
ci: parallelize ipa and sim-zip builds, trivy before build #33

Merged

gmegidish merged 4 commits into main from ci/verify-gate on Apr 15, 2026

Conversation

@gmegidish (Member)

No description provided.

@coderabbitai bot commented Apr 15, 2026

Warning

Rate limit exceeded

@gmegidish has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 51 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minute and 51 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 26553404-83f5-46bf-ac54-6de14aa73a99

📥 Commits

Reviewing files that changed from the base of the PR and between 4409507 and 8fc01d9.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Walkthrough

The GitHub Actions workflow `.github/workflows/build.yml` was refactored to replace the single build job with separate lint, trivy, build-ipa, and build-sim jobs. trivy now runs `trivy fs --severity HIGH,CRITICAL .`. build-ipa and build-sim were made dependent on both lint and trivy. Git submodule checkout was removed from lint and added back to build-ipa and build-sim. Simulator zip creation and upload moved to build-sim; device IPA creation moved to build-ipa. The release job now depends on build-ipa and build-sim.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | No description was provided by the author, making it impossible to evaluate whether it relates to the changeset. | Add a description explaining the purpose and rationale for parallelizing the build jobs and separating Trivy scanning. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main changes: parallelizing IPA and sim-zip builds, and running Trivy security scanning before the build jobs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/verify-gate

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

35-39: Consider using the official Trivy action for better maintainability.

Manual binary download lacks checksum verification (supply chain risk) and requires manual version updates. The official aquasecurity/trivy-action handles this automatically.

♻️ Proposed refactor using official action
-    - name: Install trivy
-      env:
-        TRIVY_VERSION: 0.69.3
-      run: |
-        curl -sfL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_macOS-ARM64.tar.gz | tar xz -C /usr/local/bin trivy
-
-    - name: Run trivy
-      run: trivy fs --severity HIGH,CRITICAL .
+    - name: Run trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        severity: 'HIGH,CRITICAL'
+        exit-code: '1'
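Review bot: the replacement pins the action to `uses: aquasecurity/trivy-action@master`, a mutable branch, which reintroduces the supply-chain exposure the refactor is meant to remove; pin to a release tag or, better, a full commit SHA of the action. The hunk also drops the explicit `TRIVY_VERSION: 0.69.3` pin without carrying the version over to the action's inputs, so the scanner version would now float with whatever the action resolves; keep an explicit version input alongside the SHA-pinned action. The `exit-code: '1'` input is the right call, since the removed `trivy fs --severity HIGH,CRITICAL .` step could not fail the job on findings.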
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 35 - 39, The workflow currently
downloads Trivy manually in the "Install trivy" step using env TRIVY_VERSION and
curl, which lacks checksum verification; replace that step with the official
GitHub Action (aquasecurity/trivy-action) so versioning and integrity are
handled automatically: remove the curl/tar commands in the "Install trivy" step
and swap them for the action invocation (using the action's version/input to pin
TRIVY_VERSION or use the action's provided version inputs) and ensure any
previously-set TRIVY_VERSION env is passed as the action input to maintain the
pinned version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 41-42: The Trivy step uses the command `trivy fs --severity
HIGH,CRITICAL .` which will not fail the job on findings; update the `trivy fs`
invocation to include `--exit-code 1` so the step exits non-zero when HIGH or
CRITICAL issues are found (e.g., change the `trivy fs` command used in the
workflow to add `--exit-code 1`).

---

Nitpick comments:
In @.github/workflows/build.yml:
- Around line 35-39: The workflow currently downloads Trivy manually in the
"Install trivy" step using env TRIVY_VERSION and curl, which lacks checksum
verification; replace that step with the official GitHub Action
(aquasecurity/trivy-action) so versioning and integrity are handled
automatically: remove the curl/tar commands in the "Install trivy" step and swap
them for the action invocation (using the action's version/input to pin
TRIVY_VERSION or use the action's provided version inputs) and ensure any
previously-set TRIVY_VERSION env is passed as the action input to maintain the
pinned version.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 114dc8ef-965f-4ee4-812d-aa1686fbea1d

📥 Commits

Reviewing files that changed from the base of the PR and between 4735bdd and 52d1f0f.

📒 Files selected for processing (1)
  • .github/workflows/build.yml
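The two points raised in the review above (a binary downloaded without checksum verification, and a scan step that cannot fail the job) as an added example that is not part of this PR or the project's workflow: a POSIX shell install step that checks the Trivy tarball against a pinned SHA-256 before extracting it, and a gate helper that turns a scanner's exit status into a job failure. The tarball path, destination directory and the expected digest are assumptions; in a real workflow the digest comes from the release's published checksum file and is pinned next to TRIVY_VERSION.

```shell
#!/usr/bin/env sh
# Added example, not the project's workflow code. Demonstrates verifying a
# downloaded Trivy tarball against a pinned SHA-256 before it is extracted,
# so a tampered, truncated or wrong-version artifact stops the job instead of
# running as the scanner.

# Print the SHA-256 of a file; portable across Linux (sha256sum) and the
# macOS runners this workflow uses (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches the pinned value, 1 otherwise.
# A missing file also yields a mismatch (empty digest), which is the safe outcome.
verify_checksum() {
  actual=$(sha256_of "$1" 2>/dev/null)
  if [ -n "$actual" ] && [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got '${actual:-<none>}'" >&2
  return 1
}

# install_trivy_verified TARBALL EXPECTED_SHA256 DEST_DIR
# Extracts only the trivy binary, and only after the checksum check passes.
install_trivy_verified() {
  verify_checksum "$1" "$2" || return 1
  tar xzf "$1" -C "$3" trivy
}

# scan_gate EXIT_STATUS
# Maps a scanner's exit status to the job outcome: 0 passes, anything else
# fails. Equivalent to running `trivy fs --exit-code 1 --severity HIGH,CRITICAL .`
# and letting the step's status decide the job, which is what the review asks for.
scan_gate() {
  if [ "$1" -eq 0 ]; then
    return 0
  fi
  echo "scanner reported findings (exit status $1); failing the job" >&2
  return 1
}

# Usage in a workflow step (values are placeholders, not real release data):
#   TRIVY_SHA256=<digest from the release's published checksum file>
#   curl -sfLo trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_macOS-ARM64.tar.gz"
#   install_trivy_verified trivy.tar.gz "$TRIVY_SHA256" /usr/local/bin
#   trivy fs --exit-code 1 --severity HIGH,CRITICAL .
```

The checksum is compared before `tar` ever reads the archive, so the extraction step never touches unverified bytes; pinning the digest next to `TRIVY_VERSION` means a version bump is a two-line, reviewable diff. The same reasoning applies to the action-based variant in the review: pin `aquasecurity/trivy-action` to a full commit SHA rather than `@master`.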

@gmegidish gmegidish merged commit c4ff3a2 into main Apr 15, 2026
@gmegidish gmegidish deleted the ci/verify-gate branch April 15, 2026 18:26