❌ Version File Not Updated The version file was not modified in this PR. Please update the |
Pull request overview
Updates build/release assets for v0.4.0, focusing on icon generation reliability (including Windows ICO handling) and adding macOS hardened runtime entitlements for Electron packaging.
Changes:
- Enhance scripts/generate-icons.js with PNG validation, optional Windows-specific icon sources, and BMP-based ICO generation.
- Add macOS entitlements plist files intended for hardened runtime builds.
- Adjust .gitignore rules affecting how build/ assets and generated artifacts are tracked/ignored.
Reviewed changes
Copilot reviewed 3 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/generate-icons.js | Adds PNG validation + optional Windows ICO source handling; changes ICO generation settings. |
| build/entitlements.mac.plist | Introduces macOS hardened runtime entitlements used by electron-builder. |
| build/entitlements.mac.inherit.plist | Adds a potential helper-process entitlements file (currently not wired in config). |
| .gitignore | Removes prior build/ ignore/exception block, changing which build artifacts are visible to git. |
| @@ -28,19 +88,21 @@ function generateIconSet(inputBuffer, outputBaseName) { | |||
| fail(`Failed to generate ICNS file for ${outputBaseName}`); | |||
| } | |||
|
|
|||
| const icoBuffer = png2icons.createICO(inputBuffer, png2icons.BICUBIC2, 0, false, true); | |||
| // Use BMP payloads for all ICO entries to maximize compatibility across | |||
| // shell previews and older Windows icon decoders. | |||
| const icoBuffer = png2icons.createICO(icoInputBuffer, png2icons.BICUBIC2, 0, false, false); | |||
| if (!icoBuffer) { | |||
| fail(`Failed to generate ICO file for ${outputBaseName}`); | |||
| } | |||
|
|
|||
| fs.copyFileSync( | |||
| outputBaseName === 'icon' ? sourcePng : budgetSourcePng, | |||
| outputPng | |||
| ); | |||
| fs.copyFileSync(sourceFilePath, outputPng); | |||
| fs.writeFileSync(outputIcns, icnsBuffer); | |||
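Review bot: in the `png2icons.createICO(icoInputBuffer, png2icons.BICUBIC2, 0, false, false)` call the two trailing booleans are positional, and the call differs from the previous one only in the input buffer and the last boolean, so the comment about BMP payloads cannot be matched to an argument at the call site. Consider binding the two flags to named constants just before the call so the intent survives the next edit.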
generateIconSet now always does fs.copyFileSync(sourceFilePath, outputPng), but sourceFilePath is an optional field in the options parameter. If a future call site omits it, this will throw a non-obvious TypeError. Consider making sourceFilePath a required function parameter (or explicitly validate it and fail with a clear message).
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
| <plist version="1.0"> | ||
| <dict> | ||
| <key>com.apple.security.cs.allow-jit</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.disable-library-validation</key> | ||
| <true/> | ||
| </dict> |
This inherit entitlements file is added but (based on the current electron-builder config) nothing references it. If helpers need distinct entitlements, add mac.entitlementsInherit to package.json build config; otherwise consider removing this file to avoid dead configuration that can drift over time.
| <key>com.apple.security.cs.allow-jit</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.disable-library-validation</key> | ||
| <true/> |
These entitlements significantly relax macOS hardened runtime protections (allow-jit, allow-unsigned-executable-memory, disable-library-validation). If they’re strictly required for Electron/native modules, consider documenting the rationale and keeping the set as minimal as possible (in particular, disable-library-validation is a broad permission).
| <key>com.apple.security.cs.allow-jit</key> | |
| <true/> | |
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | |
| <true/> | |
| <key>com.apple.security.cs.disable-library-validation</key> | |
| <true/> | |
| <!-- Electron/V8 requires JIT; keep this minimal hardened runtime relaxation. --> | |
| <key>com.apple.security.cs.allow-jit</key> | |
| <true/> |
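Review bot: the narrowed set here keeps only com.apple.security.cs.allow-jit, while build/entitlements.mac.inherit.plist as shown earlier in this PR still enables allow-unsigned-executable-memory and disable-library-validation. If this hunk does not cover that file, apply the same reduction there (or remove the file) so the two plists do not diverge.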
No description provided.
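The review comments above ask for the hardened runtime entitlement set to be kept minimal. One way to enforce that in CI, as an added example that is not part of this PR or the project's code, is a Node script that flags any entitlement enabled outside an allowlist. The allowlist (allow-jit only), the function names and the sample plists are assumptions constructed for illustration.

```javascript
// Added example (not the PR's code): lint entitlements plists against an allowlist.
// Assumed policy: only allow-jit is permitted, as in the narrowed plist above.
const ALLOWED = new Set(['com.apple.security.cs.allow-jit']);

// What each of the other relaxations discussed in the review permits.
const RELAXES = {
  'com.apple.security.cs.allow-unsigned-executable-memory':
    'writable+executable memory without the MAP_JIT restrictions',
  'com.apple.security.cs.disable-library-validation':
    "loading plug-ins or frameworks not signed by Apple or the app's own Team ID",
};

// Return the keys set to <true/> in plist XML. Only handles <key>/<true|false>
// pairs, which is all an entitlements file like the ones above contains.
function enabledEntitlements(plistXml) {
  const live = plistXml.replace(/<!--[\s\S]*?-->/g, ''); // ignore commented-out keys
  const pair = /<key>\s*([^<]+?)\s*<\/key>\s*<(true|false)\s*\/>/g;
  return [...live.matchAll(pair)].filter((m) => m[2] === 'true').map((m) => m[1]);
}

// files: { path: plist XML text }. One finding per enabled key outside the allowlist.
function auditEntitlements(files, allowed = ALLOWED) {
  const findings = [];
  for (const [path, xml] of Object.entries(files)) {
    for (const key of enabledEntitlements(xml)) {
      if (!allowed.has(key)) {
        findings.push({ path, key, relaxes: RELAXES[key] || 'not in allowlist' });
      }
    }
  }
  return findings;
}

// Constructed sample input mirroring the two files discussed in this PR.
const plist = (body) => `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>\n${body}\n</dict></plist>`;
const on = (k) => `<key>${k}</key>\n<true/>`;
const sampleFiles = {
  'build/entitlements.mac.plist': plist(
    `<!-- ${on('com.apple.security.cs.disable-library-validation')} -->\n` +
    on('com.apple.security.cs.allow-jit')),
  'build/entitlements.mac.inherit.plist': plist([
    'com.apple.security.cs.allow-jit',
    'com.apple.security.cs.allow-unsigned-executable-memory',
    'com.apple.security.cs.disable-library-validation',
  ].map(on).join('\n')),
};
for (const f of auditEntitlements(sampleFiles)) console.log(`${f.path}: ${f.key} (${f.relaxes})`);
```

In a real pipeline the file contents would be read from the repository and a non-empty result would fail the build.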