fix(desktop): green Windows smoke + Linux AppImage PG packaging checks#2138
Conversation
|
Warning Review limit reached
Next review available in: 26 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (11)
📝 WalkthroughWalkthroughAdds a Linux AppImage verifier for embedded Postgres packaging, wires it into desktop packaging and release workflows, and runs Windows embedded-Postgres smoke tests under a prepared non-admin helper account. ChangesDesktop embedded Postgres validation
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant ReleaseWorkflow
participant verifyDesktopLinuxPgPackaging
participant AppImageUnpackedTree
participant AsarCli
ReleaseWorkflow->>verifyDesktopLinuxPgPackaging: run Linux AppImage verification
verifyDesktopLinuxPgPackaging->>AppImageUnpackedTree: inspect resources and embedded Postgres files
verifyDesktopLinuxPgPackaging->>AsarCli: list and extract app.asar contents
AsarCli-->>verifyDesktopLinuxPgPackaging: return packaged paths and package.json
verifyDesktopLinuxPgPackaging-->>ReleaseWorkflow: pass or set failure exit code
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Greptile SummaryThis PR strengthens desktop packaging and embedded PostgreSQL checks. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (7): Last reviewed commit: "fix(ci): bundle plugin schema shim from ..." | Re-trigger Greptile |
There was a problem hiding this comment.
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/desktop-windows.yml:
- Around line 63-83: Replace the hardcoded D:\a\Fusion\Fusion workspace
references in the workflow’s icacls and generated smoke.bat commands with
$env:GITHUB_WORKSPACE, including the cd /d command, so the workflow uses the
runner-provided workspace path.
- Line 83: Replace the hardcoded workspace path in the Windows workflow command
with the runner-provided $env:GITHUB_WORKSPACE value, preserving the existing
directory-change behavior without assuming a repository name or runner path.
- Line 63: Update the icacls command in the Windows workflow to use the
$env:GITHUB_WORKSPACE environment variable as the target path instead of the
hardcoded D:\a\Fusion\Fusion path, while preserving the existing permissions and
command options.
In `@scripts/verify-desktop-linux-pg-packaging.mjs`:
- Around line 219-222: Update listIncludesAsarPath to parse the ASAR listing
into newline-delimited normalized paths and compare exact entries rather than
using substring includes checks. Ensure validation requires the exact
/dist/main-bootstrap.cjs path and each OMP entrypoint, preserving handling for
listings with or without a leading slash.
- Around line 175-201: Update the manifest-entry validation in the soname
verification loop to fail when an entry is missing valid string source or target
fields instead of silently continuing. Increment the missing count and report
the malformed entry through fail, so a manifest containing only malformed
entries cannot reach the missing === 0 success path; preserve existing link
checks for valid entries.
- Around line 245-258: Update the platform validation loop around
assertPlatformSonameLinks to derive the expected linux platform package for each
unpacked output, reject linux-* entries that do not match that expected
architecture, and validate initdb, pg_ctl, and postgres with a regular-file and
executable-mode check instead of existsSync alone. Preserve the existing
missing-package and SONAME-link validations.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 5ab899f2-5a32-4d81-a759-0e5fc44cf063
📒 Files selected for processing (6)
.github/workflows/desktop-packaging.yml.github/workflows/desktop-windows.yml.github/workflows/release.yml.github/workflows/test-release.ymlpackages/desktop/src/__tests__/release-workflow.test.tsscripts/verify-desktop-linux-pg-packaging.mjs
bb4a773 to
ab09202
Compare
- Run Windows embedded-PG smoke as non-admin fusion-pg (prewarm profile) so elevated windows-latest runners no longer hit postgres admin-token refusal - Add AppImage packaging content verifier (main-bootstrap, natives, omp-runtime) to release, test-release, and the advisory desktop packaging PR lane - Fix eslint no-undef on URL in the verifier script
Avoid recursive icacls over the entire monorepo (30–40m on windows-latest). Grant non-recursive RX on ancestors and recursive only on packages/core, pnpm store, and tooling paths the non-admin smoke needs.
Narrow ACL grants caused silent exit 1. Restore full recursive workspace grants (win-pg-diag green path) and tee the non-admin bat output to smoke.log so failures surface in the Actions log.
ab09202 to
d1af9da
Compare
Summary
fusion-pg(with profile prewarm) so elevatedwindows-latestrunners stop failing with PostgreSQL’s admin-token refusal. Packaging still runs as the job user.main-bootstrap,@embedded-postgresnatives, andomp-runtimedist entrypoints; wire it intorelease.yml,test-release.yml, and the advisory Desktop packaging PR lane (afterelectron-builder --dir).no-undefon bareURLin the verifier script (was red on fix(desktop): assert Linux AppImage embeds Postgres packaging #2131).Context
Desktop packaging on Ubuntu was mostly green; Windows desktop builds and the AppImage packaging PR (#2131 lint) were the remaining red paths. The win-pg-diag pivot (run smoke as non-admin) proved green on CI; this ports that approach without removing main’s elevated-token product path for end-user “Run as administrator” cases (smoke simply does not take that path when the process is non-admin).
Test plan
pnpm --filter @fusion/desktop exec vitest run src/__tests__/release-workflow.test.tspnpm exec eslint scripts/verify-desktop-linux-pg-packaging.mjsSummary by CodeRabbit
Bug Fixes
Tests