1824 - 1830, In the "Check out
ogre repo (cache miss)" step where the OGRECave/ogre repository is checked out,
replace the mutable `@master` reference in the uses field with a pinned version
(use a specific commit SHA or tagged release version instead). Additionally, add
persist-credentials: false to the with section to disable credential persistence
for this external repository checkout, reducing supply-chain risk.

Source: Linters/SAST tools


- if: steps.cache-ogre-macos.outputs.cache-hit != 'true'
name: Build Ogre3D repo (cache miss)
run: |
cd ${{github.workspace}}/ogre/
sudo cmake -S . -DOGRE_BUILD_PLUGIN_ASSIMP=ON -Dassimp_DIR=/usr/local/lib/cmake/assimp-${{ env.ASSIMP_DIR_VERSION }}/ \
-DOGRE_BUILD_PLUGIN_DOT_SCENE=ON -DOGRE_BUILD_RENDERSYSTEM_GL=ON -DOGRE_BUILD_RENDERSYSTEM_GL3PLUS=ON \
-DOGRE_BUILD_RENDERSYSTEM_GLES2=OFF -DOGRE_BUILD_TESTS=OFF -DOGRE_BUILD_TOOLS=OFF -DOGRE_BUILD_SAMPLES=OFF \
-DOGRE_BUILD_COMPONENT_CSHARP=OFF -DOGRE_BUILD_COMPONENT_JAVA=OFF -DOGRE_BUILD_COMPONENT_PYTHON=OFF \
-DOGRE_INSTALL_TOOLS=OFF -DOGRE_INSTALL_DOCS=OFF -DOGRE_INSTALL_SAMPLES=OFF -DOGRE_BUILD_LIBS_AS_FRAMEWORKS=OFF \
-DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
sudo make install -j8

- name: Configure CMake
env:
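Review bot: In the Pin-Xcode hunk (@@ -1580,6 +1583,22 @@) the SDKROOT export is skipped silently when `xcrun --sdk macosx --show-sdk-path` returns nothing: stderr is sent to /dev/null, `[ -n "$SDKROOT_PATH" ] && …` does not trip errexit even under the default `bash -e`, and the step prints `Pinned SDKROOT: ` with an empty value and carries on, so the job would then build against whatever SDK `xcrun` defaults to, which is exactly the mismatch this change exists to prevent. Fail fast instead, e.g. `SDKROOT_PATH="$(xcrun --sdk macosx --show-sdk-path)"` followed by `[ -n "$SDKROOT_PATH" ] || { echo "::error::could not resolve the macOS SDK path"; exit 1; }`, so a stale cache is never produced from an unpinned SDK. The same block is pasted verbatim into the two later hunks (@@ -1633,6 +1655,22 @@ and @@ -1698,6 +1736,22 @@); a composite action or a reusable step would keep the three copies from drifting. The env-block comment in the first hunk ends with `(xcode263 = under Pin step Xcode 26.3.)` while the value actually set is `'sdkpin1'`, so that parenthetical documents a tag that is not in use and should be dropped or updated. The `run:` step that holds the pin begins above the hunk.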
7 changes: 7 additions & 0 deletions src/mainwindow_test.cpp
Expand Up @@ -282,6 +282,13 @@ TEST_F(MainWindowTest, ModeBarLoadsAndModeChangeUpdatesStatusIndicator)
ASSERT_EQ(window->m_modeBar->status(), QQuickWidget::Ready);
EXPECT_GE(window->m_modeBar->minimumWidth(), 560);
EXPECT_EQ(window->toolBarArea(window->m_modeBarShell), Qt::TopToolBarArea);
// QToolBar::isHidden() reflects effective visibility, which is only
// meaningful once the parent window has been shown. The fixture constructs
// MainWindow without show()ing it, so under Xvfb this assertion was flaky
// (the shell reports hidden until the window is mapped). Show the window and
// drain events so the toolbar's visibility is realized before asserting.
window->show();
app->processEvents();
EXPECT_FALSE(window->m_modeBarShell->isHidden());
ASSERT_NE(window->m_editModeLabel, nullptr);

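Review bot: A single `app->processEvents()` after `window->show()` only drains events that are already queued, while the new comment says the flake came from the shell reporting hidden until the window is mapped; under Xvfb mapping is asynchronous, so the window may still be unmapped when `EXPECT_FALSE(window->m_modeBarShell->isHidden())` runs and the assertion can remain flaky. If QtTest is linked into this test target, `QTest::qWaitForWindowExposed(window)` (passing the raw widget pointer) blocks until the window is actually exposed and is the usual fix; otherwise a short bounded loop that calls `app->processEvents()` until `!window->m_modeBarShell->isHidden()` or a timeout is more robust than one pass. The comment should then say the test waits (bounded) for exposure rather than "drain events", since one `processEvents()` call does not guarantee that. The enclosing `TEST_F(MainWindowTest, ModeBarLoadsAndModeChangeUpdatesStatusIndicator)` starts and ends outside the hunk.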