fix(ci): installer fixes — NSIS MUI2, YAML heredoc, macOS dark mode & Gatekeeper signing #117
MUI2 has no MUI_PAGE_README macro — valid pages are WELCOME, LICENSE, COMPONENTS, DIRECTORY, STARTMENU, INSTFILES, and FINISH. Using an unknown macro name causes makensis to abort with 'macro not found'.

Remove the readme page entirely. The Welcome page already describes what is being installed and the Finish page shows first-run instructions with a link to the documentation. The unused readme.txt resource file and its workflow copy step are also removed.

Wizard flow: Welcome → Directory → Installing → Finish
Walkthrough
Removed the Windows installer "Read Me" page and its quick-start README file; updated the release workflow to stop copying that README. Separately, macOS installer HTML pages were updated to use system color tokens and CSS variables, and the release workflow gained conditional macOS signing and notarization steps.

Changes
- Windows installer README removal
- macOS installer theming and packaging workflow
Sequence Diagram(s)
sequenceDiagram
participant Actions as GitHub Actions
participant FS as Filesystem
participant Keychain as Temporary Keychain
participant Apple as Apple Notary
participant User as Maintainer
User->>Actions: Push release (with env vars set)
Actions->>FS: Build .pkg (VER_CLEAN, PKG_NAME)
alt MACOS_CERTIFICATE set
Actions->>FS: write base64 certificate
Actions->>Keychain: import certificate into temp keychain
Actions->>FS: productsign unsigned.pkg -> signed.pkg
Keychain->>Actions: remove temp keychain
FS->>FS: cleanup certificate file
else not set
Actions-->>Actions: skip signing
end
alt MACOS_NOTARIZATION_APPLE_ID set
Actions->>Apple: xcrun notarytool submit --wait signed.pkg
Apple-->>Actions: notarization result
Actions->>FS: xcrun stapler staple signed.pkg
else not set
Actions-->>Actions: skip notarization
end
Codecov Report: All modified and coverable lines are covered by tests.
HTML pages:
- Replace hardcoded light-gray code backgrounds (#f2f2f7) with CSS
custom property var(--code-bg) that adapts via prefers-color-scheme.
Light mode: rgba(0,0,0,0.07), dark mode: rgba(255,255,255,0.12).
- Use color-scheme: light dark and -apple-system-label for body text
so colours track the system appearance automatically.
- Applied to welcome.html, readme.html, and conclusion.html.
Gatekeeper / code signing:
- Split the monolithic 'Build .pkg installer' step into four steps:
1. Build .pkg installer (pkgbuild + productbuild)
2. Sign .pkg with Developer ID (productsign — optional)
3. Notarize and staple .pkg (notarytool + stapler — optional)
4. Wrap .pkg in DMG (hdiutil)
- Signing step imports the Developer ID Installer certificate from
MACOS_CERTIFICATE (base64 .p12) into a temporary keychain, runs
productsign, then deletes the keychain and the decoded .p12.
- Notarization step submits to Apple with notarytool --wait, then
staples the ticket so Gatekeeper works offline too.
- Both steps exit 0 with a warning when their secrets are absent,
so builds succeed even without an Apple Developer account.
Required GitHub secrets (set in repo Settings → Secrets):
MACOS_CERTIFICATE base64-encoded Developer ID Installer .p12
MACOS_CERTIFICATE_PWD password for the .p12
MACOS_KEYCHAIN_PWD temporary keychain password (any string)
MACOS_IDENTITY 'Developer ID Installer: Name (TEAMID)'
MACOS_NOTARIZATION_APPLE_ID Apple ID email
MACOS_NOTARIZATION_TEAM_ID 10-char team ID
MACOS_NOTARIZATION_PWD app-specific password
fix(macos-installer): dark mode code styling and Gatekeeper signing
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 128-142: The "Sign .pkg with Developer ID" step only checks
MACOS_CERTIFICATE and may attempt signing even if MACOS_CERTIFICATE_PWD,
MACOS_KEYCHAIN_PWD, or MACOS_IDENTITY are missing; update the shell conditional
that currently tests MACOS_CERTIFICATE to instead verify all required secrets
(MACOS_CERTIFICATE, MACOS_CERTIFICATE_PWD, MACOS_KEYCHAIN_PWD, MACOS_IDENTITY)
and exit 0 with the existing warning message when any are unset so the step
truly skips gracefully.
- Around line 168-186: The "Notarize and staple .pkg" step only checks
MACOS_NOTARIZATION_APPLE_ID before running xcrun notarytool submit, so missing
MACOS_NOTARIZATION_TEAM_ID or MACOS_NOTARIZATION_PWD will cause a failure;
update the guard to validate all three environment variables
(MACOS_NOTARIZATION_APPLE_ID, MACOS_NOTARIZATION_TEAM_ID,
MACOS_NOTARIZATION_PWD) and skip notarization (exit 0) if any are unset, and
include an informative echo listing which variables are missing before exiting
to avoid running xcrun notarytool submit with incomplete credentials.
📒 Files selected for processing (4)
- .github/macos-installer/conclusion.html
- .github/macos-installer/readme.html
- .github/macos-installer/welcome.html
- .github/workflows/release.yml
✅ Files skipped from review due to trivial changes (1)
- .github/macos-installer/conclusion.html
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Virul Nirmala Wickramasinghe <89099391+iamvirul@users.noreply.github.com>
Changes in this PR

Fix 1 — YAML syntax error on release.yml L184
Inline heredoc (<< 'EOF') inside a run: | block caused a YAML parse error. Moved the content to .github/windows-installer/readme.txt (static tracked file) and replaced the heredoc with a cp call.

Fix 2 — Windows installer MUI_PAGE_README macro not found
MUI_PAGE_README does not exist in NSIS MUI2. makensis aborted with:
Removed the non-existent page. Wizard flow: Welcome → Directory → Installing → Finish.

Fix 3 — macOS installer HTML broken in dark mode
<code> and <pre> elements used a hardcoded background: #f2f2f7 (light gray) that rendered as a visual highlight artifact in macOS dark mode. Replaced with an adaptive CSS custom property:
Applied to welcome.html, readme.html, and conclusion.html.

Fix 4 — macOS Gatekeeper "unrecognized developer" warning
Unsigned .pkg files are blocked by Gatekeeper on first open. The release workflow now has dedicated Sign and Notarize steps:
- productsign
- notarytool --wait + stapler staple
Both steps exit 0 gracefully when secrets are absent — builds still succeed without an Apple Developer account.

Required secrets (Settings → Secrets → Actions):
- MACOS_CERTIFICATE: base64 -i DevIDInstaller.p12
- MACOS_CERTIFICATE_PWD
- MACOS_KEYCHAIN_PWD
- MACOS_IDENTITY: Developer ID Installer: Name (TEAMID)
- MACOS_NOTARIZATION_APPLE_ID
- MACOS_NOTARIZATION_TEAM_ID
- MACOS_NOTARIZATION_PWD

Release
These fixes ship as v1.4.3 (patch — CI/workflow only, no binary changes).
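
The all-secrets guard that the review comments ask for, combined with the temporary-keychain signing and notarization flow described in the commit message and Fix 4, as an added example; it is not the code in release.yml. Function names, temp paths and the keychain name are assumptions, and the security, productsign and notarytool invocations are a commonly used sequence rather than the workflow's own.

```shell
# Added example: secret names come from this page; function names, temp paths
# and the keychain name are assumptions, not taken from release.yml.
# Print the names of the given environment variables that are unset or empty.
missing_vars() {
  missing=""
  for name in "$@"; do
    # printenv sees exported variables only, which is how Actions passes env:
    if [ -z "$(printenv "$name")" ]; then
      missing="${missing:+$missing }$name"
    fi
  done
  printf '%s' "$missing"
}

# Return 0 when all are set; otherwise warn with the missing names, return 1.
have_secrets() {
  step="$1"; shift
  gaps="$(missing_vars "$@")"
  [ -z "$gaps" ] && return 0
  echo "::warning::Skipping $step, missing: $gaps"
  return 1
}

sign_pkg() {  # usage: sign_pkg unsigned.pkg signed.pkg
  have_secrets signing MACOS_CERTIFICATE MACOS_CERTIFICATE_PWD \
    MACOS_KEYCHAIN_PWD MACOS_IDENTITY || return 0
  ( # subshell: the EXIT trap deletes key material even if a command fails
    umask 077
    p12="${RUNNER_TEMP:-/tmp}/cert.p12"
    kc="${RUNNER_TEMP:-/tmp}/signing.keychain-db"
    trap 'security delete-keychain "$kc" 2>/dev/null; rm -f "$p12"' EXIT
    printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > "$p12" &&
    security create-keychain -p "$MACOS_KEYCHAIN_PWD" "$kc" &&
    security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" "$kc" &&
    security import "$p12" -k "$kc" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/productsign &&
    security set-key-partition-list -S apple-tool:,apple: -s -k "$MACOS_KEYCHAIN_PWD" "$kc" >/dev/null &&
    productsign --sign "$MACOS_IDENTITY" --keychain "$kc" "$1" "$2"
  )
}

notarize_pkg() {  # usage: notarize_pkg signed.pkg
  have_secrets notarization MACOS_NOTARIZATION_APPLE_ID \
    MACOS_NOTARIZATION_TEAM_ID MACOS_NOTARIZATION_PWD || return 0
  xcrun notarytool submit "$1" --wait \
    --apple-id "$MACOS_NOTARIZATION_APPLE_ID" \
    --team-id "$MACOS_NOTARIZATION_TEAM_ID" \
    --password "$MACOS_NOTARIZATION_PWD" &&
  xcrun stapler staple "$1"
}
```

A skipped step returns 0 so the build continues, while a failure inside the signing subshell propagates a non-zero status after the trap has removed the keychain and the decoded .p12.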