Skip to content

Harden zsign CI verification by asserting help output instead of exit code#5

Merged
aoyn1xw merged 3 commits intomainfrom
copilot/validate-zsign-help-output
Apr 16, 2026
Merged

Harden zsign CI verification by asserting help output instead of exit code#5
aoyn1xw merged 3 commits intomainfrom
copilot/validate-zsign-help-output

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 16, 2026
edited
Loading

The workflow fails at Verify zsign help because zsign -h prints valid help text but exits with code 255, which GitHub Actions treats as failure. This change makes verification output-based so CI validates functionality without depending on zsign’s non-standard help exit status.

  • Workflow change: zsign verification

    • Updated .github/workflows/build-and-push.yml to check zsign -h output for known help markers (Usage: zsign or codesign alternative) rather than requiring a zero exit code from zsign itself.
    • Keeps failure behavior strict: the step still fails if expected help output is missing.

  • Behavioral impact

    • Prevents false-negative CI failures on the zsign check.
    • Preserves the intent of the step: confirm zsign is present and responding correctly.
- name: Verify zsign help
  run: docker run --rm swift-devcontainer:test-${{ github.sha }} bash -c "zsign -h 2>&1 | grep -Eq 'Usage: zsign|codesign alternative'"
Original prompt

The CI/CD pipeline fails at the "Verify zsign help" step because zsign -h exits with code 255, even though it successfully displays the help menu.

Currently, the verification step only runs:

- name: Verify zsign help
  run: docker run --rm swift-devcontainer:test-${{ github.sha }} zsign -h

Since the exit code is non-zero, GitHub Actions treats this as a failure and the workflow times out or fails.

Solution: Instead of just running zsign -h and relying on exit codes, validate that zsign is working by checking for expected output in the help menu. This confirms the tool is installed and functional.

The help output contains distinctive text like "Usage: zsign" or "codesign alternative" that we can grep for to validate the tool is working correctly.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Okay so my ci/di fails becaus after it calls zsign ti checks if it installs it dose not know what to do afterwards and timeouts can try to plan it out

Run docker run --rm swift-devcontainer:test-e382eb342051d3f0f01067b427f62ed5b09c9836 zsign -h
zsign (v1.0.4) is a codesign alternative for iOS12+ on macOS, Linux and Windows.
Visit https://github.com/zhlynn/zsign for more information.

Usage: zsign [-options] [-k privkey.pem] [-m dev.prov] [-o output.ipa] file|folder
options:
-k, --pkey Path to private key or p12 file. (PEM or DER format)
-m, --prov Path to mobile provisioning profile.
-c, --cert Path to certificate file. (PEM or DER format)
-a, --adhoc Perform ad-hoc signature only.
-d, --debug Generate debug output files. (.zsign_debug folder)
-f, --force Force sign without cache when signing folder.
-o, --output Path to output ipa file.
-p, --password Password for private key or p12 file.
-b, --bundle_id New bundle id to change.
-n, --bundle_name New bundle name to change.
-r, --bundle_version New bundle version to change.
-e, --entitlements New entitlements to change.
-z, --zip_level Compressed level when output the ipa file. (0-9)
-l, --dylib Path to inject dylib file. Use -l multiple time to inject multiple dylib files at once.
-D, --rm_dylib Name of dylib to remove. Use -D multiple times to remove multiple dylibs at once.
-w, --weak Inject dylib as LC_LOAD_WEAK_DYLIB.
-i, --install Install ipa file using ideviceinstaller command for test.
-t, --temp_folder Path to temporary folder for intermediate files.
-2, --sha256_only Serialize a single code directory that uses SHA256.
-C, --check Check certificate validity and OCSP revocation status.
-q, --quiet Quiet operation.
-x, --metadata Extract metadata and icon to the specified directory.
-R, --rm_provision Remove mobileprovision file after signing.
-S, --enable_docs Enable UISupportsDocumentBrowser and UIFileSharingEnabled.
-M, --min_version Set MinimumOSVersion in Info.plist.
-E, --rm_extensions Remove all app extensions (PlugIns/Extensions).
-W, --rm_watch Remove watch app from the bundle.
-U, --rm_uisd Remove UISupportedDevices from Info.plist.
-v, --version Shows version.
-h, --help Shows help (this message).
Error: Process completed with exit code 255.

Assistant: I can see the issue. The zsign command completed successfully (it just printed the help message with exit code 255 because no actual signing parameters were provided), but your CI/CD pipeline doesn't have a follow-up action after verifying the installation. It's checking that zsign is available but then timing out because there's no defined next step.

Let me examine your repository to understand the current CI/CD configuration:

Assistant: Let me check the workflow file to understand the current CI/CD setup:

Assistant: Now I see the issue. Your CI/CD workflow is running verification steps, and line 53 runs zsign -h to verify it's installed. The problem is that zsign -h exits with exit code 255, which causes the step to fail because GitHub Actions treats any non-zero exit code as failure.

The zsign -h command actually works and displays help, but the tool itself returns a non-zero exit code. Here's the plan to fix this:

Solution Options:

Option 1: Allow non-zero exit codes (Simplest)

Modify line 52-53 to ignore the exit code:

- name: Verify zsign help
  run: docker run --rm swift-devcontainer:test-${{ github.sha }} zsign -h || true

The || true makes the step pass regardless of exit code.

Option 2: Check if zsign binary exists (More robust)

Replace the help verification with a simpler existence check:

- name: Verify zsign is installed
  run: docker run --rm swift-devcontainer:test-${{ github.sha }} which zsign

This will pass if zsign is in the PATH and fail cleanly if it's not.

Option 3: Use exit code checking (Most explicit)

- name: Verify zsign help
  run: docker run --rm swift-devcontainer:test-${{ github.sha }} bash -c "zsign -h || true"

My Recommendation:

Use Option 1 (|| true) ...

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Fix CI/CD pipeline failure on zsign help verification Harden zsign CI verification by asserting help output instead of exit code Apr 16, 2026
Copilot AI requested a review from aoyn1xw April 16, 2026 08:43
@aoyn1xw aoyn1xw marked this pull request as ready for review April 16, 2026 08:44
Copilot AI review requested due to automatic review settings April 16, 2026 08:44
@aoyn1xw aoyn1xw merged commit 089d092 into main Apr 16, 2026
5 checks passed
@aoyn1xw aoyn1xw deleted the copilot/validate-zsign-help-output branch April 16, 2026 08:45
Copilot AI reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts CI tool verification to avoid false failures caused by zsign -h returning a non-zero exit code despite printing valid help output.

Changes:

  • Updates the “Verify zsign help” workflow step to assert expected help text via grep, rather than depending on zsign’s exit status.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@aoyn1xw aoyn1xw Awaiting requested review from aoyn1xw

Assignees

Copilot code review Copilot

@aoyn1xw aoyn1xw

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aoyn1xw