Skip to content

Upgrade project environment#754

Merged
ikostan merged 52 commits into
mainfrom
upgrade-project-environment
Jun 17, 2026
Merged

Upgrade project environment#754
ikostan merged 52 commits into
mainfrom
upgrade-project-environment

Conversation

@ikostan

@ikostan ikostan commented Jun 12, 2026

Copy link
Copy Markdown
Owner

name: Default Pull Request Template
about: Suggesting changes to SkyLockAssault
title: ''
labels: ''
assignees: ''

PR #754: Upgrade project environment to Godot 4.6.3

Author: @ikostan
Status: Merged (as of latest activity)
Linked Epic/Issue: #747
Milestone: Milestone 20: Resource-Based Settings & UI Acoustic Integration

Overview

This comprehensive PR upgrades the SkyLockAssault project from Godot 4.5.stable to Godot 4.6.3.stable. The update modernizes the development, testing, and deployment environment while introducing robustness improvements, security enhancements, and better test isolation. It addresses compatibility constraints with newer add-ons and resolves various engine behavior changes.

Key Changes

Major Upgrade

  • Core project updated to Godot 4.6.3 across project.godot, scenes, Docker, CI/CD workflows, and documentation.
  • Added legacy obsolete/godot_4.5_stable/Dockerfile for archival and fallback purposes.

Security & Reliability Enhancements

  • Added SHA-256 checksum verification for all downloaded Godot binaries and export templates in CI workflows and Dockerfile.
  • Improved AudioManager with safer audio bus handling (apply_volume_to_bus guards against invalid AudioServer access or missing buses) and a new cleanup_for_test() helper for deterministic test cleanup.
  • Fixed encrypted ConfigFile crashes by seeding dummy data before encryption in test fixtures.

Testing Improvements

  • Hardened GUT and GDUnit4 test suites for compatibility with Godot 4.6.3.
  • Enhanced workspace/run_gut_unit_tests.sh with temporary gdUnit4 disable/restore logic and better cache handling.
  • Increased verbosity and reliability in CI test jobs (GDUnit4, GUT, browser tests).
  • Updated test scenes and configurations (audio_settings.tscn, default_bus_layout.tres, etc.).

CI/CD Updates

  • Updated workflows: gdunit4_tests.yml, gut_tests.yml, browser_test.yml, deploy_to_itch.yml.
  • Bumped GDUnit4 to v6.1.3 where applicable.
  • Refined Docker setup (Playwright dependencies, quiet downloads, etc.).

Documentation

  • Updated README.md with new Godot version, supported tools, and Windows compatibility notes.

Impact

  • Ensures long-term maintainability and compatibility with the Godot ecosystem.
  • Strengthens supply-chain security via checksum verification.
  • Improves developer experience through more stable and verbose testing.
  • Maintains backward compatibility via the archived 4.5 Docker image.

This PR exemplifies a well-structured toolchain upgrade with proactive fixes for edge cases in testing and audio systems.


Description

What does this PR do? (e.g., "Fixes player jump physics in level 2" or "Adds
new enemy AI script")

Related Issue

Closes #ISSUE_NUMBER (if applicable)

Changes

  • List key changes here (e.g., "Updated Jump.gd to use Godot 4.4's new Tween
    system")
  • Any breaking changes? (e.g., "Deprecated old signal; migrate to new one")

Testing

  • Ran the game in Godot v4.5 editor—describe what you tested (e.g., "Jump
    works on Win10 with 60 FPS")
  • Any new unit tests added? (Link to test scene if yes)
  • Screenshots/GIFs if UI-related: (Attach below)

Checklist

  • Code follows Godot style guide (e.g., snake_case for variables)
  • No console errors in editor/output
  • Ready for review!

Additional Notes

Anything else? (e.g., "Tested on Win10 64-bit; needs Linux validation")

Summary by Sourcery

Upgrade the project to Godot 4.6.3 and update tooling, tests, and CI workflows to be compatible and more robust.

New Features:

  • Add a dedicated cleanup helper on AudioManager for unit tests to safely reset audio state between runs.

Bug Fixes:

  • Prevent engine crashes and C++ core errors in encrypted ConfigFile tests by ensuring non-empty content before encryption.
  • Avoid audio bus access errors by guarding AudioServer usage and handling missing buses safely.
  • Ensure GUT unit tests run reliably by disabling incompatible gdUnit4 during runs and restoring it afterward.

Enhancements:

  • Update Docker image, CI workflows, and documentation to use Godot 4.6.3 and newer GDUnit4 and tooling versions.
  • Add checksum verification when downloading Godot binaries in CI and Docker for improved supply-chain security.
  • Make GUT CI and local test runs more stable and verbose, including cache cleanup and refined test directory paths.

Build:

  • Introduce an obsolete Dockerfile preserving the previous Godot 4.5 environment for archival or fallback use.

CI:

  • Update GitHub Actions workflows to use Godot 4.6.3 artifacts with checksum verification and newer GDUnit4, and improve GUT job logging and cache handling.

Documentation:

  • Refresh README to document the new Godot version, supported Windows versions, and updated tooling versions.

Tests:

  • Adjust GUT and GDUnit4 tests to work with the new encryption behavior and AudioManager cleanup flow, and refine the GUT test runner script for Windows.

Summary by Sourcery

Upgrade the project environment and tooling to Godot 4.6.3 with stronger CI security and more robust audio/testing behavior.

New Features:

  • Add a dedicated AudioManager cleanup helper for deterministic test-time audio reset.

Bug Fixes:

  • Prevent crashes and core errors when encrypting empty ConfigFiles in tests by seeding minimal data before encryption.
  • Avoid audio bus access errors by guarding AudioServer usage and missing buses in AudioManager.

Enhancements:

  • Update Docker image, project configuration, and CI workflows to use Godot 4.6.3 and GDUnit4 v6.1.3.
  • Introduce a legacy Dockerfile preserving the previous Godot 4.5 environment for fallback use.
  • Harden local and CI GUT/GDUnit4 test execution with cache cleanup, verbose output, and isolation between test frameworks.
  • Improve deployment workflow by serving Godot binaries via a locally verified HTTP source and adding SHA-256 checksum verification for downloads.
  • Refresh README and milestone documentation to reflect the new engine version, supported platforms, and tooling.

Summary by CodeRabbit

  • Chores

    • Upgraded Godot toolchain to 4.6.3 across CI workflows, Docker, and README; added archived legacy build.
    • Updated project settings metadata and enabled additional editor plugins for testing.
  • Bug Fixes

    • Improved config save reliability by avoiding empty encrypted payloads.
    • Added safer handling for audio bus operations when the engine isn’t available.
  • Tests

    • Hardened CI with SHA-256 verification, cache cleaning, and more robust GDUnit4/GUT handling, plus verbose runner output.
  • Refactor

    • Added stable unique IDs to the audio settings scene for improved reliability.

