Bug: CI/CD deployment workflow fails with 404 on Godot checksum download #757
Update the 'Download and Verify Godot Binaries' step to derive a TUX_VERSION and download checksum manifests from the TuxFamily mirror instead of GitHub. If SHA256SUMS.txt is missing, fall back to SHA512-SUMS.txt and verify using sha512sum; otherwise verify with sha256sum. Keep downloading Godot executable and export templates from GitHub and preserve the local HTTP server start/wait logic with improved logging and error handling.
Introduce .github/scripts/verify_godot.sh to download Godot release assets, validate URLs, fetch checksum manifests (SHA-256 with SHA-512 fallback) from the TuxFamily mirror, and verify artifact integrity. Update deploy_to_itch.yml to accept a godot_version input, call the new verification script, start a local HTTP server, and pass the input-based asset URLs to the export action (replacing duplicated download/verify logic). Set a default godot_version for browser test workflow calls in lint_test_deploy.yml and lint_test_on_pull.yml. Add a godot_version input and a test step that runs the verifier in test_ci_scripts.yml. These changes centralize verification, remove duplicated logic, and make the pipelines configurable and more maintainable.
Reviewer's Guide

Centralizes Godot binary download and checksum verification into a reusable script, wires it into deploy and CI workflows, and propagates a configurable Godot version parameter across pipelines to prevent 404s and ensure cryptographic verification of engine assets.

Flow diagram for verify_godot.sh Godot asset verification and checksum fallback

```mermaid
flowchart TD
A[Start verify_godot.sh
input: GODOT_VERSION] --> B[Set STAGING_DIR godot_binaries
create and cd]
B --> C[Build EXE_URL and TEMPLATE_URL
on GitHub Releases]
C --> D{curl -sI EXE_URL
and TEMPLATE_URL}
D -- 404 or failure --> Z1[Exit FATAL
invalid Godot URLs]
D -- OK --> E[Download EXE_FILE and TEMPLATE_FILE
via curl]
E --> F{Download checksum manifest}
F -->|TuxFamily SHA256SUMS.txt
curl OK| G[grep EXE_FILE and TEMPLATE_FILE
into GODOT_TARGET_SUMS.txt
set USE_SHA512=false]
F -->|TuxFamily SHA512-SUMS.txt
curl OK| H[grep EXE_FILE and TEMPLATE_FILE
into GODOT_TARGET_SUMS.txt
set USE_SHA512=true]
F -->|SourceForge SHA512-SUMS.txt
curl OK| I[grep EXE_FILE and TEMPLATE_FILE
into GODOT_TARGET_SUMS.txt
set USE_SHA512=true]
F -->|all curl failed| Z2[Exit FATAL
no checksum manifest]
G --> J[Validate manifest has 2 lines]
H --> J
I --> J
J -->|lines != 2| Z3[Exit FATAL
missing signatures]
J -->|lines == 2| K{USE_SHA512?}
K -->|true| L[sha512sum --check
GODOT_TARGET_SUMS.txt]
K -->|false| M[sha256sum --check
GODOT_TARGET_SUMS.txt]
L --> N[Print SUCCESS
assets authentic]
M --> N
N --> O[End]
```
Hey - I've found 1 issue, and left some high level feedback:

- The `godot_executable_download_url` and `godot_export_templates_download_url` strings in `deploy_to_itch.yml` are malformed (mixing quoted segments and expressions), and should be rewritten as single quoted strings using `${{ inputs.godot_version }}` interpolation, e.g. `"http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"`.
- In `test_ci_scripts.yml` and other workflows, `workflow_call` inputs specify both a `default` and `required: true` for `godot_version`; consider dropping `required: true` if a default is provided to avoid confusion about whether callers must override it.
- The `verify_godot.sh` script always reuses the `godot_binaries` directory without cleanup; consider removing or cleaning this directory at the start of the script to avoid stale artifacts affecting subsequent runs.
## Individual Comments
### Comment 1
<location path=".github/workflows/deploy_to_itch.yml" line_range="98-99" />
<code_context>
with:
- godot_executable_download_url: "http://localhost:8000/Godot_v${{ env.GODOT_VERSION }}_linux.x86_64.zip"
- godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ env.GODOT_VERSION }}_export_templates.tpz"
+ godot_executable_download_url: "http://localhost:8000/Godot_v"${{ inputs.godot_version }}"_linux.x86_64.zip"
+ godot_export_templates_download_url: "http://localhost:8000/Godot_v"${{ inputs.godot_version }}"_export_templates.tpz"
relative_project_path: "./"
relative_export_path: "./export/web"
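Review bot: the two `+` lines break each URL into three YAML tokens, `"http://localhost:8000/Godot_v"`, an unquoted `${{ inputs.godot_version }}` and `"_linux.x86_64.zip"` (likewise for the `.tpz` line), which is not one double-quoted scalar and is what the YAML Lint check on this PR rejects at 98:73. Keep the whole value in a single quoted string, `godot_executable_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"` and `godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_export_templates.tpz"`. The removed lines were readers of `env.GODOT_VERSION`; check whether anything still sets or reads that variable after this change, so the workflow does not keep a second, now-unused version source.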
</code_context>
<issue_to_address>
**issue (bug_risk):** The string interpolation for the Godot URLs is malformed and will likely break YAML parsing or expression evaluation.
Because the quotes are split around `${{ inputs.godot_version }}`, YAML will treat this as multiple tokens and the URL won’t be formed correctly. Keep the whole URL in a single quoted string with the expression embedded, for example:
```yaml
godot_executable_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"
godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_export_templates.tpz"
```
</issue_to_address>
Addressed.
Actionable comments posted: 2
Inline comments:
In @.github/scripts/verify_godot.sh:
- Around line 50-57: The `--ignore-missing` flag in both the sha512sum and
sha256sum checksum verification commands allows verification to succeed even if
the target executable or export templates are not listed in the downloaded
manifest, compromising integrity validation. Remove the `--ignore-missing` flag
from both checksum commands. Before performing the verification, filter each
manifest file (SHA512-SUMS.txt or SHA256SUMS.txt depending on the USE_SHA512
condition) to extract only the entries for the target filenames and verify that
both expected artifact entries exist in the manifest, exiting with an error if
either entry is missing.
In @.github/workflows/test_ci_scripts.yml:
- Around line 7-11: The godot_version input in the workflow_call inputs has
conflicting configuration: it has both a default value set to "4.6.3-stable" and
required set to true. When required is true, callers must always provide a
value, making the default unreachable. Change the required property from true to
false for the godot_version input to allow callers to optionally use the default
value.
📒 Files selected for processing (5)
- .github/scripts/verify_godot.sh
- .github/workflows/deploy_to_itch.yml
- .github/workflows/lint_test_deploy.yml
- .github/workflows/lint_test_on_pull.yml
- .github/workflows/test_ci_scripts.yml
🧠 Learnings (2)
📚 Learning: 2026-04-28T02:11:45.806Z
Learnt from: ikostan
Repo: ikostan/SkyLockAssault PR: 588
File: .github/workflows/deploy_to_itch.yml:44-56
Timestamp: 2026-04-28T02:11:45.806Z
Learning: When a CI workflow edits Godot's `project.godot` (INI) to inject custom ProjectSettings values, insert the setting key under the correct section header that matches the `game/` (or other) root in the ProjectSettings path. For example, `ProjectSettings.get_setting("game/security/save_salt", ...)` expects the INI entry under `[game]` with key `security/save_salt` (i.e., `[game]` then `security/save_salt=...`), not under `[application]`. Otherwise the lookup will fall back to the default value at runtime.
Applied to files: .github/workflows/lint_test_on_pull.yml, .github/workflows/test_ci_scripts.yml, .github/workflows/deploy_to_itch.yml, .github/workflows/lint_test_deploy.yml
📚 Learning: 2026-05-20T00:01:27.632Z
Learnt from: ikostan
Repo: ikostan/SkyLockAssault PR: 654
File: .github/workflows/browser_test.yml:99-101
Timestamp: 2026-05-20T00:01:27.632Z
Learning: In this repository’s GitHub Actions workflows, treat supply-chain pinning as follows:
- **Do not flag** steps that use **first-party** GitHub-owned actions under `actions/*` (e.g., `actions/checkout`, `actions/cache`) when they use a **major version tag** like `v6` / `v5`.
- **Do flag** **third-party** actions (anything not under `actions/*`, e.g., `firebelley/godot-export`, `codecov/codecov-action`) when they use an unpinned ref such as `vX` or `main` instead of being pinned to a **commit SHA** (i.e., `@<commit-sha>`).
Applied to files: .github/workflows/lint_test_on_pull.yml, .github/workflows/test_ci_scripts.yml, .github/workflows/deploy_to_itch.yml, .github/workflows/lint_test_deploy.yml
🪛 actionlint (1.7.12)
- .github/workflows/test_ci_scripts.yml, line 10 [error]: input "godot_version" of workflow_call event has the default value "4.6.3-stable", but it is also required. if an input is marked as required, its default value will never be used (events)

🪛 GitHub Check: YAML Lint / build (3.x)
- .github/workflows/deploy_to_itch.yml, 71:1 [failure]: trailing spaces (trailing-spaces)
- .github/workflows/deploy_to_itch.yml, 98:73 [failure]: syntax error: expected , but found '' (syntax)

🪛 Shellcheck (0.11.0)
- .github/scripts/verify_godot.sh, line 18 [style]: See if you can use ${variable//search/replace} instead. (SC2001)

🪛 zizmor (1.25.2)
- .github/workflows/test_ci_scripts.yml, line 39 [error]: code injection via template expansion (template-injection): may expand into attacker-controllable code
🔇 Additional comments (4)

.github/workflows/test_ci_scripts.yml (1)
- 36-39: LGTM!

.github/workflows/lint_test_deploy.yml (1)
- 55-56: LGTM!

.github/workflows/lint_test_on_pull.yml (1)
- 54-55: LGTM!

.github/workflows/deploy_to_itch.yml (1)
- 98-99: Code is already correctly formatted—no fix needed. The actual lines 99-100 in `.github/workflows/deploy_to_itch.yml` already contain properly formatted YAML with the interpolation inside a single quoted string:

  ```yaml
  godot_executable_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_linux.x86_64.zip"
  godot_export_templates_download_url: "http://localhost:8000/Godot_v${{ inputs.godot_version }}_export_templates.tpz"
  ```

  The malformed syntax shown in this review does not exist in the repository.

> Likely an incorrect or invalid review comment.
> The verify_godot.sh script always reuses the godot_binaries directory without cleanup; consider removing or cleaning this directory at the start of the script to avoid stale artifacts affecting subsequent runs.

Here is exactly why that feedback is accurate and why you should implement it:

1. The Script Comment Lies to Itself

In the script, the comment explicitly states:

2. Huge Local Storage Footprint

Because you are running this script locally to test paths before pushing changes, switching the

3. Preventing Local HTTP Server Contamination

In your workflow, a background Python HTTP server is launched directly inside the

The Fix

To make the script true to its word and safe for endless local runs, update the directory initialization block inside

```bash
# Setup a clean, local workspace folder for binaries
STAGING_DIR="godot_binaries"
rm -rf "$STAGING_DIR"
mkdir -p "$STAGING_DIR"
cd "$STAGING_DIR"
```

Adding
Addressed.
Using the `--ignore-missing` flag creates a dangerous false-positive vulnerability. Here is why: `sha256sum --check --ignore-missing` tells the OS: "Only verify files that you can actually find listed inside this manifest file; if a file isn't listed, just skip it without failing." If the mirror infrastructure ever serves an empty, corrupted, or truncated `SHA256SUMS.txt` file that completely lacks entries for your specific version, the check will find zero matches, report zero failures, and pass with a successful exit code 0. Your workflow would then blindly run unverified binaries.

The Fix: CodeRabbit's strategy is excellent. We should explicitly extract only our target filenames from the official manifest using `grep`, count the extracted entries to ensure both binaries are strictly present, and then run a standard, strict `sha256sum --check` with no bypass flags allowed.
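The manifest fallback shown in the reviewer's guide diagram (SHA256SUMS.txt, then SHA512-SUMS.txt) and the filter-count-verify check discussed in this comment, as an added example written for this page; it is not the project's verify_godot.sh. It runs entirely on constructed local files, the version 9.9.9-stable and the file contents are made up, and the SourceForge fallback and the network downloads are left out. It also shows the lenient `--ignore-missing` check passing a manifest that never lists one of the two assets.

```sh
#!/bin/sh
# Added example for this page; it is not the project's verify_godot.sh.
# Reproduces the manifest fallback (SHA256SUMS.txt, then SHA512-SUMS.txt) and a
# strict, filtered checksum verification on constructed local files, and
# contrasts it with the lenient --ignore-missing check. No network access.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed assets: the version and the contents are made up for the example.
EXE_FILE="Godot_v9.9.9-stable_linux.x86_64.zip"
TEMPLATE_FILE="Godot_v9.9.9-stable_export_templates.tpz"
printf 'exe-bytes\n' > "$WORK/$EXE_FILE"
printf 'tpz-bytes\n' > "$WORK/$TEMPLATE_FILE"

# Choose the checksum tool for whichever manifest exists in $1, in the order
# the script tries them. Prints "<tool> <manifest>"; returns 1 if none exists.
pick_manifest() {
  if [ -s "$1/SHA256SUMS.txt" ]; then
    echo "sha256sum SHA256SUMS.txt"
  elif [ -s "$1/SHA512-SUMS.txt" ]; then
    echo "sha512sum SHA512-SUMS.txt"
  else
    echo "FATAL: no checksum manifest in $1" >&2
    return 1
  fi
}

# Strict verification: copy only the entries for the requested files into a
# local manifest, require that every file has one, then run a plain --check.
# $1 = dir, $2 = tool, $3 = manifest, $4.. = required filenames.
strict_verify() {
  dir="$1"; tool="$2"; manifest="$3"; shift 3
  target="$dir/GODOT_TARGET_SUMS.txt"
  : > "$target"
  for f in "$@"; do
    # Manifest lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    entry="$(awk -v name="$f" '{ n = $2; sub(/^\*/, "", n) } n == name' "$dir/$manifest")"
    if [ -z "$entry" ]; then
      echo "FATAL: $f is not listed in $manifest" >&2
      return 1
    fi
    printf '%s\n' "$entry" >> "$target"
  done
  # Exactly one line per requested file; duplicates or gaps are fatal.
  [ "$(($(wc -l < "$target")))" -eq "$#" ] || return 1
  ( cd "$dir" && "$tool" --check --strict --quiet GODOT_TARGET_SUMS.txt )
}

# Manifest fallback followed by the strict check. $1 = dir, $2.. = filenames.
verify_dir() {
  dir="$1"; shift
  choice="$(pick_manifest "$dir")" || return 1
  strict_verify "$dir" "${choice%% *}" "${choice#* }" "$@"
}

# The lenient form the review objected to: entries whose file is absent from
# disk are skipped, and files the manifest never mentions are never checked.
lenient_check() {  # $1 = dir, $2 = manifest
  ( cd "$1" && sha256sum --check --ignore-missing --quiet "$2" )
}

# Fixtures: a complete SHA-256 manifest, a SHA-512-only mirror (fallback
# path), and a manifest that omits the export templates.
for d in full sha512only partial; do
  mkdir -p "$WORK/$d"
  cp "$WORK/$EXE_FILE" "$WORK/$TEMPLATE_FILE" "$WORK/$d/"
done
( cd "$WORK/full"       && sha256sum "$EXE_FILE" "$TEMPLATE_FILE" > SHA256SUMS.txt )
( cd "$WORK/sha512only" && sha512sum "$EXE_FILE" "$TEMPLATE_FILE" > SHA512-SUMS.txt )
( cd "$WORK/partial"    && sha256sum "$EXE_FILE" > SHA256SUMS.txt )

verify_dir "$WORK/full" "$EXE_FILE" "$TEMPLATE_FILE" && echo "full: verified with sha256sum"
verify_dir "$WORK/sha512only" "$EXE_FILE" "$TEMPLATE_FILE" && echo "sha512only: verified with sha512sum"
verify_dir "$WORK/partial" "$EXE_FILE" "$TEMPLATE_FILE" 2>/dev/null || echo "partial: rejected, templates not listed"
lenient_check "$WORK/partial" SHA256SUMS.txt && echo "partial: --ignore-missing passed with templates unverified"
```

The example uses a partial manifest rather than an empty one on purpose: current GNU coreutils reports "no file was verified" and exits non-zero when `--ignore-missing` ends up checking nothing at all, so the case that actually slips through is a manifest that lists one of your assets but not the other. The filtered manifest plus the line count closes that gap, and `--strict` makes a malformed line a failure instead of a skip.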
Refactor verify_godot.sh to make manifest retrieval and checksum validation more robust. Binaries are fetched from GitHub and the script now attempts to download SHA256SUMS first, falling back to SHA512 and a SourceForge mirror if needed; it isolates only the target entries into a local manifest and enforces that both assets are present. Added clearer status messages, manifest/download flags, and stricter fatal errors when manifests or signatures are missing.
@sourcery-ai review
Hey - I've found 1 issue, and left some high level feedback:

- In `deploy_to_itch.yml`, the `Download and Verify Godot Binaries` step calls `verify_godot.sh` (which already `cd`s into `godot_binaries`), and then the workflow does `cd godot_binaries` again, which will fail because you are already inside that directory—either remove the extra `cd` in the workflow or drop the `cd` from the script to keep the working directory behavior consistent.
- The Godot version default (`4.6.3-stable`) is now hard-coded in multiple places (workflow input defaults and inside `verify_godot.sh`), which makes future upgrades error-prone; consider centralizing this into a single workflow input/env variable and passing it through to the script instead of duplicating the default.
## Individual Comments
### Comment 1
<location path=".github/workflows/deploy_to_itch.yml" line_range="11-10" />
<code_context>
description: "The version to inject (e.g., v0.6.1)"
type: string
required: true
+ godot_version:
+ description: "The Godot version string passed from the calling pipeline"
+ type: string
+ default: "4.6.3-stable"
+ required: true
secrets:
ITCHIO_API_KEY:
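Review bot: the new `godot_version` input declares both `default: "4.6.3-stable"` and `required: true`; a required `workflow_call` input must be supplied by every caller, so that default can never take effect (actionlint reports the same combination in test_ci_scripts.yml). Either keep `required: true` and remove the `default`, or keep the `default` and set `required: false`; the description, "passed from the calling pipeline", points to the former. Whichever you choose, the separate default inside verify_godot.sh mentioned in this review should go too, so the version has a single source.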
</code_context>
<issue_to_address>
**suggestion:** Avoid redundant godot_version defaults and potential version source-of-truth drift
`godot_version` is both `required: true` and has a `default`, which is redundant in GitHub Actions and may confuse callers. In addition, `verify_godot.sh` defines its own default (`4.6.3-stable`). To avoid version drift, either remove the workflow `default` and require an explicit input, or remove the script’s internal default and always pass the version from the workflow, so there’s a single source of truth.
Suggested implementation:
```
godot_version:
description: "The Godot version string passed from the calling pipeline"
type: string
required: true
```
To fully implement the “single source of truth” for the version, you should also:
1. Update `verify_godot.sh` to remove its internal default of `4.6.3-stable` and instead require a version argument (e.g., fail with a clear error if none is provided).
2. Ensure this workflow passes the `godot_version` input into `verify_godot.sh` (for example, `./verify_godot.sh "${{ inputs.godot_version }}"` or via an env var) wherever that call is defined in the workflow.
3. If this workflow is called as a reusable workflow, update the calling workflows to always provide `godot_version` explicitly.
</issue_to_address>
> suggestion: Avoid redundant godot_version defaults and potential version source-of-truth drift. `godot_version` is both `required: true` and has a `default`, which is redundant in GitHub Actions and may confuse callers. In addition, `verify_godot.sh` defines its own default (`4.6.3-stable`). To avoid version drift, either remove the workflow `default` and require an explicit input, or remove the script's internal default and always pass the version from the workflow, so there's a single source of truth.

Addressed.
This is actually a common misconception with shell scripts, but the statement is incorrect due to process isolation. When `verify_godot.sh` runs, it executes inside a subshell process. Any directory changes (`cd`) made within that script only affect the script's own environment and do not bubble up to the parent shell. When the script exits, the GitHub Actions runner step shell is still resting at the root repository workspace. Therefore, the explicit `cd godot_binaries` inside the workflow file is completely mandatory so that the background Python HTTP server launches in the correct folder context to serve the freshly verified assets.
Summary by Sourcery

Add a reusable script and workflow wiring to validate Godot engine assets and checksums during CI/CD and deployment.