
Bug cicd deployment workflow fails with 404 on godot checksum download#757

Merged
ikostan merged 9 commits into
mainfrom
bug-cicd-deployment-workflow-fails-with-404-on-godot-checksum-download
Jun 18, 2026

Conversation


@ikostan ikostan commented Jun 18, 2026

Owner

name: Default Pull Request Template
about: Suggesting changes to SkyLockAssault
title: ''
labels: ''
assignees: ''

Description

What does this PR do? (e.g., "Fixes player jump physics in level 2" or "Adds
new enemy AI script")

Related Issue

Closes #ISSUE_NUMBER (if applicable)

Changes

  • List key changes here (e.g., "Updated Jump.gd to use Godot 4.4's new Tween
    system")
  • Any breaking changes? (e.g., "Deprecated old signal; migrate to new one")

Testing

  • Ran the game in Godot v4.5 editor—describe what you tested (e.g., "Jump
    works on Win10 with 60 FPS")
  • Any new unit tests added? (Link to test scene if yes)
  • Screenshots/GIFs if UI-related: (Attach below)

Checklist

  • Code follows Godot style guide (e.g., snake_case for variables)
  • No console errors in editor/output
  • Ready for review!

Additional Notes

Anything else? (e.g., "Tested on Win10 64-bit; needs Linux validation")

Summary by Sourcery

Add a reusable script and workflow wiring to validate Godot engine assets and checksums during CI/CD and deployment.

New Features:

  • Introduce a verify_godot.sh script to download Godot binaries, fetch checksum manifests from official mirrors, and validate asset integrity.

Bug Fixes:

  • Fix deployment workflow failures by validating Godot download URLs and checksum sources before starting exports.

Enhancements:

  • Refactor the deployment workflow to delegate Godot download and verification to a shared script and parameterize the Godot version via workflow inputs.
  • Extend the CI infrastructure test workflow to exercise the Godot asset verification script with a configurable version.
  • Wire lint/test workflows to pass a specific Godot version into shared CI/CD infrastructure tests.

Summary by CodeRabbit

  • Chores
    • Implemented automated verification and checksum validation for Godot engine binaries throughout the deployment pipeline
    • Unified and standardized Godot version configuration across all CI/CD workflows with a consistent default version (4.6.3-stable)
    • Strengthened build infrastructure reliability by introducing comprehensive artifact validation processes to catch corrupted or incomplete downloads

ikostan added 2 commits June 17, 2026 20:18
Update the 'Download and Verify Godot Binaries' step to derive a TUX_VERSION and download checksum manifests from the TuxFamily mirror instead of GitHub. If SHA256SUMS.txt is missing, fall back to SHA512-SUMS.txt and verify using sha512sum; otherwise verify with sha256sum. Keep downloading Godot executable and export templates from GitHub and preserve the local HTTP server start/wait logic with improved logging and error handling.
Introduce .github/scripts/verify_godot.sh to download Godot release assets, validate URLs, fetch checksum manifests (SHA-256 with SHA-512 fallback) from the TuxFamily mirror, and verify artifact integrity. Update deploy_to_itch.yml to accept a godot_version input, call the new verification script, start a local HTTP server, and pass the input-based asset URLs to the export action (replacing duplicated download/verify logic). Set a default godot_version for browser test workflow calls in lint_test_deploy.yml and lint_test_on_pull.yml. Add a godot_version input and a test step that runs the verifier in test_ci_scripts.yml. These changes centralize verification, remove duplicated logic, and make the pipelines configurable and more maintainable.
@ikostan ikostan self-assigned this Jun 18, 2026
@ikostan ikostan added the bug Something isn't working label Jun 18, 2026
@ikostan ikostan added CI/CD github actions Pull requests that update GitHub Actions code github_actions Pull requests that update GitHub Actions code labels Jun 18, 2026

sourcery-ai Bot commented Jun 18, 2026

Contributor

Reviewer's Guide

Centralizes Godot binary download and checksum verification into a reusable script, wires it into deploy and CI workflows, and propagates a configurable Godot version parameter across pipelines to prevent 404s and ensure cryptographic verification of engine assets.

Flow diagram for verify_godot.sh Godot asset verification and checksum fallback

```mermaid
flowchart TD
  A["Start verify_godot.sh, input GODOT_VERSION"] --> B["Set STAGING_DIR godot_binaries, create and cd"]
  B --> C["Build EXE_URL and TEMPLATE_URL on GitHub Releases"]

  C --> D{"curl -sI EXE_URL and TEMPLATE_URL"}
  D -- 404 or failure --> Z1["Exit FATAL, invalid Godot URLs"]
  D -- OK --> E["Download EXE_FILE and TEMPLATE_FILE via curl"]

  E --> F{"Download checksum manifest"}
  F -->|TuxFamily SHA256SUMS.txt curl OK| G["grep EXE_FILE and TEMPLATE_FILE into GODOT_TARGET_SUMS.txt, set USE_SHA512=false"]
  F -->|TuxFamily SHA512-SUMS.txt curl OK| H["grep EXE_FILE and TEMPLATE_FILE into GODOT_TARGET_SUMS.txt, set USE_SHA512=true"]
  F -->|SourceForge SHA512-SUMS.txt curl OK| I["grep EXE_FILE and TEMPLATE_FILE into GODOT_TARGET_SUMS.txt, set USE_SHA512=true"]
  F -->|all curl failed| Z2["Exit FATAL, no checksum manifest"]

  G --> J["Validate manifest has 2 lines"]
  H --> J
  I --> J
  J -->|lines != 2| Z3["Exit FATAL, missing signatures"]
  J -->|lines == 2| K{"USE_SHA512?"}

  K -->|true| L["sha512sum --check GODOT_TARGET_SUMS.txt"]
  K -->|false| M["sha256sum --check GODOT_TARGET_SUMS.txt"]

  L --> N["Print SUCCESS, assets authentic"]
  M --> N
  N --> O["End"]
```

File-Level Changes

Change Details Files
Introduce reusable Godot binary verification script with robust checksum manifest lookup and integrity checks.
  • Create verify_godot.sh to download Godot executable and export templates for a given version into a fresh staging directory.
  • Validate target asset URLs upfront with HEAD requests to fail fast on 404 or invalid URLs.
  • Download binaries from GitHub and locate official checksum manifests from TuxFamily or SourceForge mirrors, preferring SHA-256 but falling back to SHA-512 as needed.
  • Extract only the checksums for the targeted assets into a local manifest, assert both entries are present, and verify with sha256sum or sha512sum accordingly.
.github/scripts/verify_godot.sh
Refactor deploy_to_itch workflow to delegate Godot asset handling to the shared verification script and parameterize Godot version.
  • Add a godot_version input with a default value to the deploy_to_itch workflow.
  • Replace inline Godot binary download and SHA256 verification logic with a call to verify_godot.sh passing the configured Godot version.
  • Assume the script creates a godot_binaries directory, cd into it, and serve assets via a local HTTP server for the export step.
  • Switch export action URLs to reference the versioned filenames served from the local HTTP server using the workflow input godot_version.
.github/workflows/deploy_to_itch.yml
Extend CI infrastructure tests to cover Godot asset verification and propagate version input from calling workflows.
  • Add a required godot_version input to the test_ci_scripts reusable workflow.
  • Append a job step that chmods and executes verify_godot.sh with the provided godot_version to validate asset retrieval and verification as part of CI tests.
  • Update lint_test_deploy and lint_test_on_pull workflows to pass a concrete Godot version into the CI scripts workflow for consistent behavior.
.github/workflows/test_ci_scripts.yml
.github/workflows/lint_test_deploy.yml
.github/workflows/lint_test_on_pull.yml

Assessment against linked issues

Issue Objective Addressed Explanation
#755 Fix the CI/CD Deploy to itch.io workflow so that the Godot checksum manifest is fetched from a valid URL (no 404) and the downloaded binaries are cryptographically verified before export.
#755 Make the Godot version used in CI/CD workflows configurable while ensuring the deploy workflow and related CI tests correctly pass and use this version for downloading and verifying Godot assets.

Possibly linked issues

  • #[BUG] CI/CD deployment workflow fails with 404 on Godot checksum download: PR replaces the broken checksum URL with a robust verification script, fixing the 404 failure in deploy workflow.
  • #: They both update deploy_to_itch.yml to use Godot 4.6.3-stable binaries/templates; PR also adds verification and CI tests.


coderabbitai Bot commented Jun 18, 2026

Contributor


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9360b946-a8c3-4fa2-a788-7e4fb60939e5

📥 Commits

Reviewing files that changed from the base of the PR and between f0c4547 and f91bf6c.

📒 Files selected for processing (4)
  • .github/scripts/verify_godot.sh
  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/test_ci_scripts.yml
  • files/docs/milestones/20/Part_2_Upgrade_project_environment_to_Godot_4_6_3.md
📝 Walkthrough

Walkthrough

A new verify_godot.sh script centralizes Godot binary download and SHA checksum verification, replacing inline curl logic in deploy_to_itch.yml. A godot_version input is added to test_ci_scripts.yml and deploy_to_itch.yml, and both lint_test_deploy.yml and lint_test_on_pull.yml pass 4.6.3-stable as that input.

Changes

Godot Verification Refactor

verify_godot.sh: download and checksum validation
  Files: .github/scripts/verify_godot.sh
  New script that takes a Godot version argument, validates GitHub Release URLs via HEAD requests, downloads the Linux executable zip and export templates into godot_binaries/, fetches SHA256SUMS.txt (falling back to SHA512-SUMS.txt), and verifies both artifacts with the matching sha*sum --check command with fail-fast error handling.
Workflow inputs and script invocation wiring
  Files: .github/workflows/test_ci_scripts.yml, .github/workflows/deploy_to_itch.yml, .github/workflows/lint_test_deploy.yml, .github/workflows/lint_test_on_pull.yml
  Adds godot_version workflow_call input to test_ci_scripts.yml and deploy_to_itch.yml; replaces the inline curl/checksum block in deploy_to_itch.yml with a call to verify_godot.sh; updates the Export step to use inputs.godot_version; adds a chmod+x + invocation step in test_ci_scripts.yml; and threads godot_version: 4.6.3-stable from both caller workflows.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

Possibly related PRs

  • ikostan/SkyLockAssault#754: Pins the same Godot 4.6.3-stable artifact URLs that this PR centralizes into verify_godot.sh and exposes via godot_version inputs.
  • ikostan/SkyLockAssault#756: Switches deploy_to_itch.yml to SHA256SUMS.txt for checksum verification, which is the same file this PR's verify_godot.sh fetches (with a SHA512-SUMS.txt fallback).

Suggested labels

deployment, itch.io

🐇 A bunny hops through workflows with glee,
Scripts now verify what the engine should be!
SHA-256 checks, or 512 as backup spare,
godot_version passed with elegant flair.
No more inline curl — the script takes the wheel,
✅ Artifacts confirmed, it's a very clean deal!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning PR description is mostly empty except for template structure; the Sourcery summary provides useful context about changes, but the author left all content sections blank. Fill in the Description section with what the PR does, explain the Related Issue if applicable, and provide meaningful entries under Changes and Testing sections rather than just checking boxes.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main bug being fixed: CI/CD deployment failures due to 404 errors when downloading Godot checksums.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@sourcery-ai sourcery-ai Bot left a comment

Contributor


Hey - I've found 1 issue, and left some high level feedback:

  • The godot_executable_download_url and godot_export_templates_download_url strings in deploy_to_itch.yml are malformed (mixing quoted segments and expressions), and should be rewritten as single quoted strings using ${{ inputs.godot_version }} interpolation, e.g. "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip".
  • In test_ci_scripts.yml and other workflows, workflow_call inputs specify both a default and required: true for godot_version; consider dropping required: true if a default is provided to avoid confusion about whether callers must override it.
  • The verify_godot.sh script always reuses the godot_binaries directory without cleanup; consider removing or cleaning this directory at the start of the script to avoid stale artifacts affecting subsequent runs.
## Individual Comments

### Comment 1
<location path=".github/workflows/deploy_to_itch.yml" line_range="98-99" />
<code_context>
         with:
-          godot_executable_download_url: "http://localhost:8000/Godot_v${{ env.GODOT_VERSION }}_linux.x86_64.zip"
-          godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ env.GODOT_VERSION }}_export_templates.tpz"
+          godot_executable_download_url: "http://localhost:8000/Godot_v"${{ inputs.godot_version }}"_linux.x86_64.zip"
+          godot_export_templates_download_url: "http://localhost:8000/Godot_v"${{ inputs.godot_version }}"_export_templates.tpz"
           relative_project_path: "./"
           relative_export_path: "./export/web"
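Review bot: the two `+` lines split each URL across quoted segments, so the YAML scalar ends at `Godot_v"` and the remainder `${{ inputs.godot_version }}"_linux.x86_64.zip"` is left dangling; this is the `syntax error` that yamllint reports at line 98 of this file elsewhere in the thread. Keep each URL as a single double-quoted scalar with the expression embedded, e.g. `godot_executable_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"` and `godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_export_templates.tpz"`. Since the `-` lines drop `env.GODOT_VERSION` in favour of `inputs.godot_version`, also confirm that no other step in this workflow still reads `env.GODOT_VERSION`.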
</code_context>
<issue_to_address>
**issue (bug_risk):** The string interpolation for the Godot URLs is malformed and will likely break YAML parsing or expression evaluation.

Because the quotes are split around `${{ inputs.godot_version }}`, YAML will treat this as multiple tokens and the URL won’t be formed correctly. Keep the whole URL in a single quoted string with the expression embedded, for example:

```yaml
godot_executable_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"
godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_export_templates.tpz"
```
</issue_to_address>

@ikostan ikostan moved this to In Progress in Sky Lock Assault Project Jun 18, 2026

deepsource-io Bot commented Jun 18, 2026


DeepSource Code Review

We reviewed changes in de9ca33...f91bf6c on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

Code Review Summary

Analyzer Status Updated (UTC) Details
Python Jun 18, 2026 4:28a.m. Review ↗
JavaScript Jun 18, 2026 4:28a.m. Review ↗


ikostan commented Jun 18, 2026

Owner Author
  • The godot_executable_download_url and godot_export_templates_download_url strings in deploy_to_itch.yml are malformed (mixing quoted segments and expressions), and should be rewritten as single quoted strings using ${{ inputs.godot_version }} interpolation, e.g. "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip".

Addressed.

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

Inline comments:
In @.github/scripts/verify_godot.sh:
- Around line 50-57: The `--ignore-missing` flag in both the sha512sum and
sha256sum checksum verification commands allows verification to succeed even if
the target executable or export templates are not listed in the downloaded
manifest, compromising integrity validation. Remove the `--ignore-missing` flag
from both checksum commands. Before performing the verification, filter each
manifest file (SHA512-SUMS.txt or SHA256SUMS.txt depending on the USE_SHA512
condition) to extract only the entries for the target filenames and verify that
both expected artifact entries exist in the manifest, exiting with an error if
either entry is missing.

In @.github/workflows/test_ci_scripts.yml:
- Around line 7-11: The godot_version input in the workflow_call inputs has
conflicting configuration: it has both a default value set to "4.6.3-stable" and
required set to true. When required is true, callers must always provide a
value, making the default unreachable. Change the required property from true to
false for the godot_version input to allow callers to optionally use the default
value.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: fca8eb13-bca5-4ee6-aa69-1aac4dbe5d43

📥 Commits

Reviewing files that changed from the base of the PR and between de9ca33 and f0c4547.

📒 Files selected for processing (5)
  • .github/scripts/verify_godot.sh
  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/lint_test_deploy.yml
  • .github/workflows/lint_test_on_pull.yml
  • .github/workflows/test_ci_scripts.yml
📜 Review details
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-04-28T02:11:45.806Z
Learnt from: ikostan
Repo: ikostan/SkyLockAssault PR: 588
File: .github/workflows/deploy_to_itch.yml:44-56
Timestamp: 2026-04-28T02:11:45.806Z
Learning: When a CI workflow edits Godot's `project.godot` (INI) to inject custom ProjectSettings values, insert the setting key under the correct section header that matches the `game/` (or other) root in the ProjectSettings path. For example, `ProjectSettings.get_setting("game/security/save_salt", ...)` expects the INI entry under `[game]` with key `security/save_salt` (i.e., `[game]` then `security/save_salt=...`), not under `[application]`. Otherwise the lookup will fall back to the default value at runtime.

Applied to files:

  • .github/workflows/lint_test_on_pull.yml
  • .github/workflows/test_ci_scripts.yml
  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/lint_test_deploy.yml
📚 Learning: 2026-05-20T00:01:27.632Z
Learnt from: ikostan
Repo: ikostan/SkyLockAssault PR: 654
File: .github/workflows/browser_test.yml:99-101
Timestamp: 2026-05-20T00:01:27.632Z
Learning: In this repository’s GitHub Actions workflows, treat supply-chain pinning as follows: 
- **Do not flag** steps that use **first-party** GitHub-owned actions under `actions/*` (e.g., `actions/checkout`, `actions/cache`) when they use a **major version tag** like `v6` / `v5`.
- **Do flag** **third-party** actions (anything not under `actions/*`, e.g., `firebelley/godot-export`, `codecov/codecov-action`) when they use an unpinned ref such as `vX` or `main` instead of being pinned to a **commit SHA** (i.e., `@<commit-sha>`).

Applied to files:

  • .github/workflows/lint_test_on_pull.yml
  • .github/workflows/test_ci_scripts.yml
  • .github/workflows/deploy_to_itch.yml
  • .github/workflows/lint_test_deploy.yml
🪛 actionlint (1.7.12)
.github/workflows/test_ci_scripts.yml

[error] 10-10: input "godot_version" of workflow_call event has the default value "4.6.3-stable", but it is also required. if an input is marked as required, its default value will never be used

(events)

🪛 GitHub Check: YAML Lint / build (3.x)
.github/workflows/deploy_to_itch.yml

[failure] 71-71:
71:1 [trailing-spaces] trailing spaces


[failure] 98-98:
98:73 syntax error: expected , but found '' (syntax)

🪛 Shellcheck (0.11.0)
.github/scripts/verify_godot.sh

[style] 18-18: See if you can use ${variable//search/replace} instead.

(SC2001)

🪛 zizmor (1.25.2)
.github/workflows/test_ci_scripts.yml

[error] 39-39: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🔇 Additional comments (4)
.github/workflows/test_ci_scripts.yml (1)

36-39: LGTM!

.github/workflows/lint_test_deploy.yml (1)

55-56: LGTM!

.github/workflows/lint_test_on_pull.yml (1)

54-55: LGTM!

.github/workflows/deploy_to_itch.yml (1)

98-99: Code is already correctly formatted—no fix needed.

The actual lines 99-100 in .github/workflows/deploy_to_itch.yml already contain properly formatted YAML with the interpolation inside a single quoted string:

```yaml
godot_executable_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"
godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_export_templates.tpz"
```

The malformed syntax shown in this review does not exist in the repository.

> Likely an incorrect or invalid review comment.


ikostan commented Jun 18, 2026

Owner Author
  • The verify_godot.sh script always reuses the godot_binaries directory without cleanup; consider removing or cleaning this directory at the start of the script to avoid stale artifacts affecting subsequent runs.

Here is exactly why that feedback is accurate and why you should implement it:

1. The Script Comment Lies to Itself

In the script, the comment explicitly states: # Setup a clean, local workspace folder for binaries. However, the command used right below it is mkdir -p "$STAGING_DIR".

  • mkdir -p only ensures that the directory exists; it does not empty or clear out any files that were already inside it from a previous run.

2. Huge Local Storage Footprint

Because you are running this script locally to test paths before pushing changes, switching the GODOT_VERSION argument (e.g., testing 4.6.3-stable then testing 4.5-stable) will leave the massive 1.2 GB export templates zip file from the previous version completely untouched inside that folder. Over time, this will quietly eat up gigabytes of your local disk space.

3. Preventing Local HTTP Server Contamination

In your workflow, a background Python HTTP server is launched directly inside the godot_binaries directory. If old binaries are never deleted, the local server will serve both the stale files and the new files side-by-side. If a downstream configuration error or typo happens, the pipeline might accidentally fetch a cached, mismatched version instead of failing explicitly.


The Fix

To make the script true to its word and safe for endless local runs, update the directory initialization block inside verify_godot.sh to explicitly wipe the folder before recreating it:

```bash
# Setup a clean, local workspace folder for binaries
STAGING_DIR="godot_binaries"
rm -rf "$STAGING_DIR"
mkdir -p "$STAGING_DIR"
cd "$STAGING_DIR"
```

Adding rm -rf "$STAGING_DIR" guarantees that every single execution starts with a completely blank slate, ensuring no leftover artifacts can ever pollute your environment or mask a download failure.


ikostan commented Jun 18, 2026

Owner Author
  • In test_ci_scripts.yml and other workflows, workflow_call inputs specify both a default and required: true for godot_version; consider dropping required: true if a default is provided to avoid confusion about whether callers must override it.

Addressed.

ikostan added 2 commits June 17, 2026 20:52
Using the --ignore-missing flag creates a dangerous false-positive vulnerability.

Here is why:

sha256sum --check --ignore-missing tells the OS: "Only verify files that you can actually find listed inside this manifest file; if a file isn't listed, just skip it without failing."

If the mirror infrastructure ever serves an empty, corrupted, or truncated SHA256SUMS.txt file that completely lacks entries for your specific version, the check will find zero matches, report zero failures, and pass with a successful exit code 0. Your workflow would then blindly run unverified binaries.

The Fix: CodeRabbit's strategy is excellent. We should explicitly extract only our target filenames from the official manifest using grep, count the extracted entries to ensure both binaries are strictly present, and then run a standard, strict sha256sum --check with no bypass flags allowed.
Refactor verify_godot.sh to make manifest retrieval and checksum validation more robust. Binaries are fetched from GitHub and the script now attempts to download SHA256SUMS first, falling back to SHA512 and a SourceForge mirror if needed; it isolates only the target entries into a local manifest and enforces that both assets are present. Added clearer status messages, manifest/download flags, and stricter fatal errors when manifests or signatures are missing.
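The failure mode discussed in the commit above, and the filter/count/check routine the refactored script adopts, as an added example (not code from the repository or from verify_godot.sh itself). A mirror-wide SHA*SUMS file lists assets for every platform, so a plain `--check` fails on the entries that were never downloaded, which is what makes `--ignore-missing` tempting; with that flag, a manifest that lists only one of the two target assets still passes because the other is never examined. Files, manifests and the `Godot_v4.6.3-stable_win64.exe.zip` entry are constructed here; GNU coreutils `sha256sum`/`sha512sum` and `awk` are assumed.

```bash
#!/usr/bin/env bash
# Added example for this thread, not code from the SkyLockAssault repository.
# Contrasts `sha256sum --check --ignore-missing` with a filter -> count -> check
# routine that fails closed when the manifest lacks an entry for a target asset.

EXE="Godot_v4.6.3-stable_linux.x86_64.zip"
TPL="Godot_v4.6.3-stable_export_templates.tpz"

# Build a throwaway staging dir with two fake assets and three manifests that
# mimic a mirror-wide SHA*SUMS file (an entry for another platform included):
#   SHA256SUMS.txt   both assets listed          (healthy manifest)
#   PARTIAL.txt      only the executable listed  (templates never checked)
#   SHA512-SUMS.txt  both assets, SHA-512        (the fallback manifest)
# Prints the directory path.
make_fixture() {
  local dir other256 other512
  dir="$(mktemp -d)" || return 1
  printf 'constructed executable bytes\n' > "$dir/$EXE"
  printf 'constructed export templates\n' > "$dir/$TPL"
  # constructed digests for a file that exists on the mirror but not locally
  other256="$(printf 'win64' | sha256sum | cut -d' ' -f1)"
  other512="$(printf 'win64' | sha512sum | cut -d' ' -f1)"
  (
    cd "$dir" || exit 1
    { sha256sum "$EXE" "$TPL"; echo "$other256  Godot_v4.6.3-stable_win64.exe.zip"; } > SHA256SUMS.txt
    { sha256sum "$EXE";        echo "$other256  Godot_v4.6.3-stable_win64.exe.zip"; } > PARTIAL.txt
    { sha512sum "$EXE" "$TPL"; echo "$other512  Godot_v4.6.3-stable_win64.exe.zip"; } > SHA512-SUMS.txt
  ) || return 1
  printf '%s\n' "$dir"
}

# Run sha256sum --check over a whole manifest with any extra flags given.
# Usage: run_check DIR MANIFEST [FLAG...]
run_check() {
  local dir="$1" manifest="$2"
  shift 2
  (cd "$dir" && sha256sum --check --quiet "$@" "$manifest")
}

# Strict form. Usage: strict_verify DIR MANIFEST TOOL FILE...
#   TOOL is sha256sum or sha512sum, matching the manifest that was fetched.
#   1. keep only manifest lines whose filename field is exactly one of FILE...
#   2. require exactly one entry per expected file, otherwise fail
#   3. run TOOL --check with no bypass flags, so a missing or altered file fails
strict_verify() {
  local dir="$1" manifest="$2" tool="$3" target f n
  shift 3
  target="$dir/GODOT_TARGET_SUMS.txt"
  : > "$target"
  for f in "$@"; do
    # field 2 is the filename; a leading '*' marks binary mode and is dropped
    awk -v want="$f" '{ name = $2; sub(/^\*/, "", name) } name == want' \
      "$dir/$manifest" >> "$target"
  done
  n="$(awk 'END { print NR }' "$target")"
  if [ "$n" -ne "$#" ]; then
    echo "FATAL: expected $# manifest entries for the target assets, found $n in $manifest" >&2
    return 2
  fi
  (cd "$dir" && "$tool" --check --strict --quiet GODOT_TARGET_SUMS.txt)
}

# Print a label and a command's exit status without aborting the script.
report() {
  local label="$1" rc=0
  shift
  "$@" || rc=$?
  printf '%-40s exit %d\n' "$label" "$rc"
}

main() {
  local dir
  dir="$(make_fixture)" || exit 1
  report "plain --check, mirror-wide manifest" run_check "$dir" SHA256SUMS.txt
  report "--ignore-missing, full manifest"     run_check "$dir" SHA256SUMS.txt --ignore-missing
  report "strict, full manifest"               strict_verify "$dir" SHA256SUMS.txt sha256sum "$EXE" "$TPL"
  report "--ignore-missing, partial manifest"  run_check "$dir" PARTIAL.txt --ignore-missing
  report "strict, partial manifest"            strict_verify "$dir" PARTIAL.txt sha256sum "$EXE" "$TPL"
  report "strict, SHA-512 fallback manifest"   strict_verify "$dir" SHA512-SUMS.txt sha512sum "$EXE" "$TPL"
  printf 'tampered\n' >> "$dir/$TPL"
  report "strict, templates tampered"          strict_verify "$dir" SHA256SUMS.txt sha256sum "$EXE" "$TPL"
  rm -rf "$dir"
}

main
```

The partial-manifest pair is the one to watch: `--ignore-missing` exits 0 while `strict_verify` exits 2 with a count mismatch, and the tampered case shows the strict path still catches a digest mismatch with no flags at all.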

ikostan commented Jun 18, 2026

Owner Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Contributor


Hey - I've found 1 issue, and left some high level feedback:

  • In deploy_to_itch.yml, the Download and Verify Godot Binaries step calls verify_godot.sh (which already cds into godot_binaries), and then the workflow does cd godot_binaries again, which will fail because you are already inside that directory—either remove the extra cd in the workflow or drop the cd from the script to keep the working directory behavior consistent.
  • The Godot version default (4.6.3-stable) is now hard-coded in multiple places (workflow input defaults and inside verify_godot.sh), which makes future upgrades error-prone; consider centralizing this into a single workflow input/env variable and passing it through to the script instead of duplicating the default.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `deploy_to_itch.yml`, the `Download and Verify Godot Binaries` step calls `verify_godot.sh` (which already `cd`s into `godot_binaries`), and then the workflow does `cd godot_binaries` again, which will fail because you are already inside that directory—either remove the extra `cd` in the workflow or drop the `cd` from the script to keep the working directory behavior consistent.
- The Godot version default (`4.6.3-stable`) is now hard-coded in multiple places (workflow input defaults and inside `verify_godot.sh`), which makes future upgrades error-prone; consider centralizing this into a single workflow input/env variable and passing it through to the script instead of duplicating the default.

## Individual Comments

### Comment 1
<location path=".github/workflows/deploy_to_itch.yml" line_range="11-10" />
<code_context>
         description: "The version to inject (e.g., v0.6.1)"
         type: string
         required: true
+      godot_version:
+        description: "The Godot version string passed from the calling pipeline"
+        type: string
+        default: "4.6.3-stable"
+        required: true
     secrets:
       ITCHIO_API_KEY:
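Review bot: `required: true` together with `default: "4.6.3-stable"` on the new `godot_version` input pulls in two directions: a required input should not need a default, and once a default exists a caller that omits the input silently gets whichever version the workflow file happens to pin, while `verify_godot.sh` carries its own copy of the same string. Drop the `default: "4.6.3-stable"` line and keep `required: true`, so every caller passes the version explicitly and the script receives that one value instead of falling back to its internal default.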
</code_context>
<issue_to_address>
**suggestion:** Avoid redundant godot_version defaults and potential version source-of-truth drift

`godot_version` is both `required: true` and has a `default`, which is redundant in GitHub Actions and may confuse callers. In addition, `verify_godot.sh` defines its own default (`4.6.3-stable`). To avoid version drift, either remove the workflow `default` and require an explicit input, or remove the script’s internal default and always pass the version from the workflow, so there’s a single source of truth.

Suggested implementation:

```
      godot_version:
        description: "The Godot version string passed from the calling pipeline"
        type: string
        required: true

```

To fully implement the “single source of truth” for the version, you should also:
1. Update `verify_godot.sh` to remove its internal default of `4.6.3-stable` and instead require a version argument (e.g., fail with a clear error if none is provided).
2. Ensure this workflow passes the `godot_version` input into `verify_godot.sh` (for example, `./verify_godot.sh "${{ inputs.godot_version }}"` or via an env var) wherever that call is defined in the workflow.
3. If this workflow is called as a reusable workflow, update the calling workflows to always provide `godot_version` explicitly.
</issue_to_address>

@ikostan

ikostan commented Jun 18, 2026

Owner Author
  • The Godot version default (4.6.3-stable) is now hard-coded in multiple places (workflow input defaults and inside verify_godot.sh), which makes future upgrades error-prone; consider centralizing this into a single workflow input/env variable and passing it through to the script instead of duplicating the default.

Addressed

@ikostan

ikostan commented Jun 18, 2026

Owner Author
  • In deploy_to_itch.yml, the Download and Verify Godot Binaries step calls verify_godot.sh (which already cds into godot_binaries), and then the workflow does cd godot_binaries again, which will fail because you are already inside that directory—either remove the extra cd in the workflow or drop the cd from the script to keep the working directory behavior consistent.

This is actually a common misconception with shell scripts, but the statement is incorrect due to process isolation.

When verify_godot.sh runs, it executes inside a subshell process. Any directory changes (cd) made within that script only affect the script's own environment and do not bubble up to the parent shell. When the script exits, the GitHub Actions runner step shell is still resting at the root repository workspace.

Therefore, the explicit `cd godot_binaries` inside the workflow file is completely mandatory so that the background Python HTTP server launches in the correct folder context to serve the freshly verified assets.

@ikostan ikostan merged commit 29a6c9d into main Jun 18, 2026
13 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Sky Lock Assault Project Jun 18, 2026
@ikostan ikostan deleted the bug-cicd-deployment-workflow-fails-with-404-on-godot-checksum-download branch June 18, 2026 04:46
@ikostan ikostan linked an issue Jun 18, 2026 that may be closed by this pull request
@coderabbitai coderabbitai Bot mentioned this pull request Jun 18, 2026
8 tasks

Labels

bug Something isn't working CI/CD github actions Pull requests that update GitHub Actions code github_actions Pull requests that update GitHub Actions code testing

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

[BUG] CI/CD deployment workflow fails with 404 on Godot checksum download [SUBTASK] Update deploy_to_itch.yml for Godot 4.6.3

1 participant