Bots/AI Contributions to PR #754

This PR primarily upgrades the SkyLockAssault project environment to Godot 4.6.3, updates related CI/CD workflows, Docker setup, tests, documentation, and introduces safety fixes for audio/config handling. AI-assisted tools and bots provided significant value through automated summaries, reviews, code suggestions, and refinements.

AI/Bot-Assisted Contributions (@sourcery-ai, @coderabbitai, etc.)

  • @sourcery-ai: Generated a detailed PR summary highlighting new features (e.g., AudioManager cleanup helper), bug fixes (e.g., encrypted ConfigFile crash prevention, audio bus guards), enhancements (Godot/Docker/CI updates, checksum verification), and testing improvements. Also contributed a Reviewer's Guide with sequence diagrams, file-level change breakdowns, and issue linkage assessment. This aided in structuring the PR description and review process.
  • @coderabbitai: Provided a concise summary categorizing changes into Chores (toolchain upgrades, project settings), Bug Fixes (config reliability, audio handling), Tests (CI hardening), and Refactor (stable IDs in scenes). One commit explicitly lists co-authorship with @ikostan (e.g., updates to browser_test.yml or related files), indicating direct code suggestions or automated edits integrated by the maintainer.
  • Other potential bots: No direct commits or mentions of @dependabot in this PR. Standard GitHub bots (e.g., for actions or workflows) may have run in the background but are not prominently featured in conversation or commits.

DeepsourceReview: No explicit mentions, comments, or contributions from Deepsource (e.g., @deepsource-io or similar) were visible in the PR conversation, commits, or summaries. If Deepsource was configured for static analysis/linting, its review may have occurred implicitly via CI without a named bot comment.

These tools enhanced code quality, documentation, and maintainability without replacing core human-driven changes.

Human Contributions (@ikostan)

@ikostan (primary maintainer and author): Drove the entire PR as the main contributor. Key efforts include:

  • Planning and executing the Godot 4.6.3 upgrade across core files, workflows (browser_test.yml, gdunit4_tests.yml, gut_tests.yml, deploy_to_itch.yml), Dockerfile (with legacy 4.5 archival), project.godot, scenes, and test scripts.
  • Implementing bug fixes and robustness improvements (e.g., AudioManager guards/cleanup, empty ConfigFile handling to prevent crashes, GUT/GDUnit4 compatibility).
  • Adding security enhancements (SHA-256 checksum verification for downloads).
  • Refining tests, runner scripts, README, and CI for stability/verbosity.
  • Multiple iterative commits for polishing (e.g., GDUnit4 bumps, audio settings updates, cache handling).

ikostan added 7 commits June 11, 2026 18:16
Update the gdunit4_tests.yml workflow to use the Godot 4.6.3-stable binary for executing unit tests.
Update the gut_tests.yml workflow to use the Godot 4.6.3-stable binary for executing unit tests.
Update the browser_test.yml workflow to utilize the Godot 4.6.3-stable engine binary and export templates for Web functional testing.
Update the deploy_to_itch.yml workflow to utilize the Godot 4.6.3-stable engine binary and export templates for production builds.
Update the Dockerfile to utilize the Godot 4.6.3-stable engine binary and export templates to ensure the CI/CD container environment is synchronized with the new project standards.
Upgrade the core development environment from Godot 4.5.stable to Godot 4.6.3.stable. This update is expected to address compatibility constraints with newer community add-ons and may resolve existing API filtering issues that currently block framework integration within the Asset Library.
@ikostan ikostan self-assigned this Jun 12, 2026
@ikostan ikostan added the enhancement New feature or request label Jun 12, 2026
@ikostan ikostan linked an issue Jun 12, 2026 that may be closed by this pull request
@ikostan ikostan added the EPIC label Jun 12, 2026
@ikostan ikostan moved this to In Progress in Sky Lock Assault Project Jun 12, 2026
@sourcery-ai

sourcery-ai Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Upgrades the project environment from Godot 4.5 to 4.6.3, adding checksum-verified engine downloads, introducing a legacy 4.5 Docker image, hardening audio management and encrypted ConfigFile tests, and improving local/CI GUT and GDUnit4 test workflows and documentation.

Sequence diagram for AudioManager apply_volume_to_bus safety guards

sequenceDiagram
    participant AudioManager
    participant AudioServer

    AudioManager->>AudioManager: apply_volume_to_bus(bus_name, volume, muted)
    AudioManager->>AudioManager: is_instance_valid(AudioServer)?
    alt AudioServer not valid
        AudioManager-->>AudioManager: return
    else AudioServer valid
        AudioManager->>AudioServer: get_bus_index(bus_name)
        AudioServer-->>AudioManager: bus_idx
        alt bus_idx != -1
            AudioManager->>AudioServer: set_bus_volume_db(bus_idx, linear_to_db(volume))
            alt muted
                AudioManager->>AudioServer: set_bus_mute(bus_idx, true)
            else not muted
                AudioManager->>AudioServer: set_bus_mute(bus_idx, false)
            end
        else bus_idx == -1
            AudioManager-->>AudioManager: skip audio bus update
        end
    end
Loading

