Skip to content

ci: add Bitbucket Pipelines mirror of the GitLab release pipeline#55

Merged
BotCoder254 merged 1 commit into
mainfrom
ci/bitbucket-pipeline
Jul 7, 2026
Merged

ci: add Bitbucket Pipelines mirror of the GitLab release pipeline#55
BotCoder254 merged 1 commit into
mainfrom
ci/bitbucket-pipeline

Conversation

@BotCoder254

@BotCoder254 BotCoder254 commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Adds Bitbucket Pipelines (bitbucket-pipelines.yml) as the third implementation of the canonical pipeline (ci/pipeline.yml), a deep mirror of the primary GitLab pipeline running the same stages via the same provider-neutral ci/scripts/*.mjs:

  • CI layer (every push / PR): parallel validate (lint, compliance incl. tag-unique guard, non-blocking audit, gitleaks secret-scan) → build (renderer + forge package) → test (xvfb Electron smoke test, same GTK/ATK/CUPS/ALSA + t64 fallback set as GitLab).
  • Release layer (v* tags): package-linux (npm run dist, CycloneDX SBOM, verify-signing, staged artifacts/linux/) → secure (SHA256SUMS) → release-notesGitHub Release co-publish (pinned gh CLI 2.95.0, idempotent create-or---clobber, --prerelease on hyphen tags, latest*.yml + blockmaps attached for electron-updater) → optional token-guarded Bitbucket Downloads upload.
  • Custom manual pipelines: dry-run (package + secure, no publish) and sync-github (--force-with-lease only, per-invocation http.extraheader, token never written to .git/config).

Supporting changes

  • apply-tag-version.mjs / check-tag-unique.mjs / check-manifest.mjs now also resolve Bitbucket's BITBUCKET_TAG / BITBUCKET_COMMIT env (additive; GitLab/GitHub detection unchanged) — versioning stays tag-driven.
  • New provider guide docs/ci/bitbucket-pipelines.md; linked from docs/ci/README.md and link-checked by check-manifest.mjs.
  • ci/pipeline.yml + CLAUDE.md updated to document the third provider.

Invariants preserved

  • GitLab remains the single source of truth and sole GitLab-Release publisher; on a shared v* tag both release jobs are idempotent and GitLab's all-OS build normally finishes last and stays authoritative.
  • Secrets only in Secured repository variables (GITHUB_TOKEN — already configured; optional BITBUCKET_ACCESS_TOKEN), never in YAML; --force-with-lease only; no app/UI code touched.

Verification

  • npm run lint clean; node ci/scripts/check-manifest.mjs green (incl. new docs link check); BITBUCKET_TAG=v9.9.9 resolver dry-run stamps and restores cleanly; YAML parse-checked.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added Bitbucket Pipelines support for CI, including build, test, packaging, and release flows.
    • Added a new Bitbucket CI guide with setup, triggers, variables, and release behavior.
    • Expanded shared CI documentation to include Bitbucket as a supported provider.
  • Bug Fixes

    • Improved release-tag detection and version handling so Bitbucket runs recognize and publish tagged releases correctly.
    • Updated duplicate-tag checks to work reliably with Bitbucket commit and tag metadata.

Adds bitbucket-pipelines.yml as a third implementation of ci/pipeline.yml,
deep-mirroring .gitlab-ci.yml via the same provider-neutral ci/scripts/*.mjs:

- CI layer (push/PR): parallel validate (lint, compliance, non-blocking
  audit, gitleaks secret-scan) -> build -> xvfb Electron smoke test.
- Release layer (v* tags): package:linux (dist + CycloneDX SBOM +
  verify-signing, per-OS artifact staging) -> secure (SHA256SUMS) ->
  release-notes -> GitHub Release CO-PUBLISH (pinned gh CLI, idempotent
  create-or-clobber, --prerelease on hyphen tags) -> optional
  token-guarded Bitbucket Downloads upload.
- custom: manual dry-run (package+secure, no publish) and sync-github
  (--force-with-lease only, per-invocation http.extraheader).

