
Remove secret-bearing PR workflows #522

Merged: AnthonyRonning merged 1 commit into master from harden/remove-pr-secret-workflows on May 20, 2026

Conversation

AnthonyRonning (Contributor) commented May 20, 2026

Summary:

  • Remove the Claude Code workflow and its write/id-token permissions plus ANTHROPIC_API_KEY exposure
  • Remove the comment-triggered TestFlight workflow that checked out PR head code and used Apple App Store Connect secrets
  • Keep signed desktop, Android, and iOS app build workflows restricted to push on master
  • Add separate PR-only app build workflows for desktop, Android, and iOS that use read-only permissions, no secrets, no pull_request_target, no issue_comment trigger, and no refs/pull checkout
  • Remove stale PR URL conditionals from the signed push-only desktop and Android workflows

Verification:

  • git diff --cached --check before amend
  • Parsed changed workflow YAML with the repo's yaml package
  • Confirmed all pull_request workflows are frontend-tests, rust-tests, desktop-pr-build, android-pr-build, and mobile-pr-build
  • Confirmed pull_request workflows do not reference secrets, write permissions, id-token, issue_comment, pull_request_target, refs/pull, Claude tools, signing keys, Apple API keys, or Android signing keys
  • Pre-commit hook ran bun build and bun test successfully

Notes:

  • PR app builds are intentionally unsigned and should not be used for distribution.
  • TestFlight publishing remains available from trusted push/master workflows. A safer ad hoc TestFlight path should be a separate protected workflow_dispatch design that builds only trusted refs and uses a GitHub Environment with required approval.

Summary by CodeRabbit

  • Chores

    • CI for Android, desktop, and mobile now runs on pushes to master and uses fixed production API endpoints for builds.
    • Removed the Claude workflow and the TestFlight-on-comment automation.
  • New Features

    • Added PR-specific build pipelines to produce macOS, Linux, Android, and iOS debug/review artifacts (various installer/app formats) and artifact retention for review.
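The verification list in the description is the kind of audit worth keeping as a script rather than a one-off. What follows is an added example, not code from this PR or from the Maple repository: a small line-oriented checker that flags, for every workflow a pull-request author can trigger, the things the description says the new pull_request workflows must not contain (secrets, write or id-token permissions, pull_request_target, issue_comment, refs/pull checkouts). The three embedded workflows are constructed for the demo and only approximate the removed comment-triggered TestFlight job, the new PR-only unsigned build, and the protected workflow_dispatch design sketched in the Notes; the script paths, artifact names and secret names in them are assumptions, not the repository's files.

```python
"""Audit GitHub Actions workflows for secrets or write access reachable from a PR.
Added example (not Maple code): a line-oriented heuristic, no YAML library, mirroring
the verification list in the PR description; the sample workflows are constructed."""
import re

# `pull_request` from a fork gets a read-only token and no secrets; the other two run
# in the base repo's trusted context against PR-chosen input, so they are findings as such.
PR_TRIGGERS = ("pull_request", "pull_request_target", "issue_comment")
TRUSTED_CONTEXT_TRIGGERS = ("pull_request_target", "issue_comment")

CHECKS = [
    ("secret-reference", re.compile(r"\$\{\{\s*secrets\.")),
    ("write-permission", re.compile(r"^\s*(?:permissions:\s*write-all|(?!id-token)[\w-]+:\s*write)\s*$")),
    ("id-token", re.compile(r"^\s*id-token\s*:")),
    ("refs/pull-checkout", re.compile(r"refs/pull/|github\.event\.pull_request\.head\.")),
]


def triggers(text):
    """Event names under the top-level `on:` key: `on: push`, `on: [a, b]` or nested."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^["']?on["']?:\s*(.*)$""", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):
            return [t.strip() for t in rest.strip("[]").split(",") if t.strip()]
        if rest:
            return [rest]
        found = []
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith(" "):          # back at column 0: the on: block ended
                break
            tm = re.match(r"^  ([\w-]+):", nxt)  # exactly two-space indent = event name
            if tm:
                found.append(tm.group(1))
        return found
    return []


def audit(text):
    """(rule, line_number, snippet) findings; [] if clean or not reachable from a PR."""
    trig = triggers(text)
    if not any(t in PR_TRIGGERS for t in trig):
        return []                                # push / workflow_dispatch only: out of scope
    found = [("trusted-context-trigger", 0, t) for t in trig if t in TRUSTED_CONTEXT_TRIGGERS]
    for n, line in enumerate(text.splitlines(), 1):
        found += [(rule, n, line.strip()) for rule, rx in CHECKS if rx.search(line)]
    return found


# Constructed sample: the shape of the removed comment-triggered TestFlight job.
COMMENT_TRIGGERED = """\
name: testflight-on-comment
on:
  issue_comment:
permissions:
  pull-requests: write
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: ./scripts/upload-testflight.sh
        env:
          APP_STORE_CONNECT_KEY: ${{ secrets.APP_STORE_CONNECT_KEY }}
"""

# Constructed sample: the shape of the new PR-only unsigned build.
PR_ONLY_BUILD = """\
name: android-pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo tauri android build --debug --apk
      - uses: actions/upload-artifact@v4
        with: {name: android-debug-apk, path: "**/*.apk", retention-days: 5}
"""

# Constructed sample: the ad hoc TestFlight design from the PR notes; secrets are
# reachable only via a manual dispatch on master behind an approval-gated environment.
DISPATCH_GATED = """\
name: testflight-dispatch
on:
  workflow_dispatch:
jobs:
  publish:
    if: github.ref == 'refs/heads/master'
    environment: testflight
    steps:
      - run: ./scripts/upload-testflight.sh
        env:
          APP_STORE_CONNECT_KEY: ${{ secrets.APP_STORE_CONNECT_KEY }}
"""
```

Run `audit` over the first sample and it returns four findings (the issue_comment trigger, the write permission, the refs/pull checkout and the secrets reference); the PR-only build is clean, and the dispatch-gated workflow is skipped entirely because nothing a PR author can do triggers it, which is exactly the split the description draws between PR-only and push/master workflows. It is a heuristic: it does not parse YAML, so a trigger list with unusual indentation or a `uses:` inside a block scalar needs a real parser such as the repo's yaml package.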


coderabbitai Bot commented May 20, 2026

Walkthrough

Updates CI: switch Android/desktop/mobile workflows to push-only, hardcode production VITE env values, add PR-scoped workflows for Android/desktop/mobile builds (with setup and artifact uploads), and remove obsolete workflow files.

Changes

CI Workflows

  • Build trigger updates (.github/workflows/android-build.yml, .github/workflows/desktop-build.yml, .github/workflows/mobile-build.yml): Android, desktop, and mobile build workflows now trigger on push to master only (pull_request triggers removed).
  • Fixed production VITE env vars (.github/workflows/android-build.yml, .github/workflows/desktop-build.yml): conditional VITE_OPEN_SECRET_API_URL and VITE_MAPLE_BILLING_API_URL expressions replaced with constant production URLs.
  • Android PR build workflow (.github/workflows/android-pr-build.yml): adds a PR-scoped Android build with Java/NDK/Rust/Bun setup, tauri-cli install, per-target cargo config (16KB page size), debug APK build, and artifact upload (5-day retention).
  • Desktop PR build workflow (.github/workflows/desktop-pr-build.yml): adds a PR-scoped desktop workflow with macOS universal and Linux builds, Bun/Rust/frontend setup, unsigned Tauri builds, and artifacts.
  • Mobile PR build workflow (.github/workflows/mobile-pr-build.yml): adds a PR-scoped iOS build with ONNX runtime caching/build, cargo config generation, Xcode setup, tauri-cli, and simulator iOS build steps.
  • Workflow removals (.github/workflows/claude.yml, .github/workflows/testflight-on-comment.yml): removes the claude.yml and testflight-on-comment.yml workflows and their job definitions/triggers.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


Poem

"I hopped through YAML dreams tonight,
Triggers trimmed to push's light,
Claude's lantern gently tucked away,
New PR builds rise to run and play,
🐰 CI carrots gleam in flight."

🚥 Pre-merge checks: 4 passed

  • Description Check: ✅ Passed (check skipped; CodeRabbit’s high-level summary is enabled)
  • Title check: ✅ Passed. The title 'Remove secret-bearing PR workflows' directly and accurately describes the main objective of this changeset, which removes Claude, TestFlight, and other workflows that exposed secrets in PR contexts while keeping signed workflows push-only.
  • Linked Issues check: ✅ Passed (check skipped; no linked issues were found for this pull request)
  • Out of Scope Changes check: ✅ Passed (check skipped; no linked issues were found for this pull request)



cloudflare-workers-and-pages Bot commented May 20, 2026

Deploying maple with Cloudflare Pages

Latest commit: f5164b3
Status: ✅  Deploy successful!
Preview URL: https://9e958767.maple-ca8.pages.dev
Branch Preview URL: https://harden-remove-pr-secret-work.maple-ca8.pages.dev


devin-ai-integration[bot]

This comment was marked as resolved.

AnthonyRonning force-pushed the harden/remove-pr-secret-workflows branch from 52c8d32 to bebda3e on May 20, 2026 17:08
devin-ai-integration[bot]

This comment was marked as resolved.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/mobile-pr-build.yml:
- Around line 89-94: Add ORT_SKIP_DOWNLOAD=true to the iOS workflow env block to
avoid flaky ONNX Runtime downloads; update the environment variables near
ORT_LIB_LOCATION and IPHONEOS_DEPLOYMENT_TARGET so the build script for the ort
crate sees ORT_SKIP_DOWNLOAD=true when using the prebuilt framework referenced
by ORT_LIB_LOCATION.


📥 Commits

Reviewing files that changed from the base of the PR and between 52c8d32 and bebda3e.

📒 Files selected for processing (8)
  • .github/workflows/android-build.yml
  • .github/workflows/android-pr-build.yml
  • .github/workflows/claude.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/desktop-pr-build.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/mobile-pr-build.yml
  • .github/workflows/testflight-on-comment.yml
💤 Files with no reviewable changes (3)
  • .github/workflows/mobile-build.yml
  • .github/workflows/claude.yml
  • .github/workflows/testflight-on-comment.yml

  build-android:
    runs-on: ubuntu-latest-8-cores
    steps:
      - uses: actions/checkout@v4

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🏁 Script executed:

#!/bin/bash
# Verify non-SHA-pinned actions in this workflow
rg -n '^\s*uses:\s*[^@]+@((v|V)?[0-9][^[:space:]]*|stable)$' .github/workflows/android-pr-build.yml
# Expected: no matches after pinning to full 40-char commit SHAs.


Pin GitHub Actions to immutable commit SHAs.

Lines 14, 19, 25, 28, 33, 38, and 135 use tag-based action refs (v4, v4, v3, v1, stable, v1.5.0, v4 respectively). This violates the blanket policy and leaves PR builds open to upstream tag retargeting risk.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/android-pr-build.yml at line 14, Replace all tag-based
GitHub Action refs with immutable commit SHAs: find each "uses:" entry that
currently references a tag (e.g., actions/checkout@v4, actions/setup-java@v4,
actions/cache@v3, reactivecircus/android-emulator-runner@v1,
gradle/wrapper-validation-action@stable, crazy-max/ghaction-docker-meta@v1.5.0,
actions/upload-artifact@v4) and update them to the corresponding full commit SHA
for the release you want to pin; keep the same action versions/functionality but
substitute the tag with the exact commit hash to prevent retargeting and ensure
reproducible builds.

  build-ios:
    runs-on: macos-26-xlarge
    steps:
      - uses: actions/checkout@v4

⚠️ Potential issue | 🟠 Major | ⚡ Quick win


Use immutable SHA pins for all uses: actions.

Lines 14, 19, 24, 29, 43, and 72 are tag-based refs and violate the blanket pinning policy. Replace each with a full 40-character commit SHA.

  • Line 14: actions/checkout@v4 → pin to SHA
  • Line 19: oven-sh/setup-bun@v1 → pin to SHA
  • Line 24: dtolnay/rust-toolchain@stable → pin to SHA
  • Line 29: actions/cache@v4 → pin to SHA
  • Line 43: actions/cache@v4 → pin to SHA
  • Line 72: maxim-lobanov/setup-xcode@v1 → pin to SHA
🧰 Tools
🪛 zizmor (1.25.2)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mobile-pr-build.yml at line 14, The workflow uses
tag-based action refs (actions/checkout@v4, oven-sh/setup-bun@v1,
dtolnay/rust-toolchain@stable, actions/cache@v4, maxim-lobanov/setup-xcode@v1)
which must be replaced with immutable 40-character commit SHAs; update each
`uses:` entry to the corresponding full commit SHA for that action (not a tag)
so the workflow is pinned, verify the SHA on the action repository and replace
the tag ref with the full SHA string, and run a quick workflow lint or dry run
to confirm no syntax errors.

AnthonyRonning force-pushed the harden/remove-pr-secret-workflows branch from bebda3e to c9b676c on May 20, 2026 17:34

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1



📥 Commits

Reviewing files that changed from the base of the PR and between bebda3e and c9b676c.

📒 Files selected for processing (8)
  • .github/workflows/android-build.yml
  • .github/workflows/android-pr-build.yml
  • .github/workflows/claude.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/desktop-pr-build.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/mobile-pr-build.yml
  • .github/workflows/testflight-on-comment.yml
💤 Files with no reviewable changes (3)
  • .github/workflows/claude.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/testflight-on-comment.yml

sudo ln -sf $NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-ranlib /usr/local/bin/x86_64-linux-android-ranlib
sudo ln -sf $NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-ranlib /usr/local/bin/i686-linux-android-ranlib

cargo tauri android build --debug --apk true

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win


Remove the trailing true from the --apk flag.

The --apk flag in Tauri CLI is a boolean flag that does not accept arguments. The command should be cargo tauri android build --debug --apk without the trailing true, which will cause the build to fail or behave unexpectedly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/android-pr-build.yml at line 128, The CI step invoking the
Tauri CLI uses an invalid invocation of the --apk flag: change the command
string that runs "cargo tauri android build --debug --apk true" to remove the
trailing "true" so it becomes a boolean flag ("--apk") — update the workflow job
command that calls "cargo tauri android build" accordingly to use "--apk"
without an argument.

devin-ai-integration Bot (Contributor) left a comment


Devin Review found 1 new potential issue.


sudo ln -sf $NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-ranlib /usr/local/bin/x86_64-linux-android-ranlib
sudo ln -sf $NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-ranlib /usr/local/bin/i686-linux-android-ranlib

cargo tauri android build --debug --apk true

🔴 --apk true passes unexpected positional argument to Tauri CLI, causing Android PR build to fail

At android-pr-build.yml:128, the command cargo tauri android build --debug --apk true uses --apk true instead of just --apk. In the Tauri CLI (clap v4), --apk is a boolean flag with SetTrue action — it doesn't consume a value. The true token is therefore not consumed by --apk and is instead treated as a separate positional argument. Every other invocation in the codebase (android-build.yml:200, release.yml:332, justfile:60) uses cargo tauri android build without any true value. Depending on whether the CLI accepts trailing args, this will either cause a clap "unexpected argument" error or pass true to Gradle as a task name (which doesn't exist), making the Android PR build fail on every run.

Suggested change
cargo tauri android build --debug --apk true
cargo tauri android build --debug --apk

AnthonyRonning force-pushed the harden/remove-pr-secret-workflows branch from c9b676c to 3a71189 on May 20, 2026 17:49

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/desktop-pr-build.yml (1)

17-17: ⚡ Quick win

Pin all uses: actions to full commit SHAs.

Using tag-based refs weakens supply-chain integrity. Consider pinning these 8 actions to their full 40-character commit SHAs:

🔧 Example change pattern
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<40-char-commit-sha> # v4

-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@<40-char-commit-sha> # v4
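Review bot: `<40-char-commit-sha>` in the `+` lines has to be the commit the tag currently resolves to on the action's own repository, and for an annotated tag that is the peeled commit, not the tag object's hash, or the `uses:` will fail to resolve. The `# v4` suffix shown here should stay on every rewritten line; once the tag leaves the `uses:` value it is the only readable record of which release the SHA stands for.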

Applies to lines: 17, 22, 27, 45, 56, 61, 66, 106

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/desktop-pr-build.yml at line 17, Replace all tag-based
action refs with full 40-character commit SHAs: for each uses: line (e.g.,
actions/checkout@v4 and the other seven uses entries referenced in the comment),
find the corresponding action repository and the commit SHA you want to pin,
then change the ref from the short tag (like `@v4`, `@v3`, etc.) to the full commit
SHA (e.g., `@0123456789abcdef0123456789abcdef01234567`); update each uses: entry
consistently and verify the workflow still runs with the pinned SHAs.


📥 Commits

Reviewing files that changed from the base of the PR and between c9b676c and 3a71189.

📒 Files selected for processing (8)
  • .github/workflows/android-build.yml
  • .github/workflows/android-pr-build.yml
  • .github/workflows/claude.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/desktop-pr-build.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/mobile-pr-build.yml
  • .github/workflows/testflight-on-comment.yml
💤 Files with no reviewable changes (3)
  • .github/workflows/claude.yml
  • .github/workflows/testflight-on-comment.yml
  • .github/workflows/mobile-build.yml

AnthonyRonning force-pushed the harden/remove-pr-secret-workflows branch from 3a71189 to f5164b3 on May 20, 2026 18:08

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/desktop-pr-build.yml (1)

17-17: ⚡ Quick win

Consider pinning all uses: actions to immutable commit SHAs for improved supply-chain security.

Tag-based refs (@v4, @v1, @stable) can unexpectedly change if tags are moved or deleted. While the codebase currently uses tags throughout, pinning to specific commit SHAs (@<40-char-sha>) is a security best practice that reduces risk of malicious action updates or repository compromise.

Suggested patch pattern
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<40-char-commit-sha>

-      - uses: oven-sh/setup-bun@v1
+      - uses: oven-sh/setup-bun@<40-char-commit-sha>

-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@<40-char-commit-sha>

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@<40-char-commit-sha>
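Review bot: this version of the pattern drops the `# v4` trailing comment that the earlier suggestion on the same file kept (`actions/checkout@<40-char-commit-sha> # v4`). Without it nobody reading the `uses:` line can tell which release a 40-character SHA corresponds to, and SHA-bump tooling has nothing to update alongside the hash; apply the commented form to all eight lines listed.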

Also applies to: 22-22, 27-27, 45-45, 56-56, 61-61, 66-66, 106-106

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/desktop-pr-build.yml at line 17, Replace tag-based GitHub
Action refs with immutable commit SHAs for every "uses:" entry (e.g., change
"uses: actions/checkout@v4" to "uses: actions/checkout@<40-char-sha>") to pin
the workflow to a specific commit; update each action referenced in the file
(all "uses:" lines including the ones mentioned) by looking up the corresponding
action repository, finding the latest desired commit SHA, and substituting the
tag ref with that 40-character SHA while keeping existing inputs and
configuration unchanged.


📥 Commits

Reviewing files that changed from the base of the PR and between 3a71189 and f5164b3.

📒 Files selected for processing (8)
  • .github/workflows/android-build.yml
  • .github/workflows/android-pr-build.yml
  • .github/workflows/claude.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/desktop-pr-build.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/mobile-pr-build.yml
  • .github/workflows/testflight-on-comment.yml
💤 Files with no reviewable changes (3)
  • .github/workflows/claude.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/testflight-on-comment.yml

Comment on lines +54 to +60
      - name: Install Tauri CLI
        run: |
          if ! command -v cargo-tauri &> /dev/null; then
            cargo install tauri-cli --version "2.9.2" --locked
          else
            echo "Tauri CLI already installed"
          fi

⚠️ Potential issue | 🟠 Major | ⚡ Quick win


Enforce the Tauri CLI version instead of only checking presence.

The conditional check only verifies whether cargo-tauri exists, not that it matches the required version 2.9.2. If a runner image includes a preinstalled cargo-tauri of a different version, the build silently uses that version instead. This breaks reproducibility, especially since the subsequent step explicitly works around a "Tauri 2.9.x bug" (line 64), indicating version-specific dependencies. Use cargo install tauri-cli --version "2.9.2" --locked --force to ensure the exact version is always installed.

💡 Minimal fix
       - name: Install Tauri CLI
         run: |
-          if ! command -v cargo-tauri &> /dev/null; then
-            cargo install tauri-cli --version "2.9.2" --locked
-          else
-            echo "Tauri CLI already installed"
-          fi
+          cargo install tauri-cli --version "2.9.2" --locked --force
         env:
           CARGO_CFG_TARGET_OS: linux
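Review bot: the replacement line trades build time for the version guarantee: `--force` rebuilds tauri-cli from source on every run even when the runner already has 2.9.2, which is what the removed presence check was avoiding. The prompt text's own alternative, comparing the installed version and reinstalling only on mismatch (for example `cargo tauri --version | grep -q '2\.9\.2' || cargo install tauri-cli --version "2.9.2" --locked --force`), keeps the exact-version guarantee without the extra compile, and pairs well with caching `~/.cargo/bin` keyed on the version.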
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/android-pr-build.yml around lines 54 - 60, The Install
Tauri CLI step currently only checks for the presence of cargo-tauri and can
leave an incorrect version installed; change that step so the pipeline enforces
the exact version 2.9.2 by invoking cargo install tauri-cli --version "2.9.2"
--locked --force (or equivalently detect the installed cargo-tauri version and
reinstall if it differs), ensuring the Install Tauri CLI step always results in
the required tauri-cli version rather than skipping installation when a
different preinstalled binary exists.

AnthonyRonning merged commit d0d8136 into master on May 20, 2026; 12 checks passed.
AnthonyRonning deleted the harden/remove-pr-secret-workflows branch on May 20, 2026 19:02.