File-Level Changes

Change Details Files
Upgrade Docker-based development image and testing addons to Godot 4.6.3 with checksum-verified downloads and newer GDUnit4.
  • Bump GODOT_VERSION env to 4.6.3.stable and switch Godot binary/template URLs to 4.6.3 artifacts.
  • Add SHA-256 checksum verification for the Godot editor archive before unzip in the Docker image.
  • Update export template download and extraction to use the 4.6.3 release.
  • Upgrade GDUnit4 from v6.0.0 to v6.1.3 in the Docker image and use quiet wget invocations.
  • Simplify Playwright installation by removing redundant install-deps call while still installing Chromium with dependencies.
Dockerfile
Introduce a legacy Godot 4.5 Docker image preserved under an obsolete path for fallback use.
  • Add a standalone Ubuntu-based Dockerfile pinned to Godot 4.5, mirroring the previous main toolchain.
  • Include GDUnit4 v6.0.0, GUT v9.5.0, and Playwright setup compatible with the older engine version.
obsolete/godot_4.5_stable/Dockerfile
Harden audio management against invalid bus access and add a deterministic cleanup hook for unit tests.
  • Guard apply_volume_to_bus with an is_instance_valid(AudioServer) check to avoid engine-level errors when AudioServer is unavailable.
  • Check the resolved bus index for -1 before performing volume/mute operations to avoid p_ptr null errors.
  • Introduce cleanup_for_test() that clears audio caches, stops and frees all SFX players, and recreates the SFX pool only in debug builds.
scripts/managers/audio_manager.gd
Improve GUT and GDUnit4 CI workflows by parameterizing Godot version, verifying binaries, cleaning caches, and updating addons.
  • Add workflow_call inputs for godot_version and godot_sha256 and expose them as env vars in gut_tests and gdunit4_tests.
  • Replace hard-coded 4.5 download URLs with templated 4.6.3 paths for the Linux editor zip.
  • Validate downloaded Godot archives against the provided SHA-256 checksum and fail the job on mismatch.
  • Update GDUnit4 installation in the GDUnit4 workflow to v6.1.3 and remove old version folders.
  • Add .godot cache cleanup and verbose flags for GUT runs to improve determinism and logging.
.github/workflows/gut_tests.yml
.github/workflows/gdunit4_tests.yml
Secure export and browser-test workflows with 4.6.3 artifacts and checksum-verified downloads.
  • Add a pre-export step in the deploy_to_itch workflow that downloads Godot 4.6.3 editor and templates plus official SHA-256SUMS, verifies them, then serves them via a local HTTP server for the export action.
  • Switch deploy_to_itch to consume the locally served 4.6.3 archives instead of remote 4.5 builds.
  • Parameterize the Godot version in browser_test and update export URLs to 4.6.3-based GitHub release paths.
.github/workflows/deploy_to_itch.yml
.github/workflows/browser_test.yml
Make local GUT test runner more robust and isolated from GDUnit4 when executed on Windows.
  • Clarify the script header to target Godot 4.x generally and simplify .gutconfig.json assumptions.
  • Add a trap-based cleanup function that restores the gdUnit4 addon directory if it was temporarily disabled.
  • Temporarily move the gdUnit4 addon out of the addons folder before running GUT and restore it afterwards.
  • Narrow the GUT test directory to res://test/gut/ to avoid accidentally running non-GUT tests.
workspace/run_gut_unit_tests.sh
Stabilize tests involving encrypted ConfigFile saving by ensuring non-empty content before encryption and cleaning audio artifacts per test.
  • In audio-related GUT tests, add after_each hooks calling AudioManager.cleanup_for_test (if available) and deleting temporary config files.
  • Before calling save_encrypted_pass in GUT and GDUnit4 tests, set dummy values (e.g., in a meta section) to avoid the engine’s 0-byte encryption crash.
  • Apply this pattern consistently across settings, UI audio persistence, and input mapping tests that write encrypted fixtures.
test/gut/test_basic_save_load_without_other_settings.gd
test/gut/test_settings_ec.gd
test/gut/test_ui_audio_persistence.gd
test/gdunit4/test_settings.gd
Update project configuration, scenes, and documentation for Godot 4.6.3 and the new environment.
  • Adjust project.godot and default_bus_layout/audio_settings scenes for compatibility with Godot 4.6.3 and the new audio setup (including stable node IDs and bus names as needed).
  • Refresh README with Godot 4.6.3 as the target version, add Windows 11 to supported OSes, and bump referenced Docker Desktop and GitHub Desktop versions.
  • Add a milestone document that describes PR Upgrade project environment #754, its key changes, and contributor roles for the 4.6.3 upgrade.
project.godot
default_bus_layout.tres
scenes/audio_settings.tscn
README.md
files/docs/milestones/20/Part_2_Upgrade_project_environment_to_Godot_4_6_3.md

Assessment against linked issues

Issue Objective Addressed Explanation
#747 Update the core project configuration and documentation to target Godot 4.6.3.stable instead of 4.5.stable (including project settings, scenes, and README).
#747 Update the Docker-based development environment and supporting tooling to install and use Godot 4.6.3.stable, while preserving any needed legacy 4.5 setup separately.
#747 Update CI/CD workflows and automated tests (GUT, GDUnit4, browser/web export, deploy-to-itch) to run against Godot 4.6.3.stable, adding any necessary compatibility fixes so tests and exports pass under the new engine version.
#749 Update godot_executable_download_url in .github/workflows/browser_test.yml to use the Godot 4.6.3-stable Linux binary.
#749 Update godot_export_templates_download_url in .github/workflows/browser_test.yml to use the Godot 4.6.3-stable export templates.
#751 Update the gdunit4_tests.yml GitHub Actions workflow to download and use the Godot 4.6.3-stable Linux binary instead of 4.5-stable.
#751 Ensure the GDUnit4 version used in gdunit4_tests.yml is compatible and stable with Godot 4.6.3 (updating the installed GDUnit4 version if needed).
#751 Keep GDUnit4 automated test execution and report generation in gdunit4_tests.yml functional after upgrading to Godot 4.6.3.
#752 Update the gut_tests.yml GitHub Actions workflow to download and use the Godot 4.6.3-stable Linux binary instead of 4.5-stable.
#752 Ensure GUT v9.5.0 runs correctly with Godot 4.6.3, including proper project initialization and stable GUT test execution.
#752 Maintain correct generation and handling of GUT test artifacts (e.g., JUnit XML) and preserve existing CI reporting integrations such as Codecov when moving to Godot 4.6.3.
#753 Update the Dockerfile GODOT_VERSION environment variable to use Godot 4.6.3-stable.
#753 Update the Dockerfile Godot engine binary and export template download URLs to use the 4.6.3-stable artifacts.

Possibly linked issues


Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@ikostan ikostan linked an issue Jun 12, 2026 that may be closed by this pull request
@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Upgrades tooling and assets from Godot 4.5-stable to 4.6.3-stable: CI workflows and Dockerfile now fetch 4.6.3, project files and scenes reflect the newer format, tests add encryption-workaround fixtures and audio test helpers, and the legacy 4.5 Dockerfile is archived under obsolete/.

