small fixes and changes #3
Actionable comments posted: 8
🧹 Nitpick comments (4)
.github/workflows/xcodebuild-or-fastlane.yml (2)
429-429: 💤 Low value: Consider breaking long line for readability.
This line exceeds 150 characters. Consider breaking it into multiple lines for better readability.
📏 Suggested formatting
  if [ -n "${{ inputs.firebaseemulatorimport }}" ]; then
    echo "Importing firebase emulator data from ${{ inputs.firebaseemulatorimport }}"
-   firebase emulators:exec -c ${{ inputs.firebasejsonpath }} --import=${{ inputs.firebaseemulatorimport }} 'fastlane ${{ inputs.fastlanelane }}'
+   firebase emulators:exec \
+     -c ${{ inputs.firebasejsonpath }} \
+     --import=${{ inputs.firebaseemulatorimport }} \
+     'fastlane ${{ inputs.fastlanelane }}'
  else
452-455: ⚖️ Poor tradeoff: Clarify keychain cleanup condition logic.
The cleanup condition `(inputs.setupsigning && runner.environment != 'github-hosted') || failure()` doesn't match the setup condition at line 284, which is simply `inputs.setupsigning`. This means on github-hosted runners with signing enabled, signing materials are set up but only cleaned up on failure. While github-hosted runners are ephemeral (making this low-risk), the asymmetry is confusing and could be problematic if the runner type assumptions change.
Consider either:
- Always cleaning up when `inputs.setupsigning` is true, OR
- Adding a comment explaining why github-hosted success cases skip cleanup
.github/workflows/firebase-emulators-exec.yml (2)
149-154: 💤 Low value: Path construction could be more robust.
The path `${{ inputs.path }}/${{ inputs.artifact }}` uses simple string concatenation. While this works for typical cases (e.g., `./myfile.txt`), it may produce unexpected results if:
- `inputs.path` has a trailing slash: `.//myfile.txt` (benign but inelegant)
- `inputs.artifact` has a leading slash (unlikely but possible)
GitHub Actions expressions don't offer built-in path joining, so this approach is pragmatic. However, consider documenting the expected format or adding an example in the input description.
Note: The static analysis tool flagged the unpinned `actions/upload-artifact@v7` reference. This is consistent with the project's style throughout this file (all actions use version tags rather than commit SHAs), so it's a project-wide policy rather than a localized concern.
70-75: ⚡ Quick win: Clarify the `artifact` input description and consider separating concerns.
The description states "name and path" but `artifact` is a single string used both as the artifact name (line 153) and concatenated into the upload path (line 154). This dual-purpose design may confuse callers:
- If a user provides `test-results.xml`, it works cleanly (name: `test-results.xml`, path: `./<file>`)
- If a user provides `build/output/results.xml`, the artifact name becomes `build/output/results.xml` (slashes are flattened by GitHub Actions, but this is non-intuitive)
Additionally, "at the end of the build" is inaccurate—this workflow executes commands, not builds.
Consider either:
- Clarifying the description to specify that `artifact` should be a relative path from `inputs.path` and will also be used as the artifact name, or
- Splitting into `artifact_name` and `artifact_path` inputs for clearer semantics
📒 Files selected for processing (4)
- .github/workflows/coverage.yml
- .github/workflows/firebase-emulators-exec.yml
- .github/workflows/swiftlint.yml
- .github/workflows/xcodebuild-or-fastlane.yml
| mv "${FILES[0]}" CodeCoverage.xcresult | ||
| fi | ||
| - uses: stanfordbdhg/xccov2lcov@v1 | ||
| - uses: SchmiedmayerLab/xccov2lcov@v1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
repo="SchmiedmayerLab/xccov2lcov"
tag="v1"
ref_type="$(gh api "repos/${repo}/git/ref/tags/${tag}" --jq '.object.type')"
ref_sha="$(gh api "repos/${repo}/git/ref/tags/${tag}" --jq '.object.sha')"
if [ "$ref_type" = "tag" ]; then
commit_sha="$(gh api "repos/${repo}/git/tags/${ref_sha}" --jq '.object.sha')"
else
commit_sha="$ref_sha"
fi
echo "${repo}@${tag} -> ${commit_sha}"
Repository: SchmiedmayerLab/.github
🏁 Script executed:
# Check if the file exists and read the content around line 84
if [ -f ".github/workflows/coverage.yml" ]; then
echo "=== File exists ==="
wc -l ".github/workflows/coverage.yml"
echo "=== Content around line 84 ==="
sed -n '80,90p' ".github/workflows/coverage.yml"
else
echo "File not found"
fi
Pin SchmiedmayerLab/xccov2lcov to an immutable commit SHA.
Line 84 uses a mutable tag (@v1), which weakens supply-chain integrity in CI. Pin this action to a full commit SHA.
Suggested change
- - uses: SchmiedmayerLab/xccov2lcov@v1
+ - uses: SchmiedmayerLab/xccov2lcov@697201fd774984499fd13fa0bc16335210e25c0f # v1
🧰 Tools
🪛 zizmor (1.25.2)
[error] 84-84: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
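An added check, not part of this PR or of CodeRabbit's output, that scans workflow YAML for `uses:` references not pinned to a full commit SHA, which is the condition zizmor's unpinned-uses rule reports above. The sample workflow text is constructed for the example; only the two xccov2lcov references (the `@v1` tag and the pinned SHA) are taken from the comment above.

```shell
#!/bin/sh
# Added example: report GitHub Actions `uses:` references that are not pinned to a
# full commit SHA (the condition zizmor's unpinned-uses rule flags). Not part of the PR.

# Constructed sample workflow for the example; only the xccov2lcov refs come from the review.
SAMPLE_WORKFLOW='
jobs:
  coverage:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: SchmiedmayerLab/xccov2lcov@697201fd774984499fd13fa0bc16335210e25c0f # v1
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: stanfordbdhg/xccov2lcov@v1
'

# is_pinned REF: true only when REF is a 40-character lowercase hex commit SHA.
is_pinned() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# unpinned_uses: reads workflow YAML on stdin and prints one reference per line for
# every `uses:` entry that is neither a local action path, a docker image, nor SHA-pinned.
unpinned_uses() {
  # keep only the value of each `uses:` key, then drop trailing "# ..." comments
  sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*//p' |
  sed 's/[[:space:]]*#.*$//' |
  while IFS= read -r ref; do
    case "$ref" in
      ./*|docker://*) continue ;;   # local actions and images are out of scope here
    esac
    name=${ref%%@*}
    version=${ref#*@}
    # no "@ref" at all, or a tag/branch instead of a SHA: report it
    if [ "$name" = "$ref" ] || ! is_pinned "$version"; then
      printf '%s\n' "$ref"
    fi
  done
}

# scan_file FILE: like unpinned_uses but prefixes each finding with the file name.
scan_file() {
  unpinned_uses < "$1" | sed "s|^|$1: |"
}

# count_unpinned: number of findings in the embedded sample (2 for the sample above).
count_unpinned() {
  printf '%s' "$SAMPLE_WORKFLOW" | unpinned_uses | wc -l | tr -d ' '
}

# Stand-alone run: list the unpinned references in the sample.
printf '%s' "$SAMPLE_WORKFLOW" | unpinned_uses
```

Run `scan_file .github/workflows/coverage.yml` (or loop over `.github/workflows/*.yml`) to apply the same check to a real repository.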
| default: 'platform=iOS Simulator,name=iPhone 17 Pro' | ||
| setupSimulators: | ||
| description: | | ||
| Flag indicating if all iOS simulators matching the `destination` input shoud be setup. |
Fix typo in description.
"shoud" should be "should".
📝 Proposed fix
- Flag indicating if all iOS simulators matching the `destination` input shoud be setup.
+ Flag indicating if all iOS simulators matching the `destination` input should be setup.
| GOOGLE_SERVICE_INFO_PLIST_BASE64: | ||
| description: | | ||
| The Base64 version of the GoogleService-Info.plist file that is used. | ||
| Replace the file found at googleserviceinfoplistpath if the arguemnt is set. |
Fix typo in description.
"arguemnt" should be "argument".
📝 Proposed fix
- Replace the file found at googleserviceinfoplistpath if the arguemnt is set.
+ Replace the file found at googleserviceinfoplistpath if the argument is set.
| - uses: actions/checkout@v4 | ||
| with: | ||
| # This is GitHubs way of implementing ternary expressions (see https://docs.github.com/en/actions/learn-github-actions/expressions) | ||
| token: ${{ secrets.CHECKOUT_TOKEN != '' && secrets.CHECKOUT_TOKEN || github.token }} | ||
| submodules: ${{ inputs.checkout_submodules }} | ||
| lfs: ${{ inputs.checkout_lfs }} |
Add persist-credentials: false to checkout action.
The checkout action should set persist-credentials: false to prevent the GitHub token from being persisted in the workspace and accessible to subsequent steps or artifacts. This is a security best practice to limit credential exposure.
🔒 Proposed fix
- uses: actions/checkout@v4
with:
+ persist-credentials: false
# This is GitHubs way of implementing ternary expressions (see https://docs.github.com/en/actions/learn-github-actions/expressions)
token: ${{ secrets.CHECKOUT_TOKEN != '' && secrets.CHECKOUT_TOKEN || github.token }}
submodules: ${{ inputs.checkout_submodules }}
lfs: ${{ inputs.checkout_lfs }}
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 242-247: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 242-242: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| - name: Cache .derivedData folder (Deprecated) | ||
| if: ${{ inputs.cacheDerivedData }} | ||
| run: | | ||
| echo "::warning::Caching of the .derivedData folder was removed and is deprecated. Plase stop using this option." |
Fix typo in deprecation warning.
"Plase" should be "Please".
📝 Proposed fix
- echo "::warning::Caching of the .derivedData folder was removed and is deprecated. Plase stop using this option."
+ echo "::warning::Caching of the .derivedData folder was removed and is deprecated. Please stop using this option."
| - name: Check available Simulators | ||
| if: ${{ inputs.scheme != '' }} | ||
| run: | | ||
| xcrun xcodebuild -scheme ${{ inputs.scheme }} -showdestinations |
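Review bot: putting quotes around `${{ inputs.scheme }}` on this line does not resolve the template-injection finding, because the expression is substituted into the script text before the shell parses it, so a scheme value containing a quote character still changes the command that runs. Pass the input through the step environment and let the shell do the quoting: `env:` / `SCHEME: ${{ inputs.scheme }}` / `xcrun xcodebuild -scheme "$SCHEME" -showdestinations`. The `if: ${{ inputs.scheme != '' }}` guard can stay as it is.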
Quote the scheme parameter.
The scheme input should be quoted to handle schemes with spaces or special characters safely.
🛡️ Proposed fix
- xcrun xcodebuild -scheme ${{ inputs.scheme }} -showdestinations
+ xcrun xcodebuild -scheme '${{ inputs.scheme }}' -showdestinations
🧰 Tools
🪛 zizmor (1.25.2)
[error] 347-347: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
| run: | | ||
| xcodebuild \ | ||
| -scheme ${{ inputs.scheme }} \ | ||
| -resolvePackageDependencies \ | ||
| -derivedDataPath ".derivedData" \ | ||
| ${{ inputs.spm-disable-prebuilts && '-IDEPackageEnablePrebuilts=NO' || '' }} \ | ||
| | xcbeautify \ | ||
| || true |
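Review bot: `-scheme ${{ inputs.scheme }}` has the same template-expansion problem as the `-showdestinations` step, and quoting inside the `run:` text is not a fix because the value is spliced in before the shell sees it; supply it as `env:` / `SCHEME: ${{ inputs.scheme }}` and write `-scheme "$SCHEME" \`. Separately, the trailing `|| true` masks every failure of this pipeline, and without `set -o pipefail` the pipeline's status would be xcbeautify's rather than xcodebuild's anyway, so a broken `-resolvePackageDependencies` only surfaces in a later step with a less useful error; if the step is meant to be best-effort, say so in its name, otherwise drop `|| true` and enable `pipefail`.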
Quote the scheme parameter in dependency resolution.
The scheme input should be quoted to handle schemes with spaces or special characters safely.
🛡️ Proposed fix
xcodebuild \
- -scheme ${{ inputs.scheme }} \
+ -scheme '${{ inputs.scheme }}' \
-resolvePackageDependencies \
-derivedDataPath ".derivedData" \
${{ inputs.spm-disable-prebuilts && '-IDEPackageEnablePrebuilts=NO' || '' }} \
🧰 Tools
🪛 zizmor (1.25.2)
[error] 360-360: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
| if: ${{ inputs.fastlanelane != '' || failure() }} | ||
| run: | | ||
| rm -rf $RUNNER_TEMP/google-application-credentials.json || true |
Fix Google credentials cleanup condition mismatch.
The cleanup runs when `inputs.fastlanelane != ''` but the credentials are only created (line 423) when `inputs.setupfirebaseemulator` is true. This condition mismatch means:
- If `fastlanelane` is set without `setupfirebaseemulator`, cleanup attempts to remove a non-existent file
- If `setupfirebaseemulator` is true but `fastlanelane` is empty (e.g., using `customcommand`), credentials may not be cleaned up
🔧 Proposed fix
- name: Clean up Google application credentials
- if: ${{ inputs.fastlanelane != '' || failure() }}
+ if: ${{ inputs.setupfirebaseemulator || failure() }}
run: |
rm -rf $RUNNER_TEMP/google-application-credentials.json || true
PSchmiedmayer left a comment:
Thanks @lukaskollmer; happy to merge once the lint issues are resolved.
⚙️ Release Notes
`xcodebuild-or-fastlane` workflow as an alternative to the new firebase-emulators-exec workflow (which currently doesn't have artifact uploading support)
📚 Documentation
n/a
✅ Testing
n/a