[BRE-1367] Update macos workflows to use macos-15-intel runners #928

Merged
brandonbiete merged 1 commit into main from BRE-1367-Update-to-macOS-15-Intel-Runner
Nov 21, 2025

@brandonbiete
Contributor

🎟️ Tracking

https://bitwarden.atlassian.net/browse/BRE-1367

📔 Objective

Update macos workflows to use macos-15-intel runners

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@brandonbiete brandonbiete requested a review from a team as a code owner November 21, 2025 14:50
@claude

claude bot commented Nov 21, 2025

Claude finished @brandonbiete's task —— View job


Code Review Summary

This PR updates macOS workflow runners from macos-13 to macos-15-intel for both CLI and GUI build jobs. The changes are minimal, focused, and already verified by successful CI runs and human approval.


Findings

None - this is a clean infrastructure update.


Analysis

PR Metadata Quality

The PR follows Bitwarden conventions with clear title, linked Jira ticket (BRE-1367), and proper objective statement. No improvements needed.

Technical Review

Change Context
This PR follows commit 2883ff6 which reverted a previous runner upgrade to restore stability. Now the team is attempting a more targeted upgrade using macos-15-intel runners specifically (rather than generic macos-15 which may default to ARM).

Correctness

  • Line 123 (.github/workflows/build.yml:123): runs-on: macos-15-intel for macos-cli job
  • Line 430 (.github/workflows/build.yml:430): runs-on: macos-15-intel for macos-gui job

Both changes are syntactically correct and consistent with GitHub Actions runner label conventions.

Compatibility Verification
The workflow includes Intel-specific keytar binaries (darwin-x64) that match the Intel runner architecture:

  • macos-cli job (line 151): Downloads keytar-v$keytarVersion-napi-v3-darwin-x64.tar
  • Build commands target x64 architecture appropriately

CI Validation
✅ All checks passed, confirming the runners are available and functional
✅ Human reviewer (BTreston) verified build artifacts execute without errors
✅ Version tests passed for both CLI and GUI builds

Security Considerations

Checkmarx Findings (not blocking)
Two high-severity CVEs reported for Electron 39.1.0 (CVE-2025-12725, CVE-2025-12726). These are pre-existing dependency issues unrelated to the runner change. Checkmarx recommends upgrading to Electron 39.2.0, but this should be tracked separately from the infrastructure update.


Recommendation

✅ Approve - This is a straightforward infrastructure update with:

  • Proper scope (runner version only)
  • Successful validation (CI + manual testing)
  • No code behavior changes
  • Clear rollback history if issues arise

The Electron vulnerabilities should be addressed in a separate security update PR.
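
The pairing discussed in the review above (an Intel-labelled runner for jobs that fetch `darwin-x64` keytar binaries) can be checked statically before a runner label is changed. This is an added example, not code from this PR or the Bitwarden repository; the sample workflow, the `example.invalid` URL and the `PINNED_RUNNERS` table are constructed, and the line-based parsing assumes two-space YAML indentation.

```python
import re

# Assumption: the only label this check trusts to pin an architecture is the
# one named in the review. Any other label counts as "not pinned".
PINNED_RUNNERS = {"macos-15-intel": "x64"}

JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")      # job key, 2-space indent
RUNS_ON_RE = re.compile(r"^    runs-on:\s*(\S+)")     # job-level runner label
ASSET_RE = re.compile(r"darwin-(x64|arm64)")          # arch in asset names

# Constructed sample workflow (not the repository's build.yml).
SAMPLE = """\
name: Build
jobs:
  macos-cli:
    runs-on: macos-15-intel
    steps:
      - run: curl -LO https://example.invalid/keytar-v$keytarVersion-napi-v3-darwin-x64.tar
  macos-gui:
    runs-on: macos-15
    steps:
      - run: curl -LO https://example.invalid/keytar-v$keytarVersion-napi-v3-darwin-x64.tar
"""


def audit_workflow(text):
    """Return (job, label, asset_arch, problem) for every unsafe pairing."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and JOB_RE.match(line):
            name = JOB_RE.match(line).group(1)
            current = jobs.setdefault(name, {"label": None, "assets": set()})
        elif current is not None:
            m = RUNS_ON_RE.match(line)
            if m:
                current["label"] = m.group(1)
            current["assets"].update(ASSET_RE.findall(line))
    findings = []
    for name, job in jobs.items():
        runner_arch = PINNED_RUNNERS.get(job["label"])
        for arch in sorted(job["assets"]):
            if runner_arch is None:
                findings.append((name, job["label"], arch, "runner architecture not pinned"))
            elif runner_arch != arch:
                findings.append((name, job["label"], arch, "architecture mismatch"))
    return findings
```

On the constructed sample, `audit_workflow(SAMPLE)` flags only the `macos-gui` job, whose generic `macos-15` label does not pin an architecture for the `darwin-x64` download.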


@codecov

codecov bot commented Nov 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 6.87%. Comparing base (99655a0) to head (233ea8d).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@          Coverage Diff          @@
##            main    #928   +/-   ##
=====================================
  Coverage   6.87%   6.87%           
=====================================
  Files         67      67           
  Lines       2791    2791           
  Branches     481     481           
=====================================
  Hits         192     192           
  Misses      2585    2585           
  Partials      14      14           


@github-actions
Contributor

Checkmarx One – Scan Summary & Details (c3855804-a1ee-4b34-b94f-81d9e89874f1)

New Issues (2)

Checkmarx found the following issues in this Pull Request

Severity: HIGH
Issue: CVE-2025-12725
Source File / Package: Npm-electron-39.1.0
Checkmarx Insight:
  Recommended version: 39.2.0
  Description: Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an Out-of-Bounds memory write...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: vfUK0bf8V8GGru7RVX4rHMCcJv9DrJJOhCrqtnx5h1E%3D

Severity: HIGH
Issue: CVE-2025-12726
Source File / Package: Npm-electron-39.1.0
Checkmarx Insight:
  Recommended version: 39.2.0
  Description: Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the rendere...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  ID: FiRYzG7wXIHZjKIzcFPF14fdPXSBSQlhGxd1fqNuGqw%3D

Contributor

@BTreston BTreston left a comment

Build artifact does not error when run. Looks good, thanks!

@brandonbiete brandonbiete merged commit 0d3bbc1 into main Nov 21, 2025
34 of 36 checks passed
@brandonbiete brandonbiete deleted the BRE-1367-Update-to-macOS-15-Intel-Runner branch November 21, 2025 19:39