ci: add widget build, tvOS TestFlight, and issue_comment trigger

[evgeniyChepelev]

Description

/testflight

Summary by CodeRabbit

• New Features
  • Manually trigger TestFlight builds from PR comments using /testflight command (requires collaborator write/admin permissions)
  • Override build parameters (version, build-number, netbird-ref) directly in the command

[coderabbitai]

Warning

Rate limit exceeded

@evgeniyChepelev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 0 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 16 minutes and 0 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5bb8320f-9cca-4b3a-acee-72f38527fb4f

📥 Commits

Reviewing files that changed from the base of the PR and between d86b29a and 86e81ec.

📒 Files selected for processing (2)

• .github/workflows/build.yml
• .github/workflows/testflight.yml

📝 Walkthrough

Walkthrough

Modified .github/workflows/testflight.yml to add issue_comment event trigger, implement conditional build logic for PR comments containing /testflight commands with collaborator permission checks, introduce version derivation from git tags with parameter parsing, and propagate netbird-ref and version outputs to downstream build workflow.

Changes

Cohort / File(s)

Summary

GitHub Actions TestFlight Workflow .github/workflows/testflight.yml

Added issue_comment trigger; expanded gate job to execute for PR comments requiring /testflight command with admin/write collaborator permissions; replaced single "Resolve build ref" step with multi-step flow including pre script for conditional build logic, checkout, version derivation from latest v* git tag (with vX.Y.Z validation), and parameter parsing (version, build-number, netbird-ref overrides); updated concurrency grouping to use PR/issue number; modified notify job to run for pull_request and issue_comment events with dynamic PR number resolution; updated notification message to include version formatting.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• #89: Adds git tag-based version derivation and validation logic to testflight workflow similar to this PR's approach.
• #87: Handles netbird-ref and version parameter propagation between testflight and build-upload workflows.
• #73: Propagates netbird-ref and version inputs into downstream build-upload pipeline.

Suggested reviewers

• pappz
• mlsmaycon

Poem

🐰 A comment with slashes and tags to align,
Version derived, parameters fine,
Collaborators building with flair,
TestFlight deployments through the air! ✈️

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title mentions issue_comment trigger and TestFlight but omits the primary change—adding concurrency grouping logic and parameter parsing support.	Consider revising the title to better reflect the main architectural changes, such as 'ci: add issue_comment trigger with /testflight command parsing' or similar.
Description check	❓ Inconclusive	The PR description provides only command examples without substantive explanation of the changes being made.	Add a detailed description of what changes are being made, why they're needed, and how they work. The /testflight command should be context, not the primary description.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/ci-testflight-improvements

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/testflight.yml:
- Around line 64-66: The current check uses body.includes('/testflight') which
matches mentions inside quotes or code blocks; replace that broad includes check
on context.payload.comment.body (and the matching check near the existing
parser) with a strict line-oriented match that only triggers when a line begins
with the slash command (i.e., test body with a multiline regex equivalent that
looks for a line starting with "/testflight" followed by end-of-line or
whitespace), and update the early-return branch (where core.info('No /testflight
command — skipping') is logged) to use this stricter test so it aligns with the
parser used later (the parser referenced near line 93).
- Around line 92-99: The slash-command parsing currently accepts any
non-whitespace token (variables line, versionMatch, buildMatch, netbirdMatch) —
update the validations so that before calling core.setOutput you verify the
values match strict patterns: require version to match a semantic version like
^\d+\.\d+\.\d+(-[A-Za-z0-9.-]+)?$, require build-number to be digits only ^\d+$,
and require netbird-ref to only contain safe Git ref characters (e.g.
^[A-Za-z0-9._\/-]+$); if any value fails validation, do not call core.setOutput
for that key and fail early (use core.setFailed or throw) with a clear error so
invalid or malicious inputs are rejected immediately.
- Around line 59-90: Add a same-repo guard before enabling /testflight: after
identifying it's a PR comment (and before setting outputs), call
github.rest.pulls.get (or reuse the existing pulls.get) to inspect
pr.data.head.repo.full_name and compare it to
`${context.repo.owner}/${context.repo.repo}` (or
context.payload.repository.full_name); if they differ, log and return. Apply
this check in the issue_comment branch (around the code that obtains the PR and
before core.setOutput('ref', ...)) so fork PRs are blocked from running with
repo secrets.
- Around line 83-88: The code destructures the result of github.rest.pulls.get
into { data: pr } and then incorrectly accesses pr.data.head.sha, which is
undefined; update the core.setOutput call to read the head SHA from pr.head.sha
(i.e., use the already-destructured pr returned from github.rest.pulls.get) so
core.setOutput('ref', pr.head.sha) is used instead.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f2b3e0ee-c77e-4ac7-9efc-9843dcb241d4

📥 Commits

Reviewing files that changed from the base of the PR and between d3ed3b8 and d86b29a.

📒 Files selected for processing (1)

• .github/workflows/testflight.yml

[github-actions]

Build failed (iOS) 0.1.5 (118) for d86b29a

View workflow run

[evgeniyChepelev]

/testflight

[github-actions]

Build failed (iOS) 0.1.5 (119) for f33074d

View workflow run