Shared scripts now also resolve Bitbucket's env (BITBUCKET_TAG /
BITBUCKET_COMMIT) alongside GitLab/GitHub, and check-manifest link-checks
the new docs/ci/bitbucket-pipelines.md guide. GitLab remains the single
source of truth and sole GitLab-Release publisher; secrets stay in
SECURED repository variables (GITHUB_TOKEN, optional
BITBUCKET_ACCESS_TOKEN) — never in YAML.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@amazon-q-developer amazon-q-developer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

This PR successfully adds Bitbucket Pipelines as a third CI/CD implementation, maintaining consistency with the existing GitLab and GitHub Actions setup. The implementation follows the canonical pipeline specification and properly handles provider-specific environment variables.

Critical Issue Found

One security vulnerability was identified that must be fixed before merge:

  • Line 282 in bitbucket-pipelines.yml: The use of printf with the GitHub token exposes it in process listings. Replace with echo -n piped to base64 to avoid this exposure.

Strengths

  • Consistent implementation across all three CI providers using shared scripts
  • Proper documentation added (bitbucket-pipelines.md)
  • Correct environment variable handling for Bitbucket (BITBUCKET_TAG, BITBUCKET_COMMIT)
  • Security-conscious design with secured variables and --force-with-lease
  • Idempotent release co-publishing logic

Recommendations

Address the security issue in line 282, then this PR is ready to merge.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

Comment thread bitbucket-pipelines.yml
- |
set -eu
: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set as a SECURED repository variable}"
AUTH="Authorization: Basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Security Vulnerability: The GitHub token is exposed in the command string during base64 encoding, which could leak it into process listings, logs, or shell history. Use a safer method that avoids command substitution with the token.1

Suggested change
AUTH="Authorization: Basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)"
AUTH="Authorization: Basic $(echo -n "x-access-token:$GITHUB_TOKEN" | base64 -w0)"

Footnotes

  1. CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - https://cwe.mitre.org/data/definitions/200.html

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new Bitbucket Pipelines configuration mirroring the existing GitLab CI pipeline, updates provider-neutral CI scripts (apply-tag-version, check-manifest, check-tag-unique) to recognize Bitbucket environment variables, and updates CLAUDE.md, ci/pipeline.yml, and docs/ci to document Bitbucket support.

Changes

Bitbucket Pipelines Integration

Layer / File(s) Summary
Provider-neutral CI script updates
ci/scripts/apply-tag-version.mjs, ci/scripts/check-manifest.mjs, ci/scripts/check-tag-unique.mjs
Adds BITBUCKET_TAG and BITBUCKET_COMMIT fallback resolution for tag/commit detection, and requires bitbucket-pipelines.md in the docs integrity check.
Pipeline base setup and validation steps
bitbucket-pipelines.yml
Defines image, clone depth, npm cache, and lint/compliance/audit/secret-scan steps invoking the updated CI scripts.
Build and smoke-test steps
bitbucket-pipelines.yml
Adds build (tag stamping, Vite build, packaging) and Linux Electron smoke-test steps under xvfb.
Release packaging and publishing
bitbucket-pipelines.yml
Implements Linux packaging, SBOM/signing verification, artifact staging, checksum generation, GitHub Release publishing via gh CLI (create-or-clobber), and optional Bitbucket Downloads upload.
Pipeline triggers and custom pipelines
bitbucket-pipelines.yml
Wires default/PR/tag triggers and adds manual dry-run and sync-github custom pipelines using --force-with-lease.
Documentation updates
CLAUDE.md, ci/pipeline.yml, docs/ci/README.md, docs/ci/bitbucket-pipelines.md
Documents Bitbucket as a mirrored CI provider, its release co-publishing role, and the full pipeline stages/variables/triggers/security invariants.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • BotCoder254/limboo#29: Both PRs modify the provider-agnostic docs-integrity gating logic in ci/scripts/check-manifest.mjs, adjusting the list of expected CI provider guides.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main change: adding a Bitbucket Pipelines mirror of the GitLab release pipeline.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/bitbucket-pipeline

