fix(ci): replace broken eSigner action with direct CodeSignTool (#2143)
PR Summary (written by Cursor Bugbot for commit aab804c)
Medium Risk
Overview: Updates S3 upload steps to select production vs staging AWS credentials and bucket names based on
Force-pushed: 7759353 to 7385797
Force-pushed: 7385797 to a294123
Force-pushed: a294123 to f7e2ad4
| -override="true" | ||
| if ($LASTEXITCODE -ne 0) { throw "Code signing failed for $($_.Name)" } | ||
| Write-Host "Signed $($_.Name) successfully" | ||
| } |
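Review bot: with `-override="true"` the input binary is replaced in place, so the `$LASTEXITCODE -ne 0` check on the previous line is the only evidence that a file was actually signed; a zero exit code does not prove the embedded signature is valid. Suggest verifying after the call, e.g. `$sig = Get-AuthenticodeSignature $_.FullName` followed by `if ($sig.Status -ne 'Valid') { throw "..." }`, before printing "Signed ... successfully".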
Signing step silently succeeds when no exe files found (Medium Severity)

`Get-ChildItem -Filter "*.exe" | ForEach-Object { ... }` silently succeeds when no `.exe` files are found, since PowerShell's `ForEach-Object` simply doesn't iterate on an empty pipeline. The signing step would pass without signing anything. While the subsequent hash recalculation step would catch a missing `.exe`, it would produce a confusing error rather than clearly indicating that signing was skipped. Adding a count check before the loop (similar to the jar-not-found check on line 203) would fail fast with a clear message if no files are present to sign.
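A signing step with the count check the comment asks for, as an added example that is not the PR's own workflow: it fails when the artifact directory holds no `.exe`, reports how many files it is about to sign, and after each CodeSignTool run checks the Authenticode status instead of trusting the exit code alone. The `dist` directory, the `CODESIGNTOOL_DIR` download location, the `ESIGNER_*` secret names and the `-credential_id`, `-totp_secret` and `-input_file_path` flags are assumptions (only `-username`, `-password` and `-override` appear on this page).

```yaml
# Added example, not the PR's workflow. Assumed: CodeSignTool.bat was downloaded to
# $env:CODESIGNTOOL_DIR in an earlier step, the ESIGNER_* secrets exist, and the
# unsigned binaries sit in ./dist.
- name: Sign Windows binaries
  shell: pwsh
  env:
    CODESIGNTOOL_DIR: ${{ runner.temp }}/CodeSignTool       # assumed download location
    ESIGNER_USERNAME: ${{ secrets.ESIGNER_USERNAME }}       # assumed secret names
    ESIGNER_PASSWORD: ${{ secrets.ESIGNER_PASSWORD }}
    ESIGNER_CREDENTIAL_ID: ${{ secrets.ESIGNER_CREDENTIAL_ID }}
    ESIGNER_TOTP_SECRET: ${{ secrets.ESIGNER_TOTP_SECRET }}
  run: |
    $ErrorActionPreference = 'Stop'
    # @() forces an array so .Count is 0 (not $null) when nothing matches.
    $exes = @(Get-ChildItem -Path dist -Filter '*.exe' -File)
    # Fail fast instead of letting an empty pipeline look like a successful signing run.
    if ($exes.Count -eq 0) { throw 'No .exe files found in dist; nothing to sign' }
    Write-Host "Signing $($exes.Count) file(s)"
    foreach ($exe in $exes) {
      & "$env:CODESIGNTOOL_DIR\CodeSignTool.bat" sign `
        -username="$env:ESIGNER_USERNAME" `
        -password="$env:ESIGNER_PASSWORD" `
        -credential_id="$env:ESIGNER_CREDENTIAL_ID" `
        -totp_secret="$env:ESIGNER_TOTP_SECRET" `
        -input_file_path="$($exe.FullName)" `
        -override="true"
      if ($LASTEXITCODE -ne 0) { throw "Code signing failed for $($exe.Name)" }
      # A zero exit code is not proof of a valid signature: check the Authenticode status
      # of the file that was overwritten in place.
      $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
      if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $($exe.Name): $($sig.Status)"
      }
      Write-Host "Signed $($exe.Name) with $($sig.SignerCertificate.Subject)"
    }
```

`Get-AuthenticodeSignature` returns `NotSigned` for a file the tool never touched and `HashMismatch` for one modified after signing, so the second check also catches a later build step that rewrites an already-signed binary.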
Force-pushed: f7e2ad4 to 8c7ec37
…deSignTool invocation

The sslcom/esigner-codesign GitHub Action (both @develop and @v1.3.2) has a bug where it fails to pass -username and -password flags to the CodeSignTool CLI. Replaced with direct download and invocation of CodeSignTool v1.3.0 via PowerShell.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force-pushed: 8c7ec37 to aab804c
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| AWS_SECRET_ACCESS_KEY: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.APP_AWS_SECRET_ACCESS_KEY || secrets.APP_AWS_SECRET_ACCESS_KEY_STAGING }} | ||
| AWS_REGION: ${{ secrets.APP_AWS_REGION }} | ||
| S3_BUCKET: ${{ secrets.FLEET_AGENT_BUCKET_NAME }} | ||
| S3_BUCKET: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.FLEET_AGENT_BUCKET_NAME || secrets.FLEET_AGENT_BUCKET_NAME_STAGING }} |
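Review bot: the `cond && A || B` selection is repeated independently on the `AWS_SECRET_ACCESS_KEY` line and the new `S3_BUCKET` line, so if only one production secret is empty that one variable falls back to its staging value while the others stay on production, leaving the step with a mixed credential set (for example production key material pointed at the staging bucket). Suggest choosing the whole set once, e.g. two upload steps gated by `if: needs.detect-version.outputs.s3_env == 'production'` and `if: needs.detect-version.outputs.s3_env != 'production'`, each with a plain `env:` block and no `||` fallback, plus a `run:` guard that exits non-zero when `$S3_BUCKET` or the key is empty.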
Ternary `&&`/`||` pattern silently falls through on empty secrets (Medium Severity)

The `condition && A || B` pattern in GitHub Actions expressions is not a true ternary: if `A` is falsy (e.g., the production secret is empty or unconfigured), the expression silently falls through to `B` (the staging secret) even when the condition is true. This means a production release could silently upload artifacts using staging credentials to the staging S3 bucket without any error, if a production secret happens to be missing.
Additional Locations (1)
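One way to avoid the fallthrough, as an added example rather than the PR's own workflow: select the whole credential set with step-level `if:` and plain `env:` blocks, so a missing production secret stays empty and is caught by a guard instead of being replaced by its staging counterpart. The secret names for the secret key, region and both buckets are the ones in the hunk above; `APP_AWS_ACCESS_KEY_ID` and its `_STAGING` variant, the `dist` directory and the `aws s3 cp` upload command are assumptions.

```yaml
# Added example, not the PR's workflow. Assumed: the detect-version job exposes an
# s3_env output, the build output is in ./dist, and the access key id secrets are
# named APP_AWS_ACCESS_KEY_ID / APP_AWS_ACCESS_KEY_ID_STAGING.
jobs:
  upload:
    needs: detect-version
    runs-on: ubuntu-latest
    steps:
      # Production path: no `||` fallback, so an unconfigured secret is simply empty
      # and the guard below fails the job instead of silently using staging values.
      - name: Upload to production S3
        if: needs.detect-version.outputs.s3_env == 'production'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.APP_AWS_ACCESS_KEY_ID }}          # assumed name
          AWS_SECRET_ACCESS_KEY: ${{ secrets.APP_AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.APP_AWS_REGION }}
          S3_BUCKET: ${{ secrets.FLEET_AGENT_BUCKET_NAME }}
        run: |
          set -euo pipefail
          # Refuse to run with a partially configured credential set.
          for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION S3_BUCKET; do
            [ -n "${!v:-}" ] || { echo "::error::$v is empty for s3_env=production"; exit 1; }
          done
          aws s3 cp dist/ "s3://$S3_BUCKET/" --recursive

      # Staging path: same shape, staging secrets only.
      - name: Upload to staging S3
        if: needs.detect-version.outputs.s3_env != 'production'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.APP_AWS_ACCESS_KEY_ID_STAGING }}  # assumed name
          AWS_SECRET_ACCESS_KEY: ${{ secrets.APP_AWS_SECRET_ACCESS_KEY_STAGING }}
          AWS_REGION: ${{ secrets.APP_AWS_REGION }}
          S3_BUCKET: ${{ secrets.FLEET_AGENT_BUCKET_NAME_STAGING }}
        run: |
          set -euo pipefail
          for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION S3_BUCKET; do
            [ -n "${!v:-}" ] || { echo "::error::$v is empty for s3_env=staging"; exit 1; }
          done
          aws s3 cp dist/ "s3://$S3_BUCKET/" --recursive
```

The duplication disappears if the two targets are modelled as GitHub Environments holding secrets of the same name: the job then carries `environment: ${{ needs.detect-version.outputs.s3_env }}` and a single upload step reads `secrets.APP_AWS_SECRET_ACCESS_KEY` and `secrets.FLEET_AGENT_BUCKET_NAME`, with no expression choosing between values at all.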
## [1.83.1](v1.83.0...v1.83.1) (2026-02-17)

### Bug Fixes

* **ci:** fix Linux artifact names and consolidate all CI fixes ([#2144](#2144)) ([cbcf420](cbcf420))
* **ci:** handle pre-release tags in device agent version detection ([#2137](#2137)) ([b37f225](b37f225))
* **ci:** pin Windows code signing to stable sslcom/esigner-codesign@v1.3.2 ([#2141](#2141)) ([5f35e35](5f35e35))
* **ci:** replace broken sslcom/esigner-codesign action with direct CodeSignTool invocation ([#2143](#2143)) ([884e0d2](884e0d2))
🎉 This PR is included in version 1.83.1 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀


Summary

The `sslcom/esigner-codesign` GitHub Action (both `@develop` and `@v1.3.2`) has a bug where it fails to pass `-username` and `-password` flags to the underlying CodeSignTool CLI.

Test plan
🤖 Generated with Claude Code