fix: sign only idf repo plugins and simplifying the P2 metadata

[kolipakakondal]

Description

Please include a summary of the change and which issue is fixed.

Fixes # (IEP-XXX)

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How has this been tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

• Test A
• Test B

Test Configuration:

• ESP-IDF Version:
• OS (Windows,Linux and macOS):

Dependent components impacted by this PR:

• Component 1
• Component 2

Checklist

• PR Self Reviewed
• Applied Code formatting
• Added Documentation
• Added Unit Test
• Verified on all platforms - Windows,Linux and macOS

Summary by CodeRabbit

• Chores
  • Improved CI/CD release process with refined JAR signing targeting for IDF plugins and features.
  • Strengthened error handling to detect and report signing failures in the release pipeline.
  • Enhanced logging and messaging for better release process visibility and diagnostics.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Modified CI release workflow's JAR signing process to target only IDF-related plugins and features with stricter file filtering and additional signing parameters. Improved error handling for signing failures and adjusted metadata regeneration step by removing explicit repositoryPath argument with fallback logic.

Changes

Cohort / File(s)	Summary
JAR Signing Rework .github/workflows/ci_release.yml	Introduced REPO_DIR and SIGFILE variables; updated signing loop to filter JARs matching (plugins|features)/com.espressif.; added signing flags (-sigfile, -digestalg, -certs, -verbose); implemented proper error handling (exit on failure); expanded logging to indicate signed vs. skipped JARs.
Metadata Regeneration Adjustment .github/workflows/ci_release.yml	Removed explicit repositoryPath argument from initial Tycho command invocation in regenerator step; retained fallback command without explicit path.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Focus on JAR filtering regex pattern (plugins\|features)/com.espressif. to ensure correct file selection
• Verify error handling logic correctly exits with non-zero on signing failure while allowing skipped JARs to continue
• Confirm path argument removal in Tycho command doesn't break metadata regeneration flow

Possibly related PRs

• v3.7.1 #1365: Modifies the same CI workflow's P2 metadata regeneration step (Tycho invocation with path-specific handling and fallback logic)
• fix: Dynamic discovery of of signtool.exe #1328: Changes the CI release workflow's JAR signing discovery and invocation mechanism while this PR refines file filtering and signing parameters

Suggested reviewers

• alirana01
• sigmaaa
• AndriiFilippov

Poem

🐰 A rabbit hops through GitHub's halls,
Signs jars with careful paws,
IDF plugins get their seal,
While others pass, that's the deal!
Error handling, paths so true—
CI workflows, shiny and new! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly relates to the main changes: restricting JAR signing to IDF-related plugins and simplifying P2 metadata regeneration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jarsigner_sha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/ci_release.yml (1)

75-76: Minor: Duplicate variable definition across steps.

REPO_DIR is defined in both the signing step (line 75) and the metadata regeneration step (line 128). Consider defining it once as an environment variable at the job level to reduce duplication and improve maintainability.

Move to the job-level env section:

  - name: Sign JAR files with jarsigner
    env:
      AZURE_TOKEN: ${{ steps.get-token.outputs.token }}
      CERT_CHAIN: ${{ secrets.AZURE_KEYVAULT_CERTCHAIN }}
+     REPO_DIR: "releng/com.espressif.idf.update/target/repository"
+     SIGFILE: "ECLIPSE"
    run: |
-   REPO_DIR="releng/com.espressif.idf.update/target/repository"
-   SIGFILE="ECLIPSE"

And remove the redefinition on line 128 in the metadata step.

Also applies to: 128-128

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 63c3340 and 74bc498.

📒 Files selected for processing (1)

• .github/workflows/ci_release.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build_macos
• GitHub Check: build_windows
• GitHub Check: build

🔇 Additional comments (1)

.github/workflows/ci_release.yml (1)

131-137: Clarify: P2 metadata regeneration fallback behavior.

The fallback logic silently retries without the explicit repositoryPath argument if the first command fails. This is reasonable for robustness, but it's unclear whether the failure is expected or signals a real problem. If the path is guaranteed to exist, the first command should always succeed—if it doesn't, the silent fallback might mask underlying issues.

Please clarify:

• Is the first command expected to fail in any normal scenario?
• Should we add logging to indicate when/why the fallback is triggered?
• Are there any Maven or Tycho version constraints that would require the fallback?

Alternatively, consider making the fallback explicit with logging:

mvn -f releng/com.espressif.idf.update/pom.xml \
  org.eclipse.tycho:tycho-p2-repository-plugin:fix-artifacts-metadata \
  -DrepositoryPath="$REPO_DIR" \
  -DskipTests=true || {
  echo "Warning: Metadata regeneration with explicit path failed, retrying without path..."
  mvn -f releng/com.espressif.idf.update/pom.xml \
    org.eclipse.tycho:tycho-p2-repository-plugin:fix-artifacts-metadata \
    -DskipTests=true
}

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Error handling broken in piped loop—signing failures won't fail the workflow.