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@BotCoder254 BotCoder254 merged commit e5ed963 into main Jul 7, 2026
3 of 10 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
bitbucket-pipelines.yml (1)

78-78: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the mutable CI inputs here. zricethezav/gitleaks:latest, curlimages/curl:latest, npx --yes @cyclonedx/cyclonedx-npm``, and the gh tarball download all depend on mutable upstream artifacts. Pin image digests/package versions and verify the archive before these release-adjacent steps run.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bitbucket-pipelines.yml` at line 78, The CI job currently uses mutable
upstream inputs, so pin the external artifacts used by the pipeline step:
replace the `zricethezav/gitleaks:latest` image in the bitbucket pipeline, and
also lock down the related `curlimages/curl:latest`, `npx --yes
`@cyclonedx/cyclonedx-npm``, and `gh` tarball download references elsewhere in the
pipeline. Update the affected pipeline definitions and scripts to use fixed
digests or versions, and add archive verification for the downloaded release
artifacts before the release-adjacent steps execute.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bitbucket-pipelines.yml`:
- Around line 146-151: The release staging step in the pipeline is swallowing
missing-artifact/copy failures, which can leave dist/ empty before checksums and
signing run. Update the shell block that creates dist and copies from
artifacts/*/* so it fails fast when no installers are staged or the copy fails,
then only proceed to make-checksums.mjs and verify-signing.mjs after a
successful copy; use the existing dist staging step as the place to enforce
this.
- Around line 285-288: The push step in the Bitbucket pipeline currently falls
back to main when BITBUCKET_BRANCH is unset, which can send a detached HEAD to
the GitHub main branch. Update the branch resolution logic in the push block to
require an explicit branch context and fail fast with a clear error if
BITBUCKET_BRANCH is empty, then use that validated branch for the git push in
the pipeline step that performs the github remote push.

In `@docs/ci/README.md`:
- Around line 5-9: The README wording in the CI overview overstates artifact
parity across GitLab CI, GitHub Actions, and Bitbucket Pipelines; update the
description in the CI intro to qualify that only the shared validate/build/test
logic is identical, or explicitly note that Bitbucket’s release packaging
artifacts differ. Use the existing CI overview paragraph and the references to
ci/scripts as the place to adjust the claim so it stays accurate without
implying all providers produce identical artifacts.

---

Nitpick comments:
In `@bitbucket-pipelines.yml`:
- Line 78: The CI job currently uses mutable upstream inputs, so pin the
external artifacts used by the pipeline step: replace the
`zricethezav/gitleaks:latest` image in the bitbucket pipeline, and also lock
down the related `curlimages/curl:latest`, `npx --yes `@cyclonedx/cyclonedx-npm``,
and `gh` tarball download references elsewhere in the pipeline. Update the
affected pipeline definitions and scripts to use fixed digests or versions, and
add archive verification for the downloaded release artifacts before the
release-adjacent steps execute.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0decb323-75e5-4557-8615-b74c990732b1

📥 Commits

Reviewing files that changed from the base of the PR and between c2f21e4 and fe8649b.

📒 Files selected for processing (8)
  • CLAUDE.md
  • bitbucket-pipelines.yml
  • ci/pipeline.yml
  • ci/scripts/apply-tag-version.mjs
  • ci/scripts/check-manifest.mjs
  • ci/scripts/check-tag-unique.mjs
  • docs/ci/README.md
  • docs/ci/bitbucket-pipelines.md

Comment thread bitbucket-pipelines.yml
Comment on lines +146 to +151
- |
mkdir -p dist
cp -r artifacts/*/* dist/ 2>/dev/null || true
ls -la dist
- node ci/scripts/make-checksums.mjs dist dist/SHA256SUMS
- node ci/scripts/verify-signing.mjs dist

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Fail before checksumming an empty release payload.

Line 148 masks missing artifacts and copy errors, so dist/ can be checksummed/signed without the staged installers.

