Skip to content

fix(desktop): green Windows smoke + Linux AppImage PG packaging checks#2138

Merged
gsxdsm merged 6 commits into
mainfrom
fix/desktop-ci-green
Jul 15, 2026
Merged

fix(desktop): green Windows smoke + Linux AppImage PG packaging checks#2138
gsxdsm merged 6 commits into
mainfrom
fix/desktop-ci-green

Conversation

@gsxdsm

@gsxdsm gsxdsm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Windows CI: run the embedded Postgres smoke as non-admin fusion-pg (with profile prewarm) so elevated windows-latest runners stop failing with PostgreSQL’s admin-token refusal. Packaging still runs as the job user.
  • Linux AppImage: add a packaging content verifier for main-bootstrap, @embedded-postgres natives, and omp-runtime dist entrypoints; wire it into release.yml, test-release.yml, and the advisory Desktop packaging PR lane (after electron-builder --dir).
  • Fix eslint no-undef on bare URL in the verifier script (was red on fix(desktop): assert Linux AppImage embeds Postgres packaging #2131).

Context

Desktop packaging on Ubuntu was mostly green; Windows desktop builds and the AppImage packaging PR (#2131 lint) were the remaining red paths. The win-pg-diag pivot (run smoke as non-admin) proved green on CI; this ports that approach without removing main’s elevated-token product path for end-user “Run as administrator” cases (smoke simply does not take that path when the process is non-admin).

Test plan

  • pnpm --filter @fusion/desktop exec vitest run src/__tests__/release-workflow.test.ts
  • pnpm exec eslint scripts/verify-desktop-linux-pg-packaging.mjs
  • Desktop packaging workflow on this PR
  • Desktop Windows Build (workflow_dispatch)
  • Confirm fix(desktop): assert Linux AppImage embeds Postgres packaging #2131 supersession if this lands the same AppImage checks

Summary by CodeRabbit

  • Bug Fixes

    • Strengthened Linux desktop AppImage validation to confirm embedded PostgreSQL artifacts, required binaries, symlink hydration, and the expected app entrypoints are present after packaging.
    • Improved Windows embedded PostgreSQL smoke testing by running under a non-administrator helper user with a prewarmed profile environment.
  • Tests

    • Added automated packaging/release workflow verification steps (Linux and Windows) to catch embedded PostgreSQL content regressions earlier, including during artifact build and release verification.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@gsxdsm, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 26 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d1ffb0a0-b2f0-4956-81c3-95e38241e38b

📥 Commits

Reviewing files that changed from the base of the PR and between 4f48363 and ebc50f7.

📒 Files selected for processing (11)
  • .changeset/friendly-shims-fix.md
  • .github/workflows/desktop-packaging.yml
  • .github/workflows/desktop-windows.yml
  • .github/workflows/release.yml
  • .github/workflows/test-release.yml
  • packages/cli/src/__tests__/plugin-sdk-export.test.ts
  • packages/cli/src/plugin-sdk-core-runtime-shim.mjs
  • packages/cli/src/plugin-sdk-core-runtime-shim.ts
  • packages/cli/tsup.config.ts
  • packages/desktop/src/__tests__/release-workflow.test.ts
  • scripts/verify-desktop-linux-pg-packaging.mjs
📝 Walkthrough

Walkthrough

Adds a Linux AppImage verifier for embedded Postgres packaging, wires it into desktop packaging and release workflows, and runs Windows embedded-Postgres smoke tests under a prepared non-admin helper account.

Changes

Desktop embedded Postgres validation

Layer / File(s) Summary
Linux verifier discovery and validation
scripts/verify-desktop-linux-pg-packaging.mjs
Discovers electron-builder unpacked Linux trees, resolves asar, and validates Postgres packages, native binaries, symlinks, runtime entrypoints, and the packaged main field.
Linux packaging workflow gates
.github/workflows/desktop-packaging.yml, .github/workflows/test-release.yml, .github/workflows/release.yml
Runs the Linux AppImage packaging verifier after artifact generation and before release signing, checksums, and uploads.
Windows smoke execution
.github/workflows/desktop-windows.yml
Creates and prepares the fusion-pg helper account, grants required access, and launches the embedded-Postgres smoke test with Start-Process.
Workflow regression tests
packages/desktop/src/__tests__/release-workflow.test.ts
Checks the Windows helper-user workflow behavior and verifies Linux verifier wiring across all three workflows.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseWorkflow
  participant verifyDesktopLinuxPgPackaging
  participant AppImageUnpackedTree
  participant AsarCli
  ReleaseWorkflow->>verifyDesktopLinuxPgPackaging: run Linux AppImage verification
  verifyDesktopLinuxPgPackaging->>AppImageUnpackedTree: inspect resources and embedded Postgres files
  verifyDesktopLinuxPgPackaging->>AsarCli: list and extract app.asar contents
  AsarCli-->>verifyDesktopLinuxPgPackaging: return packaged paths and package.json
  verifyDesktopLinuxPgPackaging-->>ReleaseWorkflow: pass or set failure exit code
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 27.27% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the two main changes: fixing Windows smoke tests and adding Linux AppImage Postgres packaging checks.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/desktop-ci-green

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR strengthens desktop packaging and embedded PostgreSQL checks. The main changes are:

  • Run the Windows PostgreSQL smoke as a prewarmed non-admin helper user.
  • Verify Linux packages contain PostgreSQL binaries, SONAME links, bootstrap code, and OMP entrypoints.
  • Add the Linux verifier to packaging, release, and test-release workflows.
  • Bundle the PostgreSQL schema through an ESM runtime shim for the published CLI.