Changes

Godot 4.5 to 4.6.3 Upgrade

Layer / File(s) Summary
GitHub Actions CI/CD workflows upgrade to 4.6.3
.github/workflows/browser_test.yml, .github/workflows/deploy_to_itch.yml, .github/workflows/gdunit4_tests.yml, .github/workflows/gut_tests.yml
Workflows now download and use Godot 4.6.3-stable binaries and export templates; workflows add SHA-256 verification where present, gut_tests adds a cache-clean step and --verbose flag, and gdUnit4 installer bumped to v6.1.3.
Main Docker image Godot engine upgrade to 4.6.3
Dockerfile
GODOT_VERSION set to 4.6.3.stable; install steps updated to download/unpack 4.6.3 binary and export templates with checksum verification; GDUnit4 bumped to v6.1.3 and Playwright step streamlined.
Legacy Godot 4.5 stable environment archival
obsolete/godot_4.5_stable/Dockerfile
Adds an archived Dockerfile reproducing the prior Ubuntu-based Godot 4.5 CI image with system deps, Python/Node tooling, GDScript test addons, Playwright setup, healthcheck, and default command.
Project configuration version update to 4.6
project.godot
Bumps config/features from "4.5" to "4.6", adds [animation] compatibility setting, sets audio default bus layout UID, and enables gdUnit4 plus gut in editor plugins.
Resource & scene format updates
default_bus_layout.tres, scenes/audio_settings.tscn
Engine-updated AudioBusLayout header removed load_steps; scenes/audio_settings.tscn adds unique_id attributes to multiple nodes.
AudioManager test support and test fixes
scripts/managers/audio_manager.gd, test/gut/test_basic_save_load_without_other_settings.gd, test/gut/test_settings_ec.gd, test/gut/test_ui_audio_persistence.gd, test/gdunit4/test_settings.gd, workspace/run_gut_unit_tests.sh
Adds a guard in apply_volume_to_bus, new cleanup_for_test() to reset audio pools; tests insert minimal metadata before encrypted saves to avoid 0-byte encryption bug; after_each() cleanup added; test runner disables incompatible gdUnit4 addon and points GUT to res://test/gut/.
README and environment documentation
README.md
Update project prerequisites to reference Godot 4.6.3, add Windows 11 support, and refresh pinned Docker Desktop and GitHub Desktop versions.

Sequence Diagram

sequenceDiagram
  participant DevEnv as Dockerfile
  participant CI as GitHubWorkflows
  participant Tests as GUT/GDUnit4 tests
  participant Godot as "Godot 4.6.3-stable release"

  CI->>Godot: download engine binary & export templates (sha256 verified where present)
  DevEnv->>Godot: download engine binary & templates for image
  Tests->>DevEnv: run headless engine (uses installed 4.6.3)
  Tests->>Godot: rely on 4.6.3 behavior for test fixtures
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

Possibly related PRs

  • ikostan/SkyLockAssault#713 — Overlaps UI audio persistence tests and encrypted-config handling; this PR adjusts test fixtures around the 0-byte encryption bug workaround.

Suggested labels

setup, testing, dependencies

Poem

🐰 From four-point-five to four-point-six-three I hop,
CI fetches fresh engines, the artifacts don't stop;
Scenes sparkle with IDs, tests tidy up their state,
Old Docker rests peacefully while new builds accelerate;
The stable release carrot: a flick that feels great!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'Upgrade project environment' is partially related to the changeset, referring to a real aspect of the changes (Godot version upgrade and environment configuration), but is overly broad and doesn't capture the main point that this involves upgrading to Godot 4.6.3 and CI workflow updates. Consider using a more specific title like 'Upgrade to Godot 4.6.3 and update CI workflows' to clearly convey the primary changes and version being upgraded to.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The PR description is comprehensive and well-structured. It includes a detailed overview, key changes organized by category, security enhancements, testing improvements, CI/CD updates, and documentation changes. The description substantially exceeds template requirements with thorough context.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch upgrade-project-environment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In .github/workflows/browser_test.yml, the godot_export_templates_download_url has a hhttps:// typo that will break the templates download step.
  • In .github/workflows/gdunit4_tests.yml, the wget URL was updated to 4.6.3 but the unzip and mv commands still reference the 4.5 archive and directory names, which will fail at runtime; these should be updated to the 4.6.3 filenames.
  • Similarly, in .github/workflows/gut_tests.yml the Godot download URL is 4.6.3 but the subsequent unzip and mv commands still reference 4.5, so the filenames and directory names need to be aligned with the new version.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `.github/workflows/browser_test.yml`, the `godot_export_templates_download_url` has a `hhttps://` typo that will break the templates download step.
- In `.github/workflows/gdunit4_tests.yml`, the wget URL was updated to 4.6.3 but the `unzip` and `mv` commands still reference the 4.5 archive and directory names, which will fail at runtime; these should be updated to the 4.6.3 filenames.
- Similarly, in `.github/workflows/gut_tests.yml` the Godot download URL is 4.6.3 but the subsequent `unzip` and `mv` commands still reference 4.5, so the filenames and directory names need to be aligned with the new version.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@deepsource-io

deepsource-io Bot commented Jun 12, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in 8e0e67c...ff8a3f3 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
Python Jun 17, 2026 3:38a.m. Review ↗
JavaScript Jun 17, 2026 3:38a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
obsolete/godot_4.5_stable/Dockerfile (1)

73-76: 💤 Low value

Redundant system dependency installation.

Line 75 runs playwright install-deps, then line 76 runs playwright install --with-deps chromium. The --with-deps flag already installs system dependencies, making line 75 redundant.

For a cleaner build, remove the redundant call:

♻️ Suggested simplification
 # Install Playwright Python packages and system deps (as root)
 RUN pip install playwright pytest-playwright pytest-asyncio \
-    && playwright install-deps \
     && playwright install --with-deps chromium
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@obsolete/godot_4.5_stable/Dockerfile` around lines 73 - 76, Remove the
redundant system dependency installation by deleting the standalone "playwright
install-deps" invocation; keep the single command "playwright install
--with-deps chromium" (which already installs system deps) so the RUN block only
runs pip install ... and then playwright install --with-deps chromium.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/browser_test.yml:
- Around line 50-51: The godot_export_templates_download_url value is malformed
(it starts with "hhttps://") so the export action cannot download templates; fix
the string assigned to godot_export_templates_download_url to the correct URL
("https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_export_templates.tpz")
ensuring it matches the pattern used by godot_executable_download_url and
removes the extra leading 'h' so the firebelley/godot-export step can
successfully fetch export templates.

In @.github/workflows/gdunit4_tests.yml:
- Around line 21-24: The unzip and mv steps still reference
Godot_v4.5-stable_linux.x86_64 while the download uses Godot_v4.6.3-stable;
update the archive and directory names in the install block so they match the
downloaded file: replace occurrences of "Godot_v4.5-stable_linux.x86_64.zip" and
"Godot_v4.5-stable_linux.x86_64" with "Godot_v4.6.3-stable_linux.x86_64.zip" and
"Godot_v4.6.3-stable_linux.x86_64" respectively (the wget/unzip/mv commands in
the workflow install section), and make the same change in the other test
workflow to ensure the godot binary is created.