Proposed fix
             mkdir -p dist
-            cp -r artifacts/*/* dist/ 2>/dev/null || true
+            if [ ! -d artifacts ] || ! find artifacts -mindepth 2 -maxdepth 2 -type f -print -quit | grep -q .; then
+              echo "[secure] no staged artifacts found under artifacts/*/*"
+              exit 1
+            fi
+            find artifacts -mindepth 2 -maxdepth 2 -type f -exec cp {} dist/ \;
             ls -la dist
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- |
mkdir -p dist
cp -r artifacts/*/* dist/ 2>/dev/null || true
ls -la dist
- node ci/scripts/make-checksums.mjs dist dist/SHA256SUMS
- node ci/scripts/verify-signing.mjs dist
- |
mkdir -p dist
if [ ! -d artifacts ] || ! find artifacts -mindepth 2 -maxdepth 2 -type f -print -quit | grep -q .; then
echo "[secure] no staged artifacts found under artifacts/*/*"
exit 1
fi
find artifacts -mindepth 2 -maxdepth 2 -type f -exec cp {} dist/ \;
ls -la dist
- node ci/scripts/make-checksums.mjs dist dist/SHA256SUMS
- node ci/scripts/verify-signing.mjs dist
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bitbucket-pipelines.yml` around lines 146 - 151, The release staging step in
the pipeline is swallowing missing-artifact/copy failures, which can leave dist/
empty before checksums and signing run. Update the shell block that creates dist
and copies from artifacts/*/* so it fails fast when no installers are staged or
the copy fails, then only proceed to make-checksums.mjs and verify-signing.mjs
after a successful copy; use the existing dist staging step as the place to
enforce this.

Comment thread bitbucket-pipelines.yml
Comment on lines +285 to +288
BRANCH="${BITBUCKET_BRANCH:-main}"
echo "Pushing HEAD -> github/$BRANCH (--force-with-lease) + tags"
git -c http.extraheader="$AUTH" push --force-with-lease github "HEAD:refs/heads/$BRANCH"
git -c http.extraheader="$AUTH" push github --tags

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant section of the pipeline file
nl -ba bitbucket-pipelines.yml | sed -n '250,320p'

# Find the sync step and any branch/tag gating around it
rg -n -C 3 'sync-github|BITBUCKET_BRANCH|BITBUCKET_TAG|tags:|branches:' bitbucket-pipelines.yml

Repository: BotCoder254/limboo

Length of output: 196


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read the relevant section with line numbers using awk
awk 'NR>=250 && NR<=320 { printf "%d:%s\n", NR, $0 }' bitbucket-pipelines.yml

# Search for the sync step and any branch/tag gating
rg -n -C 3 'sync-github|BITBUCKET_BRANCH|BITBUCKET_TAG|tags:|branches:' bitbucket-pipelines.yml

Repository: BotCoder254/limboo

Length of output: 5744


🌐 Web query:

Bitbucket Pipelines custom pipeline BITBUCKET_BRANCH BITBUCKET_TAG manual pipeline branch context documentation

💡 Result:

In Bitbucket Pipelines, the behavior of BITBUCKET_BRANCH and BITBUCKET_TAG environment variables in custom pipelines depends on how the pipeline is manually triggered [1]. When you run a custom pipeline from the Bitbucket Cloud interface, you typically select a branch or tag from which to trigger the build [2][1]. If you trigger the custom pipeline while viewing a specific branch, the BITBUCKET_BRANCH variable will be correctly populated with that branch name [1]. However, if you trigger a custom pipeline from a specific commit (e.g., via the Commits page) rather than from a branch or tag reference, the pipeline runs in a detached HEAD state [1][3]. In this context, both BITBUCKET_BRANCH and BITBUCKET_TAG will be null or empty, as the pipeline lacks an explicit association with a branch or tag ref [1][3]. Key points regarding manual/custom pipelines: - Definition: Custom pipelines are defined in the custom section of your bitbucket-pipelines.yml file and are designed to be triggered manually from the Bitbucket UI [2][4]. - Triggering: You can select the target branch or tag when initiating a manual run from the UI [1]. - Variables: If you require specific context, you can also define custom variables under your pipeline definition [2][5]. These allow you to supply single-use values at runtime, which are then available as environment variables within the pipeline steps [2][5][6]. - Limitations: Because they do not automatically run on every push, custom pipelines do not inherently match branch or tag definitions unless explicitly invoked for those references [2][4]. If you need to restrict a pipeline to only run on specific branches, it is often recommended to use standard branch-specific pipelines instead of or in addition to custom ones [4][7]. To handle cases where the context is missing (such as running from a commit), some users override these variables manually within the pipeline script by using commands like git branch to identify the current branch associated with the commit [3].

