Skip to content

Improve CI#15189

Merged
koppor merged 12 commits into
mainfrom
fix-ci
Feb 22, 2026
Merged

Improve CI#15189
koppor merged 12 commits into
mainfrom
fix-ci

Conversation

@koppor

@koppor koppor commented Feb 22, 2026

Copy link
Copy Markdown
Member

PR Description

Improves the CI based on our experience of the last release

Steps to test

See CI passing

Checklist

  • I own the copyright of the code submitted and I license it under the MIT license
  • [/] I manually tested my changes in running JabRef (always required)
  • [/] I added JUnit tests for changes (if applicable)
  • [/] I added screenshots in the PR description (if change is visible to the user)
  • [/] I added a screenshot in the PR description showing a library with a single entry with me as author and as title the issue number
  • [/] I described the change in CHANGELOG.md in a way that can be understood by the average user (if change is visible to the user)
  • [/] I checked the user documentation for up to dateness and submitted a pull request to our user documentation repository

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Feb 22, 2026

Copy link
Copy Markdown
Contributor

Review Summary by Qodo

Improve CI pipeline with macOS fixes and upload conditions

✨ Enhancement

Grey Divider

Walkthroughs

Description 
• Use gradlew wrapper on macOS instead of gradle command
• Add codesign verification for macOS builds
• Extend notarization to main-release branch
• Fix upload conditions for non-PR events
• Handle tag builds with proper path normalization
• Add progress indicator to wget downloads
• Remove unused useEaJdk parameter from workflows
• Improve artifact naming with shadowJar suffix
Diagram 
flowchart LR
  A["CI Improvements"] --> B["macOS Build Changes"]
  A --> C["Upload & Notarization Logic"]
  A --> D["Artifact & Naming Updates"]
  B --> B1["Use gradlew wrapper"]
  B --> B2["Add codesign verification"]
  C --> C1["Extend to main-release"]
  C --> C2["Fix non-PR conditions"]
  C --> C3["Tag build path handling"]
  D --> D1["Remove useEaJdk param"]
  D --> D2["Add shadowJar suffix"]
Loading

Grey Divider

File Changes

1. .github/actions/package/action.yml ✨ Enhancement +11/-1

Add codesign verification and improve artifact naming

• Added secretsPresent input parameter for conditional codesign verification
• Added codesign verification step for macOS builds when secrets are available
• Updated artifact upload name to include (shadowJar) suffix for clarity

.github/actions/package/action.yml

2. .github/workflows/binaries.yml ✨ Enhancement +21/-8

Fix macOS builds and upload conditions

• Changed macOS gradle command from gradle to ./gradlew wrapper
• Extended notarization condition to include main-release branch
• Updated upload condition to check for main-release branch alongside main
• Added logic to skip disk space check for non-PR events
• Fixed tag build path normalization to use proper branch name
• Removed unused useEaJdk parameter from all package action calls
• Added secretsPresent parameter to all package action invocations

.github/workflows/binaries.yml

3. .github/workflows/upload-release.yml ✨ Enhancement +1/-1

Show wget download progress

• Added --show-progress flag to wget command for better visibility during downloads

.github/workflows/upload-release.yml

Grey Divider

Qodo Logo

Siedlerchr
Siedlerchr previously approved these changes Feb 22, 2026
View reviewed changes
Siedlerchr
Siedlerchr reviewed Feb 22, 2026
View reviewed changes
Comment thread .github/workflows/binaries.yml
gradleCommand: ${{ matrix.gradleCommand }}
component: jabgui
componentShort: jabgui
useEaJdk: ${{ needs.conditions.outputs.useEaJdk }}

@Siedlerchr Siedlerchr Feb 22, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ea jdk option is no lonver available?

@koppor koppor Feb 22, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is available, but setup in binaries, not in the custom action.

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Feb 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (1) 📎 Requirement gaps (0)

Grey Divider


Action required

1. codesign verify unguarded step 📘 Rule violation ⛯ Reliability
Description 
A codesign --verify step runs unconditionally and will likely fail on non-macOS runners or when no
.dmg exists. Additionally, the guarded step checks inputs.os == 'macos-latest', but the workflow
passes macOS values like macos-15/macos-15-intel, so the condition is incorrect and the intended
gating may never apply.
Code

.github/actions/package/action.yml[R63-70]

+    - name: Validate signature
+      if: ${{ inputs.secretsPresent == 'true' && inputs.os == 'macos-latest' }}
+      shell: bash
+      run: |
+        codesign --verify --verbose ${{ inputs.component }}/build/packages/${{ inputs.os }}/*.dmg
+    - shell: bash
+      run: |
+        codesign --verify --verbose ${{ inputs.component }}/build/packages/${{ inputs.os }}/*.dmg
Evidence 
PR Compliance ID 3 requires handling failure points/edge cases; running codesign without an
OS/file-existence guard introduces a brittle CI failure point. PR Compliance ID 25 requires correct
conditional logic; the if compares against macos-latest while the workflow uses macos-15 and
macos-15-intel, making the condition mismatched to actual inputs.

Rule 3: Generic: Robust Error Handling and Edge Case Management
.github/actions/package/action.yml[63-70]
.github/workflows/binaries.yml[396-413]
Best Practice: Learned patterns

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The composite action runs `codesign --verify` unconditionally and also contains an `if` guard that checks for `inputs.os == 'macos-latest'`, which does not match the macOS OS values used in the calling workflow (e.g., `macos-15`, `macos-15-intel`). This can cause CI failures on non-macOS runners and makes the intended conditional signature validation ineffective.
## Issue Context
The workflow matrix uses macOS identifiers like `macos-15`/`macos-15-intel`, so any condition expecting `macos-latest` will not trigger. `codesign` is macOS-specific and should not run on other OSes, and the `.dmg` path/glob should be validated before executing verification.
## Fix Focus Areas
- .github/actions/package/action.yml[63-70]
- .github/workflows/binaries.yml[396-413]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Grey Divider

ⓘ The new review experience is currently in Beta. Learn more

Grey Divider

Qodo Logo

qodo-free-for-open-source-projects[bot]
qodo-free-for-open-source-projects Bot reviewed Feb 22, 2026
View reviewed changes
Comment thread .github/actions/package/action.yml Outdated
Comment on lines +63 to +70
- name: Validate signature
if: ${{ inputs.secretsPresent == 'true' && inputs.os == 'macos-latest' }}
shell: bash
run: |
codesign --verify --verbose ${{ inputs.component }}/build/packages/${{ inputs.os }}/*.dmg
- shell: bash
run: |
codesign --verify --verbose ${{ inputs.component }}/build/packages/${{ inputs.os }}/*.dmg

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects Bot Feb 22, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. codesign verify unguarded step 📘 Rule violation ⛯ Reliability

A codesign --verify step runs unconditionally and will likely fail on non-macOS runners or when no
.dmg exists. Additionally, the guarded step checks inputs.os == 'macos-latest', but the workflow
passes macOS values like macos-15/macos-15-intel, so the condition is incorrect and the intended
gating may never apply.
Agent Prompt 
## Issue description
The composite action runs `codesign --verify` unconditionally and also contains an `if` guard that checks for `inputs.os == 'macos-latest'`, which does not match the macOS OS values used in the calling workflow (e.g., `macos-15`, `macos-15-intel`). This can cause CI failures on non-macOS runners and makes the intended conditional signature validation ineffective.

## Issue Context
The workflow matrix uses macOS identifiers like `macos-15`/`macos-15-intel`, so any condition expecting `macos-latest` will not trigger. `codesign` is macOS-specific and should not run on other OSes, and the `.dmg` path/glob should be validated before executing verification.

## Fix Focus Areas
- .github/actions/package/action.yml[63-70]
- .github/workflows/binaries.yml[396-413]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

@testlens-app

testlens-app Bot commented Feb 22, 2026
edited
Loading

Copy link
Copy Markdown

✅ All tests passed ✅

🏷️ Commit: 38bbd21
▶️ Tests: 10055 executed
⚪️ Checks: 66/66 completed

Learn more about TestLens at testlens.app.

@koppor koppor added the automerge PR is tagged with that label will be merged if workflows are green label Feb 22, 2026
@koppor koppor enabled auto-merge February 22, 2026 15:40
@koppor koppor added this pull request to the merge queue Feb 22, 2026
@github-actions github-actions Bot added the status: to-be-merged PRs which are accepted and should go into the merge-queue. label Feb 22, 2026
Merged via the queue into main with commit 70858c1 Feb 22, 2026
61 of 67 checks passed
@koppor koppor deleted the fix-ci branch February 22, 2026 16:21
Siedlerchr added a commit to LoayTarek5/jabref that referenced this pull request Feb 23, 2026
@Siedlerchr
Merge remote-tracking branch 'upstream/main' into feature-unlinked-fi…
c2b66fa 
…les-wizard-12709

* upstream/main: (106 commits)
  Merge common gating parts into composite action (JabRef#15197)
  Support protected institutional authors in PersonNamesChecker (JabRef#15175)
  adapt wix (JabRef#14969)
  Improve CI (JabRef#15189)
  Revert "Reduce complexity in dependencies setup (JabRef#15169)" (JabRef#15191)
  Fix compilation
  Fix heylogs test
  Fix icon on Linux (JabRef#15188)
  chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3.5.5 (JabRef#15178)
  New Crowdin updates (JabRef#15173)
  Reduce complexity in dependencies setup (JabRef#15169)
  Start new development cycle
  snapcraft
  snapcraft
  use snapctl
  update metadata fiels
  try with  mesa candidate
  fix snapcraft and skmanrc to use correct version
  Release v6.0-alpha.5
  chore(sbom): update CycloneDX SBOM files (JabRef#15172)
  ...
RakockiW pushed a commit to RakockiW/jabref that referenced this pull request Mar 1, 2026
@koppor @RakockiW
Improve CI (JabRef#15189)
815157e 
* Use gradlew also on macOS

* Show progress at wget

* Fix displayname

* Also notarize on main-release

* Fix condition for uploading

* Upload at non-pr

* Fix path for tag builds

* Remove non-used parameter useEaJdk

* Add codesign verification

* Always run (we did not see in the logs)

* Remove codesign call

---------

Co-authored-by: Oliver <koppor@red-debian.fritz.box>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Siedlerchr Siedlerchr Siedlerchr left review comments

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects[bot] qodo-free-for-open-source-projects[bot] left review comments

@jabref-machine jabref-machine jabref-machine approved these changes

Assignees

No one assigned

Labels

automerge PR is tagged with that label will be merged if workflows are green dev: ci-cd status: to-be-merged PRs which are accepted and should go into the merge-queue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@koppor @Siedlerchr @jabref-machine