Fix CI release build failures in Sentry debug symbol steps #175
fernandotonon merged 2 commits into master
Conversation
- Linux: Add sudo to objcopy/strip (binary owned by root from sudo make) - macOS: Add sudo to dsymutil/strip (same root ownership issue) - Windows: Download sentry-cli binary directly instead of npm install (PATH override excluded Node.js, causing npm not found error) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
📝 Walkthrough
The PR updates the CI/CD deploy workflow (
Changes
Sequence Diagram(s)
sequenceDiagram
participant GH as GitHub Actions Runner
participant Build as Build Environment (Windows/Linux/macOS)
participant Sentry as Sentry (sentry-cli)
participant Art as Artifact Storage
GH->>Build: run build & produce binary + debug file
Note right of Build: on Windows: use mingw-strip, copy\non Linux/macOS: objcopy/strip/dsymutil with sudo
Build->>Build: install sentry-cli via curl (or PowerShell script)
Build->>Sentry: upload debug symbols (sentry-cli)
Sentry->>Art: store symbol artifact
Build->>Build: cleanup (rm / sudo rm) and remove sentry-cli
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: 3 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/deploy.yml:
- Around line 246-247: The workflow currently downloads an unpinned sentry-cli
binary and executes it (see the Invoke-WebRequest call and the subsequent call
to "${{github.workspace}}/sentry-cli.exe"); replace this with a safe install:
either install `@sentry/cli` via npm (use npm install -g `@sentry/cli` and invoke
sentry-cli from PATH) or use the official getsentry/action-release GitHub
Action, or if you must download a binary keep it pinned to a specific release
and add a checksum verification step against the GitHub release checksum before
executing the downloaded sentry-cli.exe to mitigate supply-chain risk.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: a4375833-0d5c-4ed8-8166-2979fda084b0
📒 Files selected for processing (1)
.github/workflows/deploy.yml
Address CodeRabbit review: replace unpinned binary download with the same curl-based install used by Linux/macOS (via Git Bash on Windows). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
♻️ Duplicate comments (1)
.github/workflows/deploy.yml (1)
243-248: ⚠️ Potential issue | 🟠 Major
Pin and verify sentry-cli instead of piping a remote installer script.
Line 245 still runs `curl -sL https://sentry.io/get-cli/ | bash`, which is unpinned and unverified. This is a supply-chain/reproducibility risk (the same pattern also exists at Line 511, Line 1208, and Line 1440).
🔐 Proposed hardening (Windows step example)
- curl -sL https://sentry.io/get-cli/ | bash - sentry-cli debug-files upload --include-sources "${{github.workspace}}/bin/QtMeshEditor.debug.exe" + SENTRY_CLI_VERSION="2.57.0" + SENTRY_CLI_ASSET="sentry-cli-Windows-x86_64.exe" + SENTRY_CLI_URL="https://github.com/getsentry/sentry-cli/releases/download/${SENTRY_CLI_VERSION}/${SENTRY_CLI_ASSET}" + curl -fsSL -o "${{github.workspace}}/sentry-cli.exe" "$SENTRY_CLI_URL" + echo "<sha256-from-release-page> ${{github.workspace}}/sentry-cli.exe" | sha256sum --check - + "${{github.workspace}}/sentry-cli.exe" debug-files upload --include-sources "${{github.workspace}}/bin/QtMeshEditor.debug.exe"
🤖 Prompt for AI Agents
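Review bot: the `sha256sum --check` line in the proposed Windows step still carries the `<sha256-from-release-page>` placeholder, so the step fails as written until the real digest of the pinned 2.57.0 `sentry-cli-Windows-x86_64.exe` asset is filled in, and that digest has to be committed in the workflow next to `SENTRY_CLI_VERSION` rather than fetched at run time, or the check verifies nothing. The same pinned-download-plus-checksum pattern also needs to be applied, with the per-platform asset name and digest, at the other `curl -sL https://sentry.io/get-cli/ | bash` occurrences the comment lists (Line 511, Line 1208, Line 1440); otherwise only the Windows step is hardened. One point in the hunk's favour worth keeping: downloading to a file with `curl -fsSL` instead of piping into `bash` means an HTTP error aborts the step instead of executing a partial script.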
Verify each finding against the current code and only fix it if needed. In @.github/workflows/deploy.yml around lines 243 - 248, Replace the unpinned piped installer ("curl -sL https://sentry.io/get-cli/ | bash") with a pinned, verified download of a specific sentry-cli release and checksum verification before executing; specifically, fetch a named release artifact (or use actions/download-release) for the desired version, verify its SHA256 against a checked-in or upstream-trusted checksum, then unpack/install and ensure the installed binary is on PATH so the subsequent sentry-cli debug-files upload call still works; apply the same change for the other occurrences referenced (the steps invoking curl | bash near the sentry-cli invocation and the uses of sentry-cli debug-files upload).
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: cf320bc4-034f-4423-9267-971b494c2325
📒 Files selected for processing (1)
.github/workflows/deploy.yml
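The pinned, checksum-verified install the review asks for, written out as an added example (not the PR's workflow or Sentry's own installer): the asset name is chosen from the runner OS, the download goes to a file, and the binary is deleted rather than executed if its SHA-256 does not match the digest committed alongside the version. The version is the one the review proposes; the non-Windows asset names and the digest values are assumptions to be checked against the release page.

```shell
#!/usr/bin/env bash
# Added example: install a pinned sentry-cli release only after verifying its
# SHA-256 against a digest stored in the workflow. Not from the PR itself.
set -eu

SENTRY_CLI_VERSION="2.57.0"   # pin from the review comment; bump deliberately

# Map $RUNNER_OS (Linux / macOS / Windows on GitHub runners) to a release asset.
# Asset names are assumed here; confirm them on the getsentry/sentry-cli release page.
sentry_cli_asset() {
  case "$1" in
    Linux)   echo "sentry-cli-Linux-x86_64" ;;
    macOS)   echo "sentry-cli-Darwin-universal" ;;
    Windows) echo "sentry-cli-Windows-x86_64.exe" ;;
    *)       echo "unsupported runner OS: $1" >&2; return 1 ;;
  esac
}

# SHA-256 of a file, portable across sha256sum (Linux, Git Bash) and shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only when the file matches the expected digest; on mismatch remove the
# file so no later step can run an unverified binary by accident.
verify_or_remove() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
}

# Download the pinned asset, verify it, and only then make it executable.
# Usage: install_sentry_cli "$RUNNER_OS" "<sha256 committed in the workflow>" ./sentry-cli
install_sentry_cli() {
  os="$1"; expected="$2"; dest="${3:-./sentry-cli}"
  asset="$(sentry_cli_asset "$os")"
  url="https://github.com/getsentry/sentry-cli/releases/download/${SENTRY_CLI_VERSION}/${asset}"
  curl -fsSL --retry 3 -o "$dest" "$url"   # -f: HTTP errors abort, no partial file is kept
  verify_or_remove "$dest" "$expected"
  chmod +x "$dest"
}
```

After `install_sentry_cli` returns successfully, the existing `./sentry-cli debug-files upload --include-sources ...` call can run unchanged; a mismatch leaves no binary on disk and fails the step.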
Summary
- Add `sudo` to `objcopy`/`strip` commands (binary is owned by root from `sudo make install`)
- Add `sudo` to `dsymutil`/`strip` commands (same root ownership issue)
- Download `sentry-cli` binary directly instead of `npm install -g @sentry/cli` (the PATH override excluded Node.js, causing `npm: not recognized` error)

These failures only occur on `release` events (tag creation) since the Sentry debug symbol upload steps are gated by `if: github.event_name == 'release'`.
Test plan
🤖 Generated with Claude Code