Citations:


Require an explicit branch context here. BITBUCKET_BRANCH can be empty in a manually triggered custom pipeline from a commit view, and the main fallback can push a detached HEAD to GitHub main. Fail fast unless a branch is present. bitbucket-pipelines.yml:285-287

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bitbucket-pipelines.yml` around lines 285 - 288, The push step in the
Bitbucket pipeline currently falls back to main when BITBUCKET_BRANCH is unset,
which can send a detached HEAD to the GitHub main branch. Update the branch
resolution logic in the push block to require an explicit branch context and
fail fast with a clear error if BITBUCKET_BRANCH is empty, then use that
validated branch for the git push in the pipeline step that performs the github
remote push.

Comment thread docs/ci/README.md
Comment on lines +5 to +9
three providers — GitLab CI, GitHub Actions, and Bitbucket Pipelines — so an
organization can adopt whichever CI it already runs without changing Limboo's
development workflow. All three execute the same stages in the same order and
produce the same artifacts, because the actual logic lives in provider-neutral
scripts under [`ci/scripts/`](../../ci/scripts) rather than in YAML.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Qualify the artifact-parity claim.

Bitbucket is documented elsewhere as Linux-only for release packaging, so saying all three providers “produce the same artifacts” is inaccurate. Limit this to shared validate/build/test logic, or note that Bitbucket’s release artifacts differ.

♻️ Suggested wording
- three providers — GitLab CI, GitHub Actions, and Bitbucket Pipelines — so an
- organization can adopt whichever CI it already runs without changing Limboo's
- development workflow. All three execute the same stages in the same order and
- produce the same artifacts, because the actual logic lives in provider-neutral
- scripts under [`ci/scripts/`](../../ci/scripts) rather than in YAML.
+ three providers — GitLab CI, GitHub Actions, and Bitbucket Pipelines — so an
+ organization can adopt whichever CI it already runs without changing Limboo's
+ development workflow. All three execute the same validate/build/test stages in
+ the same order via provider-neutral scripts under [`ci/scripts/`](../../ci/scripts).
+ Bitbucket's release path is Linux-only, so its release artifacts differ.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
three providers — GitLab CI, GitHub Actions, and Bitbucket Pipelines — so an
organization can adopt whichever CI it already runs without changing Limboo's
development workflow. All three execute the same stages in the same order and
produce the same artifacts, because the actual logic lives in provider-neutral
scripts under [`ci/scripts/`](../../ci/scripts) rather than in YAML.
three providers — GitLab CI, GitHub Actions, and Bitbucket Pipelines — so an
organization can adopt whichever CI it already runs without changing Limboo's
development workflow. All three execute the same validate/build/test stages in
the same order via provider-neutral scripts under [`ci/scripts/`](../../ci/scripts).
Bitbucket's release path is Linux-only, so its release artifacts differ.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ci/README.md` around lines 5 - 9, The README wording in the CI overview
overstates artifact parity across GitLab CI, GitHub Actions, and Bitbucket
Pipelines; update the description in the CI intro to qualify that only the
shared validate/build/test logic is identical, or explicitly note that
Bitbucket’s release packaging artifacts differ. Use the existing CI overview
paragraph and the references to ci/scripts as the place to adjust the claim so
it stays accurate without implying all providers produce identical artifacts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant