Python release-tool

[phoerious]

Work-in-progress PR for rewriting out release-tool in Python and merging the Bash and PS1 versions.

Type of change

• ✅ New feature (change that adds functionality)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.35%. Comparing base (6f59444) to head (419de58).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #10114   +/-   ##
========================================
  Coverage    64.35%   64.35%           
========================================
  Files          378      378           
  Lines        39719    39719           
========================================
  Hits         25561    25561           
  Misses       14158    14158           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[droidmonkey]

@phoerious this is ready for prime time. I tested all functions except for merge on windows. Made several improvements and fixes. Will test merge soon.

[Copilot]

Pull Request Overview

This PR introduces a comprehensive Python rewrite of the KeePassXC release tool, replacing the existing Bash and PowerShell versions with a unified Python implementation. The new tool consolidates functionality for checking, merging, building, signing, and internationalization tasks while adding improved cross-platform support.

• Python-based unified release tool replacing separate Bash and PowerShell scripts
• Enhanced Windows build system with integrated code signing capabilities
• Updated Transifex configuration for modern API endpoints

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
release-tool.py	New comprehensive Python release tool with all functