
fix(ci): sanitize release signing key before tauri build#84

Merged: VariableThe merged 2 commits into main from fix/ci-signing-key-sanitization on Jun 29, 2026

@VariableThe VariableThe commented Jun 29, 2026

Summary

Fixes base64 decoding failure (Invalid symbol 37, offset 348) during tauri build asset bundling. Adds a workflow sanitization step to strip trailing terminal prompt EOF symbols (%) or URL-encoding artifacts before running tauri-action.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed release builds so signing keys are handled more reliably during packaging, reducing the chance of failed signed releases.
  • Documentation
    • Updated the changelog with the latest fix.
    • Added a new audit log entry for the release process update.
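The failure and the sanitization described in this PR, as an added example (not the project's workflow script): symbol 37 is the ASCII code of `%`, and a key whose base64 text is 348 characters long puts a stray trailing `%` at offset 348. The names `SAMPLE_KEY`, `first_invalid_symbol` and `sanitize_key` are hypothetical, and the key is assumed to be a single line of standard base64.

```python
import base64
import string
from urllib.parse import unquote

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed sample, not a real key: 261 bytes encode to exactly 348 base64
# characters, so a '%' pasted along with the key lands at offset 348.
SAMPLE_KEY = base64.b64encode(bytes(i % 256 for i in range(261))).decode()


def first_invalid_symbol(value):
    """Return (character code, offset) of the first non-base64 character, or None."""
    for offset, ch in enumerate(value):
        if ch not in B64_ALPHABET:
            return ord(ch), offset
    return None


def sanitize_key(raw):
    """Strip a trailing prompt marker, undo URL-encoding, reject anything else."""
    value = raw.strip().rstrip("%")  # whitespace, then trailing '%' marker(s)
    if "%" in value:                 # any '%' left must be an escape such as %3D
        value = unquote(value)
    bad = first_invalid_symbol(value)
    if bad is not None:
        # Report the position only; never echo key material into CI logs.
        raise ValueError(f"invalid symbol {bad[0]} at offset {bad[1]}")
    # Strict decode catches bad padding; binascii.Error is a ValueError subclass.
    base64.b64decode(value, validate=True)
    return value


if __name__ == "__main__":
    print(first_invalid_symbol(SAMPLE_KEY + "%"))
    print(sanitize_key(SAMPLE_KEY + "%\n") == SAMPLE_KEY)
```

Failing with a `ValueError` when the cleaned value still is not valid base64 stops the job at the sanitize step instead of handing a bad key to the build.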

…ove trailing terminal prompt artifact (%) or URL encoding

coderabbitai Bot commented Jun 29, 2026

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0804e344-b61f-4026-ade5-647b921b284b

📥 Commits

Reviewing files that changed from the base of the PR and between 2ebe3c5 and b778246.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
📝 Walkthrough

The release workflow gains a Python-based step that strips trailing % characters and URL-decodes TAURI_SIGNING_PRIVATE_KEY before passing it to tauri-apps/tauri-action. The changelog and audit log are updated to document this fix.

CI Signing Key Sanitization

| Layer / File(s) | Summary |
| --- | --- |
| Sanitize step and env wiring (.github/workflows/release.yml, CHANGELOG.md, AUDIT_LOG.md) | Adds a "Sanitize Tauri Signing Key" step using a Python inline script to strip trailing % and URL-decode the raw secret, masks the result, exports it to GITHUB_ENV, and updates the tauri-apps/tauri-action step to reference env.TAURI_SIGNING_PRIVATE_KEY. Changelog and audit log entries record the fix. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A key with a % at its tail,
Would cause the signing step to fail.
🐇 So Python strips the trailing mess,
URL-decodes the whole address,
And masks it safe before the build sets sail! 🔑

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main CI change: sanitizing the release signing key before the Tauri build. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 59-67: The Sanitize Tauri Signing Key step in the release workflow
is using Bash/POSIX syntax without an explicit shell, so the Windows runner may
execute it in PowerShell and fail. Update the sanitize step in release.yml to
force Bash by adding a shell setting, or rewrite the block for PowerShell, and
keep the logic aligned with the existing Sanitize Tauri Signing Key step so
tauri-action still receives TAURI_SIGNING_PRIVATE_KEY correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f007bf85-bc41-4a96-a65a-151df9921c52

📥 Commits

Reviewing files that changed from the base of the PR and between 825bd54 and 2ebe3c5.

📒 Files selected for processing (3)
  • .github/workflows/release.yml
  • AUDIT_LOG.md
  • CHANGELOG.md


coderabbitai Bot commented Jun 29, 2026


Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

The agent generated fixes only for .github/workflows/ files, which cannot be committed due to permission restrictions. Please apply these changes manually.


⚠️ 1 file(s) could not be committed — the agent does not have permission to push to .github/workflows/. Please apply these changes manually:

.github/workflows/release.yml — 1 change:

Lines 57–62
       - run: npm ci
         
       - name: Sanitize Tauri Signing Key
+        shell: bash
         env:
           RAW_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
         run: |
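Review bot: the `run: |` body under `RAW_KEY` is cut off after its first line, so confirm there that the sanitized value is registered with `::add-mask::` before it is appended to `$GITHUB_ENV`; once a trailing `%` is stripped or the value is URL-decoded it no longer equals the stored secret, and automatic log redaction only matches the exact secret string. The script should also exit non-zero when the cleaned value still is not valid base64, so a bad key stops at this step instead of reaching tauri-action. Passing the secret through `env:` rather than interpolating `${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}` into the script is the right choice and should stay. Since `shell: bash` is set on this step only, any other step in the job that relies on POSIX syntax needs the same setting or a job-level `defaults.run.shell`. Longer term, re-saving the secret without the stray character would make this step unnecessary.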

@VariableThe VariableThe merged commit 646acb1 into main Jun 29, 2026
4 checks passed