
IEP-1720: ci(macos) switch to release-sign action for code signing#1406

Open

kolipakakondal wants to merge 1 commit into master from IEP-1720

Conversation

@kolipakakondal (Collaborator) commented Mar 3, 2026

Description

ci(macos): switch to release-sign action for code signing

Fixes # (IEP-1720)

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How has this been tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Test Configuration:

  • ESP-IDF Version:
  • OS (Windows,Linux and macOS):

Dependent components impacted by this PR:

  • Component 1
  • Component 2

Checklist

  • PR Self Reviewed
  • Applied Code formatting
  • Added Documentation
  • Added Unit Test
  • Verified on all platforms - Windows,Linux and macOS

Summary by CodeRabbit

  • Chores
    • Improved macOS application signing and packaging processes.
    • Updated build infrastructure dependencies for enhanced reliability and maintainability.

@coderabbitai bot commented Mar 3, 2026

📝 Walkthrough

The PR refactors the macOS code-signing workflow by replacing inline signing scripts with the dedicated espressif/release-sign action, upgrades the checkout action to v4, and adds DMG creation steps for both x86_64 and aarch64 architectures.

Changes

Cohort / File(s): CI/CD Workflow Modernization (.github/workflows/ci.yml)
Summary: Replaces inline macOS code-signing with the espressif/release-sign@master action and corresponding inputs, upgrades actions/checkout from v2 to v4 in build jobs, and adds two new DMG creation steps for the macOS x86_64 and aarch64 architectures.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • alirana01
  • sigmaaa

Poem

🐰 wiggles nose proudly

Code signing's clean and neat,
From scripts to actions sweet,
DMGs for both x86 and ARM arise,
With v4 checkout—a workflow prize! ✨

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped, CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: switching macOS CI code signing to use the release-sign action instead of inline scripts.


@kolipakakondal kolipakakondal requested a review from sigmaaa March 3, 2026 17:50
@kolipakakondal kolipakakondal added this to the v4.2.0 milestone Mar 3, 2026
@coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

123-123: Rename duplicated step name for log clarity.

Line 123 reuses Codesign Espressif-IDE; use a distinct name (for example, Codesign DMG artifacts) to keep CI logs unambiguous.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 123, The CI step name "Codesign
Espressif-IDE" is duplicated; update the step's name string in the workflow (the
step that currently shows name: "Codesign Espressif-IDE") to a distinct,
descriptive value such as "Codesign DMG artifacts" so logs are unambiguous and
each step can be distinguished in CI output.

123-130: Add explicit DMG signature verification before upload.

After signing, verify both DMGs before the upload steps (lines 131-143) to avoid publishing unsigned or broken artifacts.

✅ Suggested follow-up step
+    - name: Verify DMG signatures
+      run: |
+        codesign --verify --deep --strict --verbose=2 releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+        codesign --verify --deep --strict --verbose=2 releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
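Review bot: the two `codesign --verify --deep --strict` lines in this hunk check only the disk image's own signature; a DMG is a single flat file, so `--deep` has nothing to descend into and the .app inside the image is not verified by this step. Mount the image with `hdiutil attach` and run the same `codesign --verify --deep --strict` against the bundle, or assess the image with `spctl --assess --type open --context context:primary-signature -v <dmg>`, which is the check Gatekeeper applies to a downloaded disk image. The two hard-coded paths will also silently skip any architecture added later; iterating over `releng/ide-dmg-builder/*.dmg` and failing when the glob matches nothing is more robust.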
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 123 - 130, Add an explicit
verification step after the "Codesign Espressif-IDE" action to ensure both DMG
artifacts produced by releng/ide-dmg-builder are correctly signed before upload:
locate the "Codesign Espressif-IDE" step and insert a new job/step that finds
the two DMG files, runs hdiutil verify <dmg> and codesign -v --deep --strict
<dmg> (and optionally spctl --assess --type execute <dmg>) for each DMG, fails
the workflow if any verification command returns non-zero, and outputs clear
error messages identifying which DMG failed; reference the step name "Codesign
Espressif-IDE" and the artifact producer "releng/ide-dmg-builder" to place this
verification immediately after signing and before the upload steps.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 109: The workflow currently references the action string "uses:
espressif/release-sign@master", which is mutable; update both occurrences of
that exact string to pin to a specific commit SHA (e.g., "uses:
espressif/release-sign@<commit-sha>") so the release-sign action is immutable
and reproducible—replace both instances in the workflow.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 123: The CI step name "Codesign Espressif-IDE" is duplicated; update the
step's name string in the workflow (the step that currently shows name:
"Codesign Espressif-IDE") to a distinct, descriptive value such as "Codesign DMG
artifacts" so logs are unambiguous and each step can be distinguished in CI
output.
- Around line 123-130: Add an explicit verification step after the "Codesign
Espressif-IDE" action to ensure both DMG artifacts produced by
releng/ide-dmg-builder are correctly signed before upload: locate the "Codesign
Espressif-IDE" step and insert a new job/step that finds the two DMG files, runs
hdiutil verify <dmg> and codesign -v --deep --strict <dmg> (and optionally spctl
--assess --type execute <dmg>) for each DMG, fails the workflow if any
verification command returns non-zero, and outputs clear error messages
identifying which DMG failed; reference the step name "Codesign Espressif-IDE"
and the artifact producer "releng/ide-dmg-builder" to place this verification
immediately after signing and before the upload steps.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2261868 and 654be3f.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

uses: espressif/release-sign@master

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check the file exists and view the relevant lines
cat -n .github/workflows/ci.yml | sed -n '105,130p'

Repository: espressif/idf-eclipse-plugin

Length of output: 1472


🏁 Script executed:

# Also verify the exact pattern at lines 109 and 124
sed -n '109p;124p' .github/workflows/ci.yml

Repository: espressif/idf-eclipse-plugin

Length of output: 155


🏁 Script executed:

# Search for all uses of espressif/release-sign in the file
rg -n 'espressif/release-sign' .github/workflows/ci.yml

Repository: espressif/idf-eclipse-plugin

Length of output: 163


🏁 Script executed:

# Search for all action uses in the workflow
rg -n 'uses:' .github/workflows/ci.yml | head -30

Repository: espressif/idf-eclipse-plugin

Length of output: 742


🏁 Script executed:

# Check what versions/tags are available for espressif/release-sign
# First let's see if there are any pinned versions in other workflows
fd -t f '\.yml$' -o '\.yaml$' .github/workflows/ -exec grep -l 'espressif/release-sign' {} \;

Repository: espressif/idf-eclipse-plugin

Length of output: 205


🏁 Script executed:

# Check for GitHub Actions best practices - search for pinned vs unpinned in entire workflow
rg '@(master|main|latest|develop|v[0-9])' .github/workflows/ci.yml | wc -l

Repository: espressif/idf-eclipse-plugin

Length of output: 74


Pin espressif/release-sign to a specific commit SHA.

Lines 109 and 124 use @master, which creates a mutable, non-reproducible release-signing path. All other actions in this workflow are pinned to specific versions. Replace both with a pinned commit SHA.

Suggested change
-      uses: espressif/release-sign@master
+      uses: espressif/release-sign@<commit-sha>
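Review bot: the `<commit-sha>` placeholder in this suggestion must be replaced by the full 40-character commit SHA (GitHub does not resolve abbreviated SHAs in `uses:`), taken from the espressif/release-sign repository itself rather than a fork, and should carry a trailing `# vX.Y.Z` comment so Dependabot or Renovate can still propose updates against the pin. Pinning freezes only this action's own code: if release-sign is a composite action, whatever it `uses:` internally is pinned, or not, inside that commit, so the pinned revision is worth a look for that as well.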

Apply to both line 109 and line 124.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 109, The workflow currently references the
action string "uses: espressif/release-sign@master", which is mutable; update
both occurrences of that exact string to pin to a specific commit SHA (e.g.,
"uses: espressif/release-sign@<commit-sha>") so the release-sign action is
immutable and reproducible—replace both instances in the workflow.
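The pinning finding above is easy to enforce in CI with a small checker; the following is an added example, not part of the PR or of the CodeRabbit review, and the workflow fragment it scans (including its 40-hex SHA) is constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed workflow fragment, not the project's real ci.yml; the 40-hex SHA is
# made up. Covers a branch ref, a tag ref, a SHA pin, a local and a docker action.
SAMPLE_WORKFLOW = """\
jobs:
  build-macos:
    steps:
      - uses: actions/checkout@v4
      - name: Codesign Espressif-IDE
        uses: espressif/release-sign@master
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567  # constructed
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Refs that are re-pointed routinely; whoever can push to them controls the job.
MUTABLE_REFS = {"master", "main", "develop", "latest", "HEAD"}

def classify_ref(spec: str) -> str:
    """How a `uses:` value pins its action: sha, tag, branch, local or docker."""
    if spec.startswith("./"):
        return "local"       # same-repo action, versioned with the workflow itself
    if spec.startswith("docker://"):
        return "docker"      # pinned by image tag or digest, outside this check
    if "@" not in spec:
        return "branch"      # no ref at all resolves to the default branch
    ref = spec.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return "sha"
    if ref in MUTABLE_REFS or not ref.lstrip("v")[:1].isdigit():
        return "branch"
    return "tag"             # e.g. v4: stable by convention, but a tag can be moved

def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """(line, spec, kind) for each `uses:` that is not a full-SHA, local or docker
    reference. 'branch' findings should fail CI; 'tag' findings are a warning."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(1)
        kind = classify_ref(spec)
        if kind in ("branch", "tag"):
            line_no = workflow_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, spec, kind))
    return findings
```

Run `find_unpinned` over a real workflow file's text and fail the job on any `branch` finding; on the sample it reports line 6 (`@master`) as an error-grade finding and line 4 (`@v4`) as a tag-level warning.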

@kolipakakondal kolipakakondal changed the title ci(macos): switch to release-sign action for code signing IEP-1720: ci(macos) switch to release-sign action for code signing Mar 3, 2026