The find ... | while read pattern creates a subshell. The exit 1 on line 106 exits the subshell, not the parent workflow step, so signing failures silently succeed. Additionally, $? -eq 0 on line 102 evaluates the exit status of the preceding echo command (due to piping), not the jarsigner command.

Restructure the loop to properly propagate errors:

- find "$REPO_DIR" -type f -name "*.jar" | while read -r file; do
-   if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
-     echo "Signing IDF plugin/feature JAR: $file"
-     
-     jarsigner \
-       -J-cp -Jjsign-7.4.jar \
-       -J--add-modules -Jjava.sql \
-       -providerClass net.jsign.jca.JsignJcaProvider \
-       -providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
-       -keystore NONE \
-       -storetype AZUREKEYVAULT \
-       -storepass "$AZURE_TOKEN" \
-       -sigfile "$SIGFILE" \
-       -digestalg SHA-256 \
-       -tsa http://timestamp.digicert.com \
-       $CERTCHAIN_ARG \
-       -certs \
-       -verbose \
-       "$file" \
-       "${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"
-     
-     if [ $? -eq 0 ]; then
-       echo "Successfully signed: $file"
-     else
-       echo "Failed to sign: $file"
-       exit 1
-     fi
-   else
-     echo "Skipping non-IDF JAR: $file"
-   fi
- done
+ set -e
+ while IFS= read -r file; do
+   if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
+     echo "Signing IDF plugin/feature JAR: $file"
+     
+     jarsigner \
+       -J-cp -Jjsign-7.4.jar \
+       -J--add-modules -Jjava.sql \
+       -providerClass net.jsign.jca.JsignJcaProvider \
+       -providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
+       -keystore NONE \
+       -storetype AZUREKEYVAULT \
+       -storepass "$AZURE_TOKEN" \
+       -sigfile "$SIGFILE" \
+       -digestalg SHA-256 \
+       -tsa http://timestamp.digicert.com \
+       $CERTCHAIN_ARG \
+       -certs \
+       -verbose \
+       "$file" \
+       "${{ secrets.AZURE_KEYVAULT_CERT_NAME }}" || { echo "Failed to sign: $file"; exit 1; }
+     
+     echo "Successfully signed: $file"
+   else
+     echo "Skipping non-IDF JAR: $file"
+   fi
+ done < <(find "$REPO_DIR" -type f -name "*.jar")

This uses process substitution < <(...) to avoid subshell context and set -e with inline error handling to ensure failures propagate.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	find "$REPO_DIR" -type f -name "*.jar" | while read -r file; do
	if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
	echo "Signing IDF plugin/feature JAR: $file"
	jarsigner \
	-J-cp -Jjsign-7.4.jar \
	-J--add-modules -Jjava.sql \
	-providerClass net.jsign.jca.JsignJcaProvider \
	-providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
	-keystore NONE \
	-storetype AZUREKEYVAULT \
	-storepass "$AZURE_TOKEN" \
	-sigfile "$SIGFILE" \
	-digestalg SHA-256 \
	-tsa http://timestamp.digicert.com \
	$CERTCHAIN_ARG \
	-certs \
	-verbose \
	"$file" \
	"${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"
	if [ $? -eq 0 ]; then
	echo "Successfully signed: $file"
	else
	echo "Failed to sign: $file"
	exit 1
	fi
	else
	echo "Failed to sign: $file"
	exit 1
	echo "Skipping non-IDF JAR: $file"
	fi
	done
	set -e
	while IFS= read -r file; do
	if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
	echo "Signing IDF plugin/feature JAR: $file"
	jarsigner \
	-J-cp -Jjsign-7.4.jar \
	-J--add-modules -Jjava.sql \
	-providerClass net.jsign.jca.JsignJcaProvider \
	-providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
	-keystore NONE \
	-storetype AZUREKEYVAULT \
	-storepass "$AZURE_TOKEN" \
	-sigfile "$SIGFILE" \
	-digestalg SHA-256 \
	-tsa http://timestamp.digicert.com \
	$CERTCHAIN_ARG \
	-certs \
	-verbose \
	"$file" \
	"${{ secrets.AZURE_KEYVAULT_CERT_NAME }}" || { echo "Failed to sign: $file"; exit 1; }
	echo "Successfully signed: $file"
	else
	echo "Skipping non-IDF JAR: $file"
	fi
	done < <(find "$REPO_DIR" -type f -name "*.jar")

🤖 Prompt for AI Agents

.github/workflows/ci_release.yml around lines 81 to 111: the current "find ... |
while read" pipeline runs the loop in a subshell so any "exit 1" or failures
inside won't stop the parent job, and the "$? -eq 0" check after the echo
inspects the echo's exit status instead of jarsigner's. Replace the piped loop
with a loop that reads from process substitution (or otherwise avoids a
subshell) so exits propagate to the parent, and check jarsigner's exit
immediately (or use "set -e" plus "|| exit 1") right after the jarsigner
invocation instead of using "$?" after an intervening command; ensure signing
failures call "exit 1" in the same shell and that logs reflect jarsigner's
actual exit code.