---

Nitpick comments:
In `@obsolete/godot_4.5_stable/Dockerfile`:
- Around line 73-76: Remove the redundant system dependency installation by
deleting the standalone "playwright install-deps" invocation; keep the single
command "playwright install --with-deps chromium" (which already installs system
deps) so the RUN block only runs pip install ... and then playwright install
--with-deps chromium.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 964d2d3d-d651-4024-a8ab-f8dda99b9416

📥 Commits

Reviewing files that changed from the base of the PR and between 8e0e67c and 857a8da.

📒 Files selected for processing (8)
  • .github/workflows/browser_test.yml
  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/gdunit4_tests.yml
  • .github/workflows/gut_tests.yml
  • Dockerfile
  • default_bus_layout.tres
  • obsolete/godot_4.5_stable/Dockerfile
  • project.godot
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Sourcery review
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-04-28T02:11:45.806Z
Learnt from: ikostan
Repo: ikostan/SkyLockAssault PR: 588
File: .github/workflows/deploy_to_itch.yml:44-56
Timestamp: 2026-04-28T02:11:45.806Z
Learning: When a CI workflow edits Godot's `project.godot` (INI) to inject custom ProjectSettings values, insert the setting key under the correct section header that matches the `game/` (or other) root in the ProjectSettings path. For example, `ProjectSettings.get_setting("game/security/save_salt", ...)` expects the INI entry under `[game]` with key `security/save_salt` (i.e., `[game]` then `security/save_salt=...`), not under `[application]`. Otherwise the lookup will fall back to the default value at runtime.

Applied to files:

  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/browser_test.yml
  • .github/workflows/gdunit4_tests.yml
  • .github/workflows/gut_tests.yml
📚 Learning: 2026-05-20T00:01:27.632Z
Learnt from: ikostan
Repo: ikostan/SkyLockAssault PR: 654
File: .github/workflows/browser_test.yml:99-101
Timestamp: 2026-05-20T00:01:27.632Z
Learning: In this repository’s GitHub Actions workflows, treat supply-chain pinning as follows: 
- **Do not flag** steps that use **first-party** GitHub-owned actions under `actions/*` (e.g., `actions/checkout`, `actions/cache`) when they use a **major version tag** like `v6` / `v5`.
- **Do flag** **third-party** actions (anything not under `actions/*`, e.g., `firebelley/godot-export`, `codecov/codecov-action`) when they use an unpinned ref such as `vX` or `main` instead of being pinned to a **commit SHA** (i.e., `@<commit-sha>`).

Applied to files:

  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/browser_test.yml
  • .github/workflows/gdunit4_tests.yml
  • .github/workflows/gut_tests.yml
🔇 Additional comments (11)
obsolete/godot_4.5_stable/Dockerfile (7)

1-10: LGTM!


12-21: LGTM!


23-40: LGTM!


42-55: LGTM!


57-71: LGTM!


78-82: LGTM!


84-92: LGTM!

.github/workflows/deploy_to_itch.yml (1)

66-67: LGTM!

Dockerfile (1)

20-21: LGTM!

Also applies to: 42-55, 92-92

project.godot (1)

11-13: LGTM!

Also applies to: 20-20

default_bus_layout.tres (1)

1-1: LGTM!

Comment thread .github/workflows/browser_test.yml Outdated
Comment thread .github/workflows/gdunit4_tests.yml Outdated
@ikostan

ikostan commented Jun 15, 2026

Copy link
Copy Markdown
Owner Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The new cleanup_for_test method on AudioManager is production-visible on an autoload; consider guarding it behind a debug/editor flag or moving test-only cleanup into a dedicated test helper to avoid accidental use in game code.
  • Godot version and SHA-256 values are now hard-coded in multiple places (Dockerfile, workflows); centralizing these into build args or workflow environment variables would make future upgrades less error-prone and easier to keep in sync.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The new `cleanup_for_test` method on `AudioManager` is production-visible on an autoload; consider guarding it behind a debug/editor flag or moving test-only cleanup into a dedicated test helper to avoid accidental use in game code.
- Godot version and SHA-256 values are now hard-coded in multiple places (Dockerfile, workflows); centralizing these into build args or workflow environment variables would make future upgrades less error-prone and easier to keep in sync.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

The new cleanup_for_test method on AudioManager is production-visible on an autoload; consider guarding it behind a debug/editor flag or moving test-only cleanup into a dedicated test helper to avoid accidental use in game code.
@ikostan

ikostan commented Jun 15, 2026

Copy link
Copy Markdown
Owner Author
  • The new cleanup_for_test method on AudioManager is production-visible on an autoload; consider guarding it behind a debug/editor flag or moving test-only cleanup into a dedicated test helper to avoid accidental use in game code.

Completely agree. Leaving a destructive teardown method exposed on a core global Autoload is an accident waiting to happen.

Since GDScript doesn't have a preprocessor for conditional compilation, I've added a hard runtime guard using OS.is_debug_build() along with a developer assert(). This ensures the method is completely inert in production release builds and will fail-fast during development if accidentally invoked in game code.

ikostan added 2 commits June 14, 2026 20:58
Add inputs to GitHub Actions workflows to allow selecting the Godot version and checksum at invocation. .github/workflows/browser_test.yml: add godot_version input and parameterize release download URLs for the export step. .github/workflows/gdunit4_tests.yml and .github/workflows/gut_tests.yml: add godot_version and godot_sha256 inputs, export them to env (GODOT_VERSION/GODOT_SHA256), and update wget, checksum verification, unzip, and mv commands to use the variables. Defaults remain set to 4.6.3-stable and its SHA256. This makes the workflows flexible for testing different Godot releases without editing the workflow files.
@ikostan

ikostan commented Jun 15, 2026

Copy link
Copy Markdown
Owner Author
  • Godot version and SHA-256 values are now hard-coded in multiple places (Dockerfile, workflows); centralizing these into build args or workflow environment variables would make future upgrades less error-prone and easier to keep in sync.

Implementing this will mean your next Godot version upgrade takes 10 seconds and requires changing just one or two lines of code, completely eliminating the risk of mismatched version strings breaking your runtime pipelines.

@ikostan

ikostan commented Jun 15, 2026

Copy link
Copy Markdown
Owner Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 4 issues, and left some high level feedback:

  • In audio_manager.gd::cleanup_for_test the OS.is_debug_build() guard followed immediately by an assert(OS.is_debug_build(), ...) is redundant because the early return prevents the assert from ever firing in non‑debug builds; consider keeping just one of these checks.
  • The Dockerfile comment "using trusted cryptographic signature" is misleading since the code only validates a hardcoded SHA-256 checksum, not a signed artifact; consider rewording to accurately describe the verification mechanism.
  • The Godot 4.6.3 SHA-256 checksum is duplicated across the Dockerfile and multiple workflows; consider centralizing this value (e.g., via build args, reusable workflow inputs, or a shared env) to avoid drift on future version bumps.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `audio_manager.gd::cleanup_for_test` the `OS.is_debug_build()` guard followed immediately by an `assert(OS.is_debug_build(), ...)` is redundant because the early return prevents the assert from ever firing in non‑debug builds; consider keeping just one of these checks.
- The Dockerfile comment "using trusted cryptographic signature" is misleading since the code only validates a hardcoded SHA-256 checksum, not a signed artifact; consider rewording to accurately describe the verification mechanism.
- The Godot 4.6.3 SHA-256 checksum is duplicated across the Dockerfile and multiple workflows; consider centralizing this value (e.g., via build args, reusable workflow inputs, or a shared env) to avoid drift on future version bumps.