Confidence Score: 5/5

This looks safe to merge.

  • Exact ASAR path matching prevents source maps from satisfying required entrypoint checks.
  • Invalid SONAME manifest records now fail verification instead of being skipped.
  • The new ESM imports are supported by the Node runtime used in the affected workflows.
  • No blocking issues remain in the changed code.

Important Files Changed

Filename Overview
scripts/verify-desktop-linux-pg-packaging.mjs Adds Linux package validation and fixes exact ASAR path matching and malformed SONAME manifest handling.
.github/workflows/desktop-windows.yml Runs the PostgreSQL smoke under a prewarmed non-admin Windows account.
.github/workflows/desktop-packaging.yml Adds Linux package content verification to the advisory packaging lane.
.github/workflows/release.yml Checks Linux desktop package contents before signing release artifacts.
.github/workflows/test-release.yml Mirrors Linux package content verification in the test-release workflow.
packages/cli/src/plugin-sdk-core-runtime-shim.mjs Provides an ESM runtime shim that bundles the PostgreSQL schema from source.
packages/cli/tsup.config.ts Points plugin bundle aliases at the new ESM runtime shim.

Reviews (7): Last reviewed commit: "fix(ci): bundle plugin schema shim from ..." | Re-trigger Greptile

Comment thread scripts/verify-desktop-linux-pg-packaging.mjs Outdated
Comment thread scripts/verify-desktop-linux-pg-packaging.mjs

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/desktop-windows.yml:
- Around line 63-83: Replace the hardcoded D:\a\Fusion\Fusion workspace
references in the workflow’s icacls and generated smoke.bat commands with
$env:GITHUB_WORKSPACE, including the cd /d command, so the workflow uses the
runner-provided workspace path.
- Line 83: Replace the hardcoded workspace path in the Windows workflow command
with the runner-provided $env:GITHUB_WORKSPACE value, preserving the existing
directory-change behavior without assuming a repository name or runner path.
- Line 63: Update the icacls command in the Windows workflow to use the
$env:GITHUB_WORKSPACE environment variable as the target path instead of the
hardcoded D:\a\Fusion\Fusion path, while preserving the existing permissions and
command options.

In `@scripts/verify-desktop-linux-pg-packaging.mjs`:
- Around line 219-222: Update listIncludesAsarPath to parse the ASAR listing
into newline-delimited normalized paths and compare exact entries rather than
using substring includes checks. Ensure validation requires the exact
/dist/main-bootstrap.cjs path and each OMP entrypoint, preserving handling for
listings with or without a leading slash.
- Around line 175-201: Update the manifest-entry validation in the soname
verification loop to fail when an entry is missing valid string source or target
fields instead of silently continuing. Increment the missing count and report
the malformed entry through fail, so a manifest containing only malformed
entries cannot reach the missing === 0 success path; preserve existing link
checks for valid entries.
- Around line 245-258: Update the platform validation loop around
assertPlatformSonameLinks to derive the expected linux platform package for each
unpacked output, reject linux-* entries that do not match that expected
architecture, and validate initdb, pg_ctl, and postgres with a regular-file and
executable-mode check instead of existsSync alone. Preserve the existing
missing-package and SONAME-link validations.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5ab899f2-5a32-4d81-a759-0e5fc44cf063

📥 Commits

Reviewing files that changed from the base of the PR and between 49a459a and ff83849.

📒 Files selected for processing (6)
  • .github/workflows/desktop-packaging.yml
  • .github/workflows/desktop-windows.yml
  • .github/workflows/release.yml
  • .github/workflows/test-release.yml
  • packages/desktop/src/__tests__/release-workflow.test.ts
  • scripts/verify-desktop-linux-pg-packaging.mjs

Comment thread .github/workflows/desktop-windows.yml Outdated
Comment thread .github/workflows/desktop-windows.yml Outdated
Comment thread .github/workflows/desktop-windows.yml Outdated
Comment thread scripts/verify-desktop-linux-pg-packaging.mjs
Comment thread scripts/verify-desktop-linux-pg-packaging.mjs
Comment thread scripts/verify-desktop-linux-pg-packaging.mjs
@gsxdsm gsxdsm force-pushed the fix/desktop-ci-green branch from bb4a773 to ab09202 Compare July 15, 2026 19:37
gsxdsm added 4 commits July 15, 2026 12:41
- Run Windows embedded-PG smoke as non-admin fusion-pg (prewarm profile) so
  elevated windows-latest runners no longer hit postgres admin-token refusal
- Add AppImage packaging content verifier (main-bootstrap, natives, omp-runtime)
  to release, test-release, and the advisory desktop packaging PR lane
- Fix eslint no-undef on URL in the verifier script
Avoid recursive icacls over the entire monorepo (30–40m on windows-latest).
Grant non-recursive RX on ancestors and recursive only on packages/core,
pnpm store, and tooling paths the non-admin smoke needs.
Narrow ACL grants caused silent exit 1. Restore full recursive workspace
grants (win-pg-diag green path) and tee the non-admin bat output to smoke.log
so failures surface in the Actions log.
@gsxdsm gsxdsm force-pushed the fix/desktop-ci-green branch from ab09202 to d1af9da Compare July 15, 2026 19:41
@gsxdsm gsxdsm merged commit 5caf360 into main Jul 15, 2026
7 checks passed
@gsxdsm gsxdsm deleted the fix/desktop-ci-green branch July 15, 2026 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant