Skip to content

Commit d14801f

Browse files
committed
ci(macos): run real keychain tests against an unlocked temp keychain
Replaces the macOS sync/keychain ctest exclusion with a real unlocked keychain: create + unlock + set-default a temp keychain (same mechanism as the Codesign step) before ctest, mirroring a logged-in user's unlocked login keychain. This lets qtkeychain's Security.framework path store/read PATs headlessly, restoring macOS coverage of the sync/keychain code AND verifying the macOS keychain path actually works rather than skipping it.
1 parent 3abd29a commit d14801f

1 file changed

Lines changed: 16 additions & 9 deletions

File tree

.github/workflows/ci-macos.yml

Lines changed: 16 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -156,17 +156,24 @@ jobs:
156156
# libs) then run them headlessly via the Qt offscreen platform plugin.
157157
# VNOTE_BUILD_TESTS defaults to ON, so no extra -D is needed.
158158
#
159-
# The sync/keychain tests are EXCLUDED on macOS: their only
160-
# macOS-specific code under test is third-party qtkeychain
161-
# (keychain_apple.mm + Security.framework), which throws an uncaught
162-
# NSInvalidArgumentException on a headless runner (no usable unlocked
163-
# default keychain). The platform-agnostic sync LOGIC they cover is
164-
# already exercised against the real backend on Linux + Windows, so
165-
# macOS loses no unique signal. (Reclaiming this coverage via an
166-
# in-memory credentials backend is a tracked follow-up.)
159+
# Sync/keychain tests ARE run: we create + unlock a temporary default
160+
# keychain (same mechanism as the Codesign step) so the real qtkeychain
161+
# Security.framework path can store/read PATs, mirroring a logged-in
162+
# user's unlocked login keychain. Without this, headless macOS has no
163+
# usable default keychain and the SecItem* error path throws an uncaught
164+
# NSInvalidArgumentException. This both restores coverage AND verifies
165+
# the macOS keychain path actually works.
167166
run: |
168167
set -e
169168
cmake --build .
169+
# Unlocked, no-timeout temp keychain as the default + only search entry.
170+
KEYCHAIN="${{runner.workspace}}/vnote-test.keychain-db"
171+
KC_PW="vnote-test-pw"
172+
security create-keychain -p "$KC_PW" "$KEYCHAIN"
173+
security set-keychain-settings -lut 21600 "$KEYCHAIN"
174+
security unlock-keychain -p "$KC_PW" "$KEYCHAIN"
175+
security list-keychains -d user -s "$KEYCHAIN"
176+
security default-keychain -s "$KEYCHAIN"
170177
export QT_QPA_PLATFORM=offscreen
171178
# Force a UTF-8 locale so std::filesystem::path round-trips through
172179
# std::string preserve non-ASCII bytes. Without this, CJK filenames
@@ -178,7 +185,7 @@ jobs:
178185
# libVTextEdit.dylib lives next to the parent build's VNote binary;
179186
# add it to DYLD_LIBRARY_PATH so Qt-side test exes resolve it at load.
180187
export DYLD_LIBRARY_PATH="${{runner.workspace}}/build/libs/vtextedit/src:${DYLD_LIBRARY_PATH:-}"
181-
ctest --output-on-failure -E '(sync|bootstrap|credential|keychain|syncinfo)'
188+
ctest --output-on-failure
182189
working-directory: ${{runner.workspace}}/build
183190

184191
- name: Re-run failed tests with extra-verbose output (debug aid)

0 commit comments

Comments
 (0)