## Individual Comments

### Comment 1
<location path="scripts/managers/audio_manager.gd" line_range="504-516" />
<code_context>
+## Forcefully clear resources to prevent leaks between unit tests.
+## Strictly guarded to prevent accidental execution in production builds.
+func cleanup_for_test() -> void:
+	# 0. Production safety guards
+	if not OS.is_debug_build():
+		return
+	assert(
+		OS.is_debug_build(), "cleanup_for_test() should only be called in test/debug environments."
+	)
</code_context>
<issue_to_address>
**suggestion:** The `OS.is_debug_build()` check is duplicated before and inside the assert, making the assert effectively unreachable in release builds.

Because of the early return, this function is already a no-op in non-debug builds. The subsequent `assert(OS.is_debug_build(), ...)` only runs in debug builds, where the condition is always true, so it never guards against misuse. Consider removing the assert, or replacing it with a check on a different flag (e.g. `ENABLE_TEST_CLEANUP`) if you want an assertion that can actually fail when misused.

```suggestion
## FOR GUT UNIT TEST ONLY
## Forcefully clear resources to prevent leaks between unit tests.
## Strictly guarded to prevent accidental execution in production builds.
func cleanup_for_test() -> void:
	# 0. Production safety guards
	if not OS.is_debug_build():
		return

	_sfx_cache.clear()
	_missing_sfx_cache.clear()
```
</issue_to_address>

### Comment 2
<location path=".github/workflows/deploy_to_itch.yml" line_range="66-67" />
<code_context>
         with:
-          godot_executable_download_url: "https://github.com/godotengine/godot-builds/releases/download/4.5-stable/Godot_v4.5-stable_linux.x86_64.zip"
-          godot_export_templates_download_url: "https://github.com/godotengine/godot-builds/releases/download/4.5-stable/Godot_v4.5-stable_export_templates.tpz"
+          godot_executable_download_url: "https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_linux.x86_64.zip"
+          godot_export_templates_download_url: "https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_export_templates.tpz"
           relative_project_path: "./"
           relative_export_path: "./export/web"
</code_context>
<issue_to_address>
**🚨 suggestion (security):** The workflow now downloads Godot artifacts without integrity verification, unlike the main Dockerfile which uses a SHA-256 check.

Please add an integrity check for these downloads as well—e.g., verify a published checksum from a trusted source or hard-code the expected SHA-256 for this Godot version—before using the artifacts in the export step.

Suggested implementation:

```
        - name: Download Godot with integrity check
          run: |
            set -euo pipefail

            GODOT_EXECUTABLE_URL="https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_linux.x86_64.zip"
            GODOT_EXECUTABLE_SHA256="REPLACE_WITH_REAL_GODOT_EXECUTABLE_SHA256"

            GODOT_EXPORT_TEMPLATES_URL="https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_export_templates.tpz"
            GODOT_EXPORT_TEMPLATES_SHA256="REPLACE_WITH_REAL_GODOT_EXPORT_TEMPLATES_SHA256"

            curl -L "$GODOT_EXECUTABLE_URL" -o /tmp/godot_linux.x86_64.zip
            echo "${GODOT_EXECUTABLE_SHA256}  /tmp/godot_linux.x86_64.zip" | sha256sum -c -

            curl -L "$GODOT_EXPORT_TEMPLATES_URL" -o /tmp/godot_export_templates.tpz
            echo "${GODOT_EXPORT_TEMPLATES_SHA256}  /tmp/godot_export_templates.tpz" | sha256sum -c -

        id: "export"
        uses: "firebelley/godot-export@615a6f7afc22d6266bf55c17748fb07447e8bdab"
        with:
          godot_executable_download_url: "file:///tmp/godot_linux.x86_64.zip"
          godot_export_templates_download_url: "file:///tmp/godot_export_templates.tpz"
          relative_project_path: "./"
          relative_export_path: "./export/web"
          archive_output: true

```

1. Replace `REPLACE_WITH_REAL_GODOT_EXECUTABLE_SHA256` and `REPLACE_WITH_REAL_GODOT_EXPORT_TEMPLATES_SHA256` with the actual SHA-256 checksums published by the Godot project for `Godot_v4.6.3-stable_linux.x86_64.zip` and `Godot_v4.6.3-stable_export_templates.tpz`.
2. Confirm that `firebelley/godot-export` accepts `file://` URLs (it typically just downloads the given URL; `file://` should work on GitHub-hosted runners). If not, you may need to fork or adjust the action to accept pre-downloaded paths instead of URLs.
</issue_to_address>

### Comment 3
<location path="files/docs/milestones/20/Part_2_Upgrade_project_environment_to_Godot_4_6_3.md" line_range="92" />
<code_context>
+**DeepsourceReview**: No explicit mentions, comments, or contributions from Deepsource (e.g., @deepsource-io or similar) were visible in the PR conversation, commits, or summaries. If Deepsource was configured for static analysis/linting, its review may have occurred implicitly via CI without a named bot comment.
</code_context>
<issue_to_address>
**suggestion (typo):** Align the capitalization of "DeepSource" consistently.

Use "DeepSource" consistently (e.g., "DeepSource Review") to match the official product name and keep terminology uniform across the docs.

```suggestion
**DeepSource Review**: No explicit mentions, comments, or contributions from DeepSource (e.g., @deepsource-io or similar) were visible in the PR conversation, commits, or summaries. If DeepSource was configured for static analysis/linting, its review may have occurred implicitly via CI without a named bot comment.
```
</issue_to_address>

### Comment 4
<location path="files/docs/milestones/20/Part_2_Upgrade_project_environment_to_Godot_4_6_3.md" line_range="57" />
<code_context>
+| Harden local and CI GUT/GDUnit4 test execution scripts for reliability and clearer diagnostics.                | <ul><li>Enhance workspace/run_gut_unit_tests.sh to temporarily disable the gdUnit4 addon while running GUT tests, restoring it via a trap-based cleanup function, and narrow the test directory to res://test/gut/.</li><li>Update gdunit4_tests and gut_tests workflows to download Godot 4.6.3 with checksum verification, clean .godot cache before GUT runs, and enable verbose output for easier debugging of CI failures.</li></ul>                                                                                                                                                                                                               | `workspace/run_gut_unit_tests.sh`<br/>`.github/workflows/gdunit4_tests.yml`<br/>`.github/workflows/gut_tests.yml`                                                                                |
</code_context>
<issue_to_address>
**nitpick (typo):** Use consistent capitalization for GDUnit4 within this description.

