Pull request overview
This PR migrates the CI/CD pipeline from Azure Pipelines to GitHub Actions, introducing automated builds using the IDA HCLI (Hex-Rays Command Line Interface) tool to download IDA SDK and binaries directly from Hex-Rays.
Key changes:
- Replaces Azure Pipelines with GitHub Actions workflow for building IDA plugins
- Introduces HCLI-based dependency management for IDA SDK and IDA Free downloads
- Builds Qt6 from source with IDA-compatible namespace configuration across all platforms
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| .github/workflows/build.yml | New GitHub Actions workflow defining Linux, Windows, and macOS build jobs with HCLI integration |
| README.md | Updates CI badge from Azure Pipelines to GitHub Actions |
| azure-pipelines.yml | Removes legacy Azure Pipelines configuration |
.github/workflows/build.yml
Outdated
|
|
||
| on: | ||
| push: | ||
| branches: [master, github-ci] |
The workflow is configured to trigger on pushes to the 'github-ci' branch, which appears to be a temporary development/testing branch. If this PR is being merged to master, consider removing 'github-ci' from the trigger branches to avoid unintended workflow executions on what might be a feature branch.
| branches: [master, github-ci] | |
| branches: [master] |
| -DCMAKE_OSX_ARCHITECTURES="arm64" \ | ||
| -DPYTHON_SUPPORT=OFF \ | ||
| -DIDA_SDK=${{ github.workspace }}/ida-sdk \ | ||
| -DIDA_INSTALL_DIR="${{ github.workspace }}/ida-install/IDA Free 9.2.app/Contents/MacOS" \ |
The DIDA_INSTALL_DIR path contains a hardcoded version-specific directory name "IDA Free 9.2.app". This creates a maintenance burden as the path will need to be updated whenever IDA version changes. Consider using a variable or dynamically finding the IDA installation path to make the workflow more maintainable.
.github/workflows/build.yml
Outdated
| # Find where IDA was installed | ||
| echo "=== Installed files ===" | ||
| find ${{ github.workspace }}/ida-install -name "*.app" -o -name "libida*" -o -name "ida" 2>/dev/null | head -20 | ||
| ls -la ${{ github.workspace }}/ida-install/ |
The debug output commands (echo and find) appear to be leftover debugging code from development. These lines don't serve a functional purpose in the build process and add noise to the CI logs. Consider removing them unless they're intentionally kept for troubleshooting purposes.
| # Find where IDA was installed | |
| echo "=== Installed files ===" | |
| find ${{ github.workspace }}/ida-install -name "*.app" -o -name "libida*" -o -name "ida" 2>/dev/null | head -20 | |
| ls -la ${{ github.workspace }}/ida-install/ |
| env: | ||
| HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }} |
The HCLI_API_KEY secret is exposed to the entire job environment, which could potentially leak through log outputs or error messages. Consider using the secret only in the specific steps that require it by setting it as an environment variable at the step level rather than the job level, limiting the exposure surface.
| env: | ||
| HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }} |
The HCLI_API_KEY secret is exposed to the entire job environment, which could potentially leak through log outputs or error messages. Consider using the secret only in the specific steps that require it by setting it as an environment variable at the step level rather than the job level, limiting the exposure surface.
.github/workflows/build.yml
Outdated
| - name: Install HCLI | ||
| run: pip install ida-hcli |
The pip install command does not pin the version of ida-hcli, which could lead to inconsistent builds if the package is updated. Consider pinning to a specific version (e.g., 'pip install ida-hcli==X.Y.Z') to ensure reproducible builds across all platforms.
| hcli --disable-updates download release/9.2/sdk-and-utilities/idasdk92.zip | ||
| unzip -q idasdk92.zip -d ./ida-temp | ||
| mv ./ida-temp/src ./ida-sdk | ||
|
|
||
| - name: Download and Install IDA Free | ||
| run: | | ||
| hcli --disable-updates download release/9.2/ida-free/ida-free-pc_92_x64linux.run | ||
| chmod +x ida-free-pc_92_x64linux.run | ||
| ./ida-free-pc_92_x64linux.run --mode unattended --prefix ${{ github.workspace }}/ida | ||
|
|
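Review bot: `./ida-free-pc_92_x64linux.run` is executed straight after `hcli --disable-updates download` with no integrity check, and `idasdk92.zip` is unpacked the same way. Keep the expected SHA-256 of both artifacts in the workflow and compare it (for example with `sha256sum -c`) before the `unzip` and `chmod +x` lines, so a truncated or substituted download fails the job instead of being unpacked or run.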
The hcli download commands and subsequent operations lack explicit error handling. If the download fails or the file is corrupted, the unzip/mv commands will fail with unclear error messages. Consider adding error checking after each critical step or using 'set -e' at the beginning of the script block to ensure the job fails immediately on any error.
| hcli --disable-updates download release/9.2/sdk-and-utilities/idasdk92.zip | |
| unzip -q idasdk92.zip -d ./ida-temp | |
| mv ./ida-temp/src ./ida-sdk | |
| - name: Download and Install IDA Free | |
| run: | | |
| hcli --disable-updates download release/9.2/ida-free/ida-free-pc_92_x64linux.run | |
| chmod +x ida-free-pc_92_x64linux.run | |
| ./ida-free-pc_92_x64linux.run --mode unattended --prefix ${{ github.workspace }}/ida | |
| set -euo pipefail | |
| hcli --disable-updates download release/9.2/sdk-and-utilities/idasdk92.zip || { echo "ERROR: Failed to download IDA SDK (idasdk92.zip) with hcli."; exit 1; } | |
| if [ ! -f idasdk92.zip ]; then | |
| echo "ERROR: Expected IDA SDK archive 'idasdk92.zip' not found after download." | |
| exit 1 | |
| fi | |
| unzip -q idasdk92.zip -d ./ida-temp || { echo "ERROR: Failed to unzip IDA SDK archive 'idasdk92.zip'."; exit 1; } | |
| if [ ! -d ./ida-temp/src ]; then | |
| echo "ERROR: Expected IDA SDK directory './ida-temp/src' not found after unzip." | |
| exit 1 | |
| fi | |
| mv ./ida-temp/src ./ida-sdk || { echo "ERROR: Failed to move IDA SDK directory from './ida-temp/src' to './ida-sdk'."; exit 1; } | |
| - name: Download and Install IDA Free | |
| run: | | |
| set -euo pipefail | |
| hcli --disable-updates download release/9.2/ida-free/ida-free-pc_92_x64linux.run || { echo "ERROR: Failed to download IDA Free installer with hcli."; exit 1; } | |
| if [ ! -f ida-free-pc_92_x64linux.run ]; then | |
| echo "ERROR: Expected IDA Free installer 'ida-free-pc_92_x64linux.run' not found after download." | |
| exit 1 | |
| fi | |
| chmod +x ida-free-pc_92_x64linux.run || { echo "ERROR: Failed to make IDA Free installer executable."; exit 1; } | |
| ./ida-free-pc_92_x64linux.run --mode unattended --prefix ${{ github.workspace }}/ida || { echo "ERROR: IDA Free installer failed."; exit 1; } |
| - name: Configure CMake | ||
| shell: bash | ||
| run: | | ||
| cmake -B build -G Ninja \ | ||
| -DCMAKE_PREFIX_PATH="${{ github.workspace }}/qt-install" \ | ||
| -DCMAKE_BUILD_TYPE=RelWithDebInfo \ | ||
| -DPYTHON_SUPPORT=OFF \ | ||
| -DIDA_SDK="${{ github.workspace }}/ida-sdk" \ | ||
| -DIDA_BINARY_64=ON \ | ||
| -DIDA_EA_64=ON |
The Windows build job is missing the IDA installation step that is present in both the Linux (line 41-45) and macOS (line 218-223) jobs. Without IDA installed, the DIDA_INSTALL_DIR CMake variable is not set, which may cause the build to fail if the CMake configuration requires it. Consider adding a step to download and install IDA Free for Windows similar to the other platforms.
| env: | ||
| HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }} |
The HCLI_API_KEY secret is exposed to the entire job environment, which could potentially leak through log outputs or error messages. Consider using the secret only in the specific steps that require it by setting it as an environment variable at the step level rather than the job level, limiting the exposure surface.
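The step-level scoping suggested in the comments above, shown beside the job-level form. This is an added example, not part of the PR or the review. The job names, the `ubuntu-latest` runner and the split of download and install into separate steps are assumptions, as is the premise that only `hcli download` needs the key.

```yaml
jobs:
  # Before: job-level env. Every step, including pip and the vendor
  # installer, inherits HCLI_API_KEY in its environment.
  linux-job-scoped:                 # hypothetical job name
    runs-on: ubuntu-latest
    env:
      HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }}
    steps:
      - name: Install HCLI
        run: pip install ida-hcli
      - name: Download and Install IDA Free
        run: |
          hcli --disable-updates download release/9.2/ida-free/ida-free-pc_92_x64linux.run
          chmod +x ida-free-pc_92_x64linux.run
          ./ida-free-pc_92_x64linux.run --mode unattended --prefix "${{ github.workspace }}/ida"

  # After: the key exists only in the step that calls `hcli download`.
  linux-step-scoped:                # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - name: Install HCLI          # no secret in scope
        run: pip install ida-hcli
      - name: Download IDA Free
        env:
          HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }}
        run: hcli --disable-updates download release/9.2/ida-free/ida-free-pc_92_x64linux.run
      - name: Install IDA Free      # split out so the installer runs without the key
        run: |
          chmod +x ida-free-pc_92_x64linux.run
          ./ida-free-pc_92_x64linux.run --mode unattended --prefix "${{ github.workspace }}/ida"
```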
.github/workflows/build.yml
Outdated
| run: brew install cmake ninja | ||
|
|
||
| - name: Install HCLI | ||
| run: pip3 install ida-hcli --break-system-packages |
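Review bot: `--break-system-packages` on the `pip3 install ida-hcli` line installs into the runner's system Python and overrides pip's externally-managed guard. Create a virtual environment with `python3 -m venv`, install `ida-hcli` there and call `hcli` from it, which removes the need for the flag.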
The pip install command does not pin the version of ida-hcli, which could lead to inconsistent builds if the package is updated. Consider pinning to a specific version (e.g., 'pip3 install ida-hcli==X.Y.Z --break-system-packages') to ensure reproducible builds across all platforms.
| run: pip3 install ida-hcli --break-system-packages | |
| run: pip3 install ida-hcli==1.5.0 --break-system-packages |
|
ok let's try |