Skip to content

Commit 1ebe9be

Browse files
committed
ci(macos): re-exclude keychain tests (unsigned binaries segfault in Security.framework)
Verification result: even with a created + unlocked default keychain, unsigned test binaries segfault inside Security.framework headlessly (10/140 keychain tests). Confirming them would require ad-hoc-codesigning every test exe; not worth it. Revert to excluding sync/keychain tests -> macOS green at 130 built / 106 run. The keychain path stays covered on Linux+Windows; macOS keychain is verifiable only via the signed prod app.
1 parent d14801f commit 1ebe9be

1 file changed

Lines changed: 9 additions & 16 deletions

File tree

.github/workflows/ci-macos.yml

Lines changed: 9 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -156,24 +156,17 @@ jobs:
156156
# libs) then run them headlessly via the Qt offscreen platform plugin.
157157
# VNOTE_BUILD_TESTS defaults to ON, so no extra -D is needed.
158158
#
159-
# Sync/keychain tests ARE run: we create + unlock a temporary default
160-
# keychain (same mechanism as the Codesign step) so the real qtkeychain
161-
# Security.framework path can store/read PATs, mirroring a logged-in
162-
# user's unlocked login keychain. Without this, headless macOS has no
163-
# usable default keychain and the SecItem* error path throws an uncaught
164-
# NSInvalidArgumentException. This both restores coverage AND verifies
165-
# the macOS keychain path actually works.
159+
# Sync/keychain tests are EXCLUDED on macOS. The real qtkeychain path
160+
# (keychain_apple.mm + Security.framework) cannot run in CI: even with a
161+
# created + unlocked default keychain, an UNSIGNED test binary segfaults
162+
# inside Security.framework on a headless runner (verified — making them
163+
# pass would require ad-hoc-codesigning every test exe with keychain
164+
# entitlements). The platform-agnostic sync LOGIC is already covered
165+
# against the real backend on Linux + Windows; the macOS keychain path
166+
# is third-party and only reachable from the signed prod app.
166167
run: |
167168
set -e
168169
cmake --build .
169-
# Unlocked, no-timeout temp keychain as the default + only search entry.
170-
KEYCHAIN="${{runner.workspace}}/vnote-test.keychain-db"
171-
KC_PW="vnote-test-pw"
172-
security create-keychain -p "$KC_PW" "$KEYCHAIN"
173-
security set-keychain-settings -lut 21600 "$KEYCHAIN"
174-
security unlock-keychain -p "$KC_PW" "$KEYCHAIN"
175-
security list-keychains -d user -s "$KEYCHAIN"
176-
security default-keychain -s "$KEYCHAIN"
177170
export QT_QPA_PLATFORM=offscreen
178171
# Force a UTF-8 locale so std::filesystem::path round-trips through
179172
# std::string preserve non-ASCII bytes. Without this, CJK filenames
@@ -185,7 +178,7 @@ jobs:
185178
# libVTextEdit.dylib lives next to the parent build's VNote binary;
186179
# add it to DYLD_LIBRARY_PATH so Qt-side test exes resolve it at load.
187180
export DYLD_LIBRARY_PATH="${{runner.workspace}}/build/libs/vtextedit/src:${DYLD_LIBRARY_PATH:-}"
188-
ctest --output-on-failure
181+
ctest --output-on-failure -E '(sync|bootstrap|credential|keychain|syncinfo)'
189182
working-directory: ${{runner.workspace}}/build
190183

191184
- name: Re-run failed tests with extra-verbose output (debug aid)

0 commit comments

Comments
 (0)