In this row, the heading uses "GUT/GDUnit4" while the details use "gdUnit4 addon". Please standardize the framework name’s capitalization (e.g., "GDUnit4 addon"), keeping file names like `gdunit4_tests.yml` unchanged.

```suggestion
| Harden local and CI GUT/GDUnit4 test execution scripts for reliability and clearer diagnostics.                | <ul><li>Enhance workspace/run_gut_unit_tests.sh to temporarily disable the GDUnit4 addon while running GUT tests, restoring it via a trap-based cleanup function, and narrow the test directory to res://test/gut/.</li><li>Update gdunit4_tests and gut_tests workflows to download Godot 4.6.3 with checksum verification, clean .godot cache before GUT runs, and enable verbose output for easier debugging of CI failures.</li></ul>                                                                                                                                                                                                               | `workspace/run_gut_unit_tests.sh`<br/>`.github/workflows/gdunit4_tests.yml`<br/>`.github/workflows/gut_tests.yml`                                                                                |
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread scripts/managers/audio_manager.gd
Comment thread .github/workflows/deploy_to_itch.yml Outdated
Comment thread files/docs/milestones/20/Part_2_Upgrade_project_environment_to_Godot_4_6_3.md Outdated
Comment thread files/docs/milestones/20/Part_2_Upgrade_project_environment_to_Godot_4_6_3.md Outdated
ikostan and others added 6 commits June 14, 2026 21:24
…_Godot_4_6_3.md

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
…_Godot_4_6_3.md

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Add a workflow step that downloads the Godot 4.6.3-stable executable, export templates, and official SHA-256 checksums, verifies integrity with sha256sum, and starts a local Python HTTP server to host the files. Update the godot-export action to use localhost URLs so the verified binaries are used during the Web export. This ensures binary integrity and avoids direct external downloads at export time.
@ikostan

ikostan commented Jun 17, 2026

Copy link
Copy Markdown
Owner Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 3 issues, and left some high level feedback:

  • The Godot version and SHA-256 checksum are now hardcoded in multiple places (Dockerfile, gdunit4_tests.yml, gut_tests.yml, deploy_to_itch.yml); consider centralizing them via build-args/ENV or reusable workflow inputs to avoid drift on the next upgrade.
  • In the deploy_to_itch workflow, spinning up a local HTTP server just to re-serve the downloaded Godot artifacts adds complexity; you could keep using the GitHub URLs directly and still verify integrity via SHA256SUMS.txt to simplify the job.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The Godot version and SHA-256 checksum are now hardcoded in multiple places (Dockerfile, gdunit4_tests.yml, gut_tests.yml, deploy_to_itch.yml); consider centralizing them via build-args/ENV or reusable workflow inputs to avoid drift on the next upgrade.
- In the deploy_to_itch workflow, spinning up a local HTTP server just to re-serve the downloaded Godot artifacts adds complexity; you could keep using the GitHub URLs directly and still verify integrity via SHA256SUMS.txt to simplify the job.

## Individual Comments

### Comment 1
<location path="scripts/managers/audio_manager.gd" line_range="507-516" />
<code_context>
+## FOR GUT UNIT TEST ONLY
+## Forcefully clear resources to prevent leaks between unit tests.
+## Strictly guarded to prevent accidental execution in production builds.
+func cleanup_for_test() -> void:
+	# 0. Production safety guards
+	if not OS.is_debug_build():
+		return
+
+	_sfx_cache.clear()
+	_missing_sfx_cache.clear()
+
+	# 1. Clean the pool deterministically
+	for i in range(_sfx_pool.size() - 1, -1, -1):
+		var player := _sfx_pool[i]
+		if is_instance_valid(player):
+			player.stop()
+			# Reset bus before freeing to avoid dangling references
+			player.bus = "Master"
+			if player.get_parent() == self:
+				remove_child(player)
+			player.free()
+		_sfx_pool.remove_at(i)
+
+	# 2. Re-create the pool
+	for i in range(SFX_POOL_SIZE):
+		var p := AudioStreamPlayer.new()
+		add_child(p)
+		_sfx_pool.append(p)
</code_context>
<issue_to_address>
**issue (testing):** `cleanup_for_test` recreates the SFX pool but may not restore the original configuration of the players.

Because this only does `AudioStreamPlayer.new()` and `add_child(p)`, any custom configuration done in the normal initialization path (bus, volume, autoload, groups, etc.) won’t be reapplied. That means the pool state in tests can diverge from real runtime behavior, and this helper would be unsafe to call outside a tightly controlled test context. Consider extracting a shared pool-initialization routine used by both `_ready()` and `cleanup_for_test` so the recreated pool exactly matches the production configuration.
</issue_to_address>

### Comment 2
<location path="Dockerfile" line_range="43-48" />
<code_context>
-    && unzip Godot_v4.5-stable_linux.x86_64.zip \
-    && mv Godot_v4.5-stable_linux.x86_64 /usr/local/bin/godot \
+# Download and verify Godot v4.6.3 binary using trusted cryptographic signature
+RUN wget -q https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_linux.x86_64.zip \
+    && echo "d0bc2113065e481c9c2c2b2c37daa4e8be3fe9e27f0ab9ab0b6096e9a37907f3  Godot_v4.6.3-stable_linux.x86_64.zip" | sha256sum --check --status \
+    && unzip Godot_v4.6.3-stable_linux.x86_64.zip \
+    && mv Godot_v4.6.3-stable_linux.x86_64 /usr/local/bin/godot \
     && chmod +x /usr/local/bin/godot \
-    && rm Godot_v4.5-stable_linux.x86_64.zip
+    && rm Godot_v4.6.3-stable_linux.x86_64.zip

-# Download and extract export templates, placing them in the user-specific location
</code_context>
<issue_to_address>
**suggestion:** Using a hardcoded SHA-256 hash in the Dockerfile makes updates a bit brittle compared to consuming the official checksum file.

This does improve integrity, but it also tightly couples the Dockerfile to a specific checksum. When updating Godot, it’s easy to miss updating this hash. Consider mirroring the GitHub workflow: download the version’s official `SHA256SUMS` file and verify against it so you only need to change the version string, not an embedded hash.

Suggested implementation:

