Merged
234 changes: 134 additions & 100 deletions .github/workflows/build-plugin.yml
Expand Up @@ -17,15 +17,40 @@ env:
XCODE_PROJECT: TablePro.xcodeproj

jobs:
resolve-tags:
name: Resolve Plugin Tags
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.tags.outputs.matrix }}
steps:
- id: tags
run: |
if [ -n "${{ inputs.tags }}" ]; then
IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
else
TAGS=("${{ github.ref_name }}")
fi
JSON='{"include":['
FIRST=true
for TAG in "${TAGS[@]}"; do
TAG=$(echo "$TAG" | xargs)
if [ "$FIRST" = true ]; then FIRST=false; else JSON+=','; fi
JSON+="{\"tag\":\"$TAG\"}"
done
JSON+=']}'
echo "matrix=$JSON" >> "$GITHUB_OUTPUT"
echo "Matrix: $JSON"

build-plugin:
name: Build Plugin
runs-on: self-hosted
timeout-minutes: 60
name: "Build ${{ matrix.tag }}"
needs: resolve-tags
runs-on: macos-15
timeout-minutes: 30
strategy:
matrix: ${{ fromJson(needs.resolve-tags.outputs.matrix) }}
fail-fast: false
Comment on lines +49 to +51

⚠️ Potential issue | 🟠 Major

❓ Verification inconclusive

Script executed:

cd .github/workflows && wc -l build-plugin.yml

Repository: datlechin/TablePro


Repository: datlechin/TablePro
Exit code: 0

stdout:

283 build-plugin.yml

Script executed:

cat -n .github/workflows/build-plugin.yml | sed -n '40,60p'

Repository: datlechin/TablePro


Repository: datlechin/TablePro
Exit code: 0

stdout:

    40	          JSON+=']}'
    41	          echo "matrix=$JSON" >> "$GITHUB_OUTPUT"
    42	          echo "Matrix: $JSON"
    43	
    44	  build-plugin:
    45	    name: "Build ${{ matrix.tag }}"
    46	    needs: resolve-tags
    47	    runs-on: macos-latest
    48	    timeout-minutes: 30
    49	    strategy:
    50	      matrix: ${{ fromJson(needs.resolve-tags.outputs.matrix) }}
    51	      fail-fast: false
    52	
    53	    steps:
    54	      - name: Checkout code
    55	        uses: actions/checkout@v4
    56	        with:
    57	          lfs: true
    58	
    59	      - name: Pull LFS files
    60	        run: git lfs pull

Script executed:

cat -n .github/workflows/build-plugin.yml | sed -n '210,280p'

Repository: datlechin/TablePro


Repository: datlechin/TablePro
Exit code: 0

stdout:

   210	          gh release create "$TAG" \
   211	            --title "$DISPLAY_NAME v$VERSION" \
   212	            --notes "$RELEASE_BODY" \
   213	            build/Plugins/${BUNDLE_NAME}-arm64.zip \
   214	            build/Plugins/${BUNDLE_NAME}-x86_64.zip
   215	
   216	          # Update plugin registry
   217	          if [ -n "${REGISTRY_DEPLOY_KEY:-}" ]; then
   218	            ARM64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-arm64.zip"
   219	            X86_64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-x86_64.zip"
   220	
   221	            WORK=$(mktemp -d)
   222	            eval "$(ssh-agent -s)"
   223	            echo "$REGISTRY_DEPLOY_KEY" | ssh-add -
   224	
   225	            git clone git@github.com:datlechin/tablepro-plugins.git "$WORK/registry"
   226	            cd "$WORK/registry"
   227	            git pull --rebase origin main
   228	
   229	            python3 - \
   230	              "$BUNDLE_ID" "$DISPLAY_NAME" "$VERSION" "$SUMMARY" \
   231	              "$DB_TYPE_IDS" "$ARM64_URL" "$ARM64_SHA" \
   232	              "$X86_64_URL" "$X86_SHA" "$MIN_APP_VERSION" \
   233	              "$ICON" "$HOMEPAGE" "$CATEGORY" \
   234	              <<'PYTHON_SCRIPT'
   235	          import json, sys
   236	
   237	          bundle_id, name, version, summary = sys.argv[1:5]
   238	          db_type_ids = json.loads(sys.argv[5])
   239	          arm64_url, arm64_sha = sys.argv[6], sys.argv[7]
   240	          x86_64_url, x86_64_sha = sys.argv[8], sys.argv[9]
   241	          min_app_version, icon, homepage = sys.argv[10], sys.argv[11], sys.argv[12]
   242	          category = sys.argv[13] if len(sys.argv) > 13 else "database-driver"
   243	
   244	          with open("plugins.json", "r") as f:
   245	              manifest = json.load(f)
   246	
   247	          entry = {
   248	              "id": bundle_id, "name": name, "version": version,
   249	              "summary": summary,
   250	              "author": {"name": "TablePro", "url": "https://tablepro.app"},
   251	              "homepage": homepage, "category": category,
   252	              "databaseTypeIds": db_type_ids,
   253	              "downloadURL": arm64_url, "sha256": arm64_sha,
   254	              "binaries": [
   255	                  {"architecture": "arm64", "downloadURL": arm64_url, "sha256": arm64_sha},
   256	                  {"architecture": "x86_64", "downloadURL": x86_64_url, "sha256": x86_64_sha}
   257	              ],
   258	              "minAppVersion": min_app_version,
   259	              "minPluginKitVersion": 1,
   260	              "iconName": icon, "isVerified": True
   261	          }
   262	
   263	          manifest["plugins"] = [p for p in manifest["plugins"] if p["id"] != bundle_id]
   264	          manifest["plugins"].append(entry)
   265	
   266	          with open("plugins.json", "w") as f:
   267	              json.dump(manifest, f, indent=2)
   268	              f.write("\n")
   269	          PYTHON_SCRIPT
   270	
   271	            git config user.name "github-actions[bot]"
   272	            git config user.email "github-actions[bot]@users.noreply.github.com"
   273	            git add plugins.json
   274	            git commit -m "Update $DISPLAY_NAME to v$VERSION"
   275	            git push
   276	
   277	            ssh-add -D
   278	            eval "$(ssh-agent -k)"
   279	            cd -
   280	            rm -rf "$WORK"

Script executed:

cat -n .github/workflows/build-plugin.yml | sed -n '273,276p'

Repository: datlechin/TablePro


Repository: datlechin/TablePro
Exit code: 0

stdout:

   273	            git add plugins.json
   274	            git commit -m "Update $DISPLAY_NAME to v$VERSION"
   275	            git push
   276	

Script executed:

grep -n "set -e\|set -o pipefail\||| true\|git commit" .github/workflows/build-plugin.yml

Repository: datlechin/TablePro


Repository: datlechin/TablePro
Exit code: 0

stdout:

209:          gh release delete "$TAG" --yes 2>/dev/null || true
274:            git commit -m "Update $DISPLAY_NAME to v$VERSION"

Script executed:

cat -n .github/workflows/build-plugin.yml | sed -n '145,220p'

Repository: datlechin/TablePro


Repository: datlechin/TablePro
Exit code: 0

stdout:

   145	                DISPLAY_NAME="Redis Driver"; SUMMARY="Redis in-memory data store driver via hiredis"
   146	                DB_TYPE_IDS='["Redis"]'; ICON="redis-icon"; BUNDLE_NAME="RedisDriver"
   147	                CATEGORY="database-driver"; HOMEPAGE="https://docs.tablepro.app/databases/redis" ;;
   148	              xlsx)
   149	                TARGET="XLSXExport"; BUNDLE_ID="com.TablePro.XLSXExportPlugin"
   150	                DISPLAY_NAME="XLSX Export"; SUMMARY="Export data to Microsoft Excel XLSX format"
   151	                DB_TYPE_IDS='null'; ICON="doc.richtext"; BUNDLE_NAME="XLSXExport"
   152	                CATEGORY="export-format"; HOMEPAGE="https://docs.tablepro.app/features/export" ;;
   153	              mql)
   154	                TARGET="MQLExport"; BUNDLE_ID="com.TablePro.MQLExportPlugin"
   155	                DISPLAY_NAME="MQL Export"; SUMMARY="Export MongoDB data as MQL statements"
   156	                DB_TYPE_IDS='null'; ICON="doc.text"; BUNDLE_NAME="MQLExport"
   157	                CATEGORY="export-format"; HOMEPAGE="https://docs.tablepro.app/features/export" ;;
   158	              sqlimport)
   159	                TARGET="SQLImport"; BUNDLE_ID="com.TablePro.SQLImportPlugin"
   160	                DISPLAY_NAME="SQL Import"; SUMMARY="Import data from SQL dump files"
   161	                DB_TYPE_IDS='null'; ICON="square.and.arrow.down"; BUNDLE_NAME="SQLImport"
   162	                CATEGORY="import-format"; HOMEPAGE="https://docs.tablepro.app/features/import" ;;
   163	              *) echo "Unknown plugin: $plugin_name"; return 1 ;;
   164	            esac
   165	          }
   166	
   167	          PLUGIN_NAME=$(echo "$TAG" | sed -E 's/^plugin-([a-z]+)-v.*$/\1/')
   168	          VERSION=$(echo "$TAG" | sed -E 's/^plugin-[a-z]+-v(.*)$/\1/')
   169	
   170	          resolve_plugin_info "$PLUGIN_NAME"
   171	
   172	          echo "Building $TARGET v$VERSION"
   173	
   174	          # Build Cassandra dependencies if needed
   175	          if [ "$PLUGIN_NAME" = "cassandra" ]; then
   176	            ./scripts/build-cassandra.sh both
   177	          fi
   178	
   179	          # Build both architectures
   180	          ./scripts/build-plugin.sh "$TARGET" arm64
   181	          ./scripts/build-plugin.sh "$TARGET" x86_64
   182	
   183	          # Capture SHA-256
   184	          ARM64_SHA=$(cat "build/Plugins/${BUNDLE_NAME}-arm64.zip.sha256")
   185	          X86_SHA=$(cat "build/Plugins/${BUNDLE_NAME}-x86_64.zip.sha256")
   186	
   187	          # Notarize if enabled
   188	          if [ "${NOTARIZE_PLUGINS:-}" = "true" ]; then
   189	            for zip in build/Plugins/${BUNDLE_NAME}-*.zip; do
   190	              xcrun notarytool submit "$zip" \
   191	                --keychain-profile "TablePro" \
   192	                --wait
   193	            done
   194	          fi
   195	
   196	          # Create GitHub Release
   197	          RELEASE_BODY="## $DISPLAY_NAME v$VERSION
   198	
   199	          Plugin release for TablePro.
   200	
   201	          ### Installation
   202	          TablePro will prompt you to install this plugin automatically when you select the database type. You can also install manually via **Settings > Plugins > Browse**.
   203	
   204	          ### SHA-256
   205	          - ARM64: \`$ARM64_SHA\`
   206	          - x86_64: \`$X86_SHA\`"
   207	
   208	          # Delete existing release if any, then create
   209	          gh release delete "$TAG" --yes 2>/dev/null || true
   210	          gh release create "$TAG" \
   211	            --title "$DISPLAY_NAME v$VERSION" \
   212	            --notes "$RELEASE_BODY" \
   213	            build/Plugins/${BUNDLE_NAME}-arm64.zip \
   214	            build/Plugins/${BUNDLE_NAME}-x86_64.zip
   215	
   216	          # Update plugin registry
   217	          if [ -n "${REGISTRY_DEPLOY_KEY:-}" ]; then
   218	            ARM64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-arm64.zip"
   219	            X86_64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-x86_64.zip"
   220	

Prevent concurrent registry pushes—serialize with max-parallel: 1 or move to downstream job.

Matrix jobs execute concurrently by default. Each clones the registry, modifies plugins.json, and pushes to main (lines 216–275). Multi-tag dispatches will race on the remote, and reruns fail at line 274 when plugins.json is unchanged—git commit exits with "nothing to commit" and no error handler is present.

Add max-parallel: 1 to the strategy block to serialize execution, or extract the registry update into a single downstream job triggered after all builds complete. If keeping it in the matrix, add a guard: git diff --cached --quiet || git commit -m "Update..." before the push.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-plugin.yml around lines 49 - 51, The matrix strategy
runs jobs concurrently and causes race conditions when each job clones and
pushes registry changes; update the workflow by adding max-parallel: 1 under the
existing strategy/matrix block to serialize execution, or refactor the registry
update into a single downstream job that runs after the matrix completes; if you
keep the registry update inside the matrix, add a pre-commit guard around the
commit/push sequence (the place that updates plugins.json and runs git commit)
that checks for staged changes (e.g., run a quiet git-diff check before
committing) so git commit is only invoked when there are actual changes to
commit.


steps:
- name: Install Git LFS
run: brew list git-lfs &>/dev/null || brew install git-lfs; git lfs install

- name: Checkout code
uses: actions/checkout@v4
with:
Expand All @@ -34,17 +59,44 @@ jobs:
- name: Pull LFS files
run: git lfs pull

- name: Build and release plugins
- name: Select Xcode
uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: "26.2"

- name: Import signing certificate
env:
CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
CERTIFICATES_PASSWORD: ${{ secrets.CERTIFICATES_PASSWORD }}
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
security create-keychain -p "" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "" "$KEYCHAIN_PATH"
echo "$CERTIFICATES_P12" | base64 --decode > $RUNNER_TEMP/certificate.p12
security import $RUNNER_TEMP/certificate.p12 -P "$CERTIFICATES_PASSWORD" \
-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: -k "" "$KEYCHAIN_PATH"
security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
Comment on lines +67 to +80

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

macOS security command list-keychains vs list-keychain documentation

💡 Result:

security’s documented subcommand is list-keychains (plural). In Apple’s security(1) man page it’s described as:

  • list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]] — “Display or manipulate the keychain search list.” [1]

There is no documented security list-keychain (singular) subcommand in the security(1) command list; when you see “list-keychain” online, it’s typically a typo/misremembering of list-keychains (e.g., posts discussing it in that mistaken form). [1], [2]

If you want to confirm on your Mac, run:

  • security help (lists valid subcommands)
  • man security (official local documentation) [1]

Sources: [1] security(1) man page (manpagez mirror) [2] Stack Overflow discussion referencing “security list-keychain” in the singular (as used/mistyped in the question)


Fix the keychain search-list command.

security exposes list-keychains (plural); list-keychain is not a valid subcommand.

Suggested fix
-          security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
+          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Import signing certificate
env:
CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
CERTIFICATES_PASSWORD: ${{ secrets.CERTIFICATES_PASSWORD }}
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
security create-keychain -p "" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "" "$KEYCHAIN_PATH"
echo "$CERTIFICATES_P12" | base64 --decode > $RUNNER_TEMP/certificate.p12
security import $RUNNER_TEMP/certificate.p12 -P "$CERTIFICATES_PASSWORD" \
-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: -k "" "$KEYCHAIN_PATH"
security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
- name: Import signing certificate
env:
CERTIFICATES_P12: ${{ secrets.CERTIFICATES_P12 }}
CERTIFICATES_PASSWORD: ${{ secrets.CERTIFICATES_PASSWORD }}
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
security create-keychain -p "" "$KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "" "$KEYCHAIN_PATH"
echo "$CERTIFICATES_P12" | base64 --decode > $RUNNER_TEMP/certificate.p12
security import $RUNNER_TEMP/certificate.p12 -P "$CERTIFICATES_PASSWORD" \
-A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: -k "" "$KEYCHAIN_PATH"
security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-plugin.yml around lines 67 - 80, Replace the
incorrect macOS security subcommand "list-keychain" with the correct plural
"list-keychains" in the "Import signing certificate" step so the final
invocation uses security list-keychains -d user -s "$KEYCHAIN_PATH"
login.keychain (the line that references KEYCHAIN_PATH and login.keychain).


- name: Configure notarization
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
run: |
xcrun notarytool store-credentials "TablePro" \
--apple-id "$APPLE_ID" \
--team-id "$APPLE_TEAM_ID" \
--password "$NOTARY_PASSWORD"

- name: Build and release plugin
env:
REGISTRY_DEPLOY_KEY: ${{ secrets.REGISTRY_DEPLOY_KEY }}
GH_TOKEN: ${{ github.token }}
run: |
# Build tag list: from input (comma-separated) or from push event (single tag)
if [ -n "${{ inputs.tags }}" ]; then
IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
else
TAGS=("${{ github.ref_name }}")
fi
TAG="${{ matrix.tag }}"
echo "Processing: $TAG"

# Get current app version for minAppVersion
MIN_APP_VERSION=$(sed -n 's/.*MARKETING_VERSION = \(.*\);/\1/p' \
Expand Down Expand Up @@ -112,46 +164,37 @@ jobs:
esac
}

for TAG in "${TAGS[@]}"; do
TAG=$(echo "$TAG" | xargs) # trim whitespace
echo ""
echo "========================================"
echo "Processing: $TAG"
echo "========================================"

PLUGIN_NAME=$(echo "$TAG" | sed -E 's/^plugin-([a-z]+)-v.*$/\1/')
VERSION=$(echo "$TAG" | sed -E 's/^plugin-[a-z]+-v(.*)$/\1/')

resolve_plugin_info "$PLUGIN_NAME" || continue

echo "Building $TARGET v$VERSION"

# Build Cassandra dependencies if needed
if [ "$PLUGIN_NAME" = "cassandra" ]; then
./scripts/build-cassandra.sh both
fi

# Build both architectures
./scripts/build-plugin.sh "$TARGET" arm64
./scripts/build-plugin.sh "$TARGET" x86_64

# Capture SHA-256
ARM64_SHA=$(cat "build/Plugins/${BUNDLE_NAME}-arm64.zip.sha256")
X86_SHA=$(cat "build/Plugins/${BUNDLE_NAME}-x86_64.zip.sha256")

# Notarize if enabled
if [ "${NOTARIZE_PLUGINS:-}" = "true" ]; then
for zip in build/Plugins/${BUNDLE_NAME}-*.zip; do
xcrun notarytool submit "$zip" \
--apple-id "$APPLE_ID" \
--team-id "D7HJ5TFYCU" \
--keychain-profile "notarytool-profile" \
--wait
done
fi

# Create GitHub Release
RELEASE_BODY="## $DISPLAY_NAME v$VERSION
PLUGIN_NAME=$(echo "$TAG" | sed -E 's/^plugin-([a-z]+)-v.*$/\1/')
VERSION=$(echo "$TAG" | sed -E 's/^plugin-[a-z]+-v(.*)$/\1/')

resolve_plugin_info "$PLUGIN_NAME"

echo "Building $TARGET v$VERSION"

# Build Cassandra dependencies if needed
if [ "$PLUGIN_NAME" = "cassandra" ]; then
./scripts/build-cassandra.sh both
fi

# Build both architectures
./scripts/build-plugin.sh "$TARGET" arm64
./scripts/build-plugin.sh "$TARGET" x86_64

# Capture SHA-256
ARM64_SHA=$(cat "build/Plugins/${BUNDLE_NAME}-arm64.zip.sha256")
X86_SHA=$(cat "build/Plugins/${BUNDLE_NAME}-x86_64.zip.sha256")

# Notarize if enabled
if [ "${NOTARIZE_PLUGINS:-}" = "true" ]; then
for zip in build/Plugins/${BUNDLE_NAME}-*.zip; do
xcrun notarytool submit "$zip" \
--keychain-profile "TablePro" \
--wait
done
fi
Comment on lines +187 to +194

⚠️ Potential issue | 🟠 Major

This notarization block is currently unreachable.

NOTARIZE_PLUGINS is never set in this workflow, so the ZIPs are always released without going through notarytool submit. If notarization is intended here, wire it to a job env/input instead of an unset shell variable.

One possible wiring
       - name: Build and release plugin
         env:
           REGISTRY_DEPLOY_KEY: ${{ secrets.REGISTRY_DEPLOY_KEY }}
           GH_TOKEN: ${{ github.token }}
+          NOTARIZE_PLUGINS: "true"
         run: |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-plugin.yml around lines 187 - 194, The notarization
block is unreachable because NOTARIZE_PLUGINS is never provided to the runner;
wire that value into the workflow (e.g., add a workflow input or job/env entry
named NOTARIZE_PLUGINS and reference it in the job Env) so the shell if [
"${NOTARIZE_PLUGINS:-}" = "true" ] can evaluate correctly; update the workflow
to set NOTARIZE_PLUGINS via a workflow input or job env (or default to "false")
and ensure the run step that invokes xcrun notarytool submit uses the same
BUNDLE_NAME and build/Plugins path as shown.


# Create GitHub Release
RELEASE_BODY="## $DISPLAY_NAME v$VERSION

Plugin release for TablePro.

Expand All @@ -162,33 +205,33 @@ jobs:
- ARM64: \`$ARM64_SHA\`
- x86_64: \`$X86_SHA\`"

# Delete existing release if any, then create
gh release delete "$TAG" --yes 2>/dev/null || true
gh release create "$TAG" \
--title "$DISPLAY_NAME v$VERSION" \
--notes "$RELEASE_BODY" \
build/Plugins/${BUNDLE_NAME}-arm64.zip \
build/Plugins/${BUNDLE_NAME}-x86_64.zip

# Update plugin registry
if [ -n "${REGISTRY_DEPLOY_KEY:-}" ]; then
ARM64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-arm64.zip"
X86_64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-x86_64.zip"

WORK=$(mktemp -d)
eval "$(ssh-agent -s)"
echo "$REGISTRY_DEPLOY_KEY" | ssh-add -

git clone git@github.com:datlechin/tablepro-plugins.git "$WORK/registry"
cd "$WORK/registry"
git pull --rebase origin main

python3 - \
"$BUNDLE_ID" "$DISPLAY_NAME" "$VERSION" "$SUMMARY" \
"$DB_TYPE_IDS" "$ARM64_URL" "$ARM64_SHA" \
"$X86_64_URL" "$X86_SHA" "$MIN_APP_VERSION" \
"$ICON" "$HOMEPAGE" "$CATEGORY" \
<<'PYTHON_SCRIPT'
# Delete existing release if any, then create
gh release delete "$TAG" --yes 2>/dev/null || true
gh release create "$TAG" \
--title "$DISPLAY_NAME v$VERSION" \
--notes "$RELEASE_BODY" \
build/Plugins/${BUNDLE_NAME}-arm64.zip \
build/Plugins/${BUNDLE_NAME}-x86_64.zip

# Update plugin registry
if [ -n "${REGISTRY_DEPLOY_KEY:-}" ]; then
ARM64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-arm64.zip"
X86_64_URL="https://github.com/${{ github.repository }}/releases/download/${TAG}/${BUNDLE_NAME}-x86_64.zip"

WORK=$(mktemp -d)
eval "$(ssh-agent -s)"
echo "$REGISTRY_DEPLOY_KEY" | ssh-add -

git clone git@github.com:datlechin/tablepro-plugins.git "$WORK/registry"
cd "$WORK/registry"
git pull --rebase origin main

python3 - \
"$BUNDLE_ID" "$DISPLAY_NAME" "$VERSION" "$SUMMARY" \
"$DB_TYPE_IDS" "$ARM64_URL" "$ARM64_SHA" \
"$X86_64_URL" "$X86_SHA" "$MIN_APP_VERSION" \
"$ICON" "$HOMEPAGE" "$CATEGORY" \
<<'PYTHON_SCRIPT'
import json, sys

bundle_id, name, version, summary = sys.argv[1:5]
Expand Down Expand Up @@ -225,25 +268,16 @@ jobs:
f.write("\n")
PYTHON_SCRIPT

git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add plugins.json
git commit -m "Update $DISPLAY_NAME to v$VERSION"
git push
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add plugins.json
git commit -m "Update $DISPLAY_NAME to v$VERSION"
git push

ssh-add -D
eval "$(ssh-agent -k)"
cd -
rm -rf "$WORK"
fi

# Clean plugin build artifacts for next iteration
rm -f build/Plugins/${BUNDLE_NAME}-*.zip build/Plugins/${BUNDLE_NAME}-*.sha256

echo "✅ $DISPLAY_NAME v$VERSION released"
done
ssh-add -D
eval "$(ssh-agent -k)"
cd -
rm -rf "$WORK"
fi

echo ""
echo "========================================"
echo "All plugins processed!"
echo "========================================"
echo "$DISPLAY_NAME v$VERSION released"
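Review bot: The `resolve-tags` step expands `${{ inputs.tags }}` and `${{ github.ref_name }}` directly into the `run:` script, and the build step does the same with `TAG="${{ matrix.tag }}"`, so the tag text becomes part of the shell source before bash parses it instead of arriving as data. The build job also holds the signing certificate, the notary password, the registry deploy key and `GH_TOKEN`, so a tag name or dispatch input should not be able to shape the script; pass the values through `env:` and read them as quoted shell variables. The matrix JSON is built by string concatenation as well, so a tag containing a quote or backslash produces malformed or altered JSON; rejecting tags that do not match the expected `plugin-<name>-v<version>` shape before appending covers that (the version character class below is an assumption, adjust it to the project's scheme). The removed in-script tag list used the same interpolation, so this predates the change, but the matrix adds a second expansion point in the job that carries the secrets.

```yaml
      - id: tags
        env:
          INPUT_TAGS: ${{ inputs.tags }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ -n "$INPUT_TAGS" ]; then
            IFS=',' read -ra TAGS <<< "$INPUT_TAGS"
          else
            TAGS=("$REF_NAME")
          fi
          # … unchanged: JSON / FIRST initialisation …
          for TAG in "${TAGS[@]}"; do
            TAG=$(echo "$TAG" | xargs)
            if ! [[ "$TAG" =~ ^plugin-[a-z]+-v[0-9A-Za-z._-]+$ ]]; then
              echo "Invalid tag: $TAG" >&2
              exit 1
            fi
            # … unchanged: append the tag object to JSON …
          done
          # … unchanged: write matrix to GITHUB_OUTPUT …

      # … unchanged: build-plugin steps up to "Build and release plugin" …
      - name: Build and release plugin
        env:
          REGISTRY_DEPLOY_KEY: ${{ secrets.REGISTRY_DEPLOY_KEY }}
          GH_TOKEN: ${{ github.token }}
          MATRIX_TAG: ${{ matrix.tag }}
        run: |
          TAG="$MATRIX_TAG"
          # … unchanged: remainder of the build/release script …
```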