```
# Download and verify Godot v4.6.3 binary using the official SHA256SUMS file
RUN wget -q https://github.com/godotengine/godot/releases/download/4.6.3-stable/SHA256SUMS.txt \
    && wget -q https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_linux.x86_64.zip \
    && grep " Godot_v4.6.3-stable_linux.x86_64.zip\$" SHA256SUMS.txt | sha256sum --check --status \
    && unzip Godot_v4.6.3-stable_linux.x86_64.zip \
    && mv Godot_v4.6.3-stable_linux.x86_64 /usr/local/bin/godot \
    && chmod +x /usr/local/bin/godot \
    && rm Godot_v4.6.3-stable_linux.x86_64.zip SHA256SUMS.txt

```

```
# Download, verify, and extract export templates using the official SHA256SUMS file
RUN wget -q https://github.com/godotengine/godot/releases/download/4.6.3-stable/SHA256SUMS.txt \
    && wget -q https://github.com/godotengine/godot/releases/download/4.6.3-stable/Godot_v4.6.3-stable_export_templates.tpz \
    && grep " Godot_v4.6.3-stable_export_templates.tpz\$" SHA256SUMS.txt | sha256sum --check --status \
    && mkdir -p "${XDG_DATA_HOME}/godot/export_templates/${GODOT_VERSION}" \
    && unzip Godot_v4.6.3-stable_export_templates.tpz -d /tmp/templates \
    && mv /tmp/templates/templates/* "${XDG_DATA_HOME}/godot/export_templates/${GODOT_VERSION}/" \
    && rm -rf /tmp/templates Godot_v4.6.3-stable_export_templates.tpz SHA256SUMS.txt \
    && chown -R godotuser:godotuser "${XDG_DATA_HOME}"

```
</issue_to_address>

### Comment 3
<location path=".github/workflows/deploy_to_itch.yml" line_range="84-88" />
<code_context>
+          echo "🔒 Verifying binary integrity against official signatures..."
+          sha256sum --check --ignore-missing SHA256SUMS.txt
+
+          echo "✅ Integrity check passed. Starting local HTTP server..."
+          nohup python3 -m http.server 8000 > /dev/null 2>&1 &
+
+          # Allow the background server a brief moment to initialize
+          sleep 2
+
       - name: "Export Godot to Web"
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Relying on a local HTTP server for Godot artifacts adds moving parts and a potential race condition.

This approach also hard-codes a specific port and depends on server startup timing. Prefer configuring the export step to use the official HTTPS download URLs directly (with checksum verification handled earlier) or, if supported, local file paths. If you stick with a local HTTP server, replace the fixed `sleep` with a small readiness loop (e.g., curl `http://localhost:8000/` with a timeout) to avoid flakiness.

Suggested implementation:

```
          echo "📥 Downloading Godot export templates..."
          curl -fL --show-error -o Godot_v4.6.3-stable_export_templates.tpz "$TEMPLATE_URL"

          echo "📥 Downloading official SHA-256 checksums..."
          curl -fL --show-error -o SHA256SUMS.txt "$CHECKSUM_URL"

          echo "🔒 Verifying binary integrity against official signatures..."
          sha256sum --check --ignore-missing SHA256SUMS.txt

      - name: "Export Godot to Web"
        id: "export"
        uses: "firebelley/godot-export@615a6f7afc22d6266bf55c17748fb07447e8bdab"
        with:
          godot_executable_download_url: "${{ env.GODOT_LINUX_DOWNLOAD_URL }}"
          godot_export_templates_download_url: "${{ env.GODOT_EXPORT_TEMPLATES_DOWNLOAD_URL }}"
          relative_project_path: "./"
          relative_export_path: "./export/web"
          archive_output: true

```

To fully implement the suggestion and avoid the local HTTP server:

1. Define `GODOT_LINUX_DOWNLOAD_URL` and `GODOT_EXPORT_TEMPLATES_DOWNLOAD_URL` as job- or workflow-level `env` values, pointing to the official HTTPS URLs for:
   - The Godot Linux executable zip (`GODOT_LINUX_DOWNLOAD_URL`)
   - The Godot export templates tpz (`GODOT_EXPORT_TEMPLATES_DOWNLOAD_URL`)
2. Update the earlier `curl` commands to use these env vars instead of shell-only variables, for example:
   - `curl ... -o Godot_v4.6.3-stable_export_templates.tpz "${GODOT_EXPORT_TEMPLATES_DOWNLOAD_URL}"`
   - If you also pre-download the executable for verification, use `${GODOT_LINUX_DOWNLOAD_URL}` there as well.
3. Ensure checksum verification (with `sha256sum`) covers all downloaded artifacts you care about (templates and, if desired, the executable), using the official checksum file.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread scripts/managers/audio_manager.gd
Comment thread Dockerfile Outdated
Comment thread .github/workflows/deploy_to_itch.yml Outdated
ikostan added 4 commits June 16, 2026 19:42
…restore the original configuration of the players.

Because this only does AudioStreamPlayer.new() and add_child(p), any custom configuration done in the normal initialization path (bus, volume, autoload, groups, etc.) won’t be reapplied. That means the pool state in tests can diverge from real runtime behavior, and this helper would be unsafe to call outside a tightly controlled test context. Consider extracting a shared pool-initialization routine used by both _ready() and cleanup_for_test so the recreated pool exactly matches the production configuration.
…dates a bit brittle compared to consuming the official checksum file.

This does improve integrity, but it also tightly couples the Dockerfile to a specific checksum. When updating Godot, it’s easy to miss updating this hash. Consider mirroring the GitHub workflow: download the version’s official SHA256SUMS file and verify against it so you only need to change the version string, not an embedded hash.

Suggested im
Replace a fixed sleep with an active readiness check before exporting the Godot Web build: start the local HTTP server, poll localhost with curl up to a 10s timeout (half-second intervals), and fail fast with a clear error message if the server doesn't become responsive. Adds informative log messages for startup and readiness to improve reliability of the deploy_to_itch workflow.
Delete redundant loop in _ready() that manually created and appended AudioStreamPlayer nodes for the SFX pool. The pool is now initialized solely via _initialize_sfx_pool(), avoiding duplicate child nodes and duplicate entries in the _sfx_pool.
@ikostan ikostan merged commit 0b48ebb into main Jun 17, 2026
12 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Sky Lock Assault Project Jun 17, 2026
@ikostan ikostan deleted the upgrade-project-environment branch June 17, 2026 03:57
@ikostan ikostan linked an issue Jun 18, 2026 that may be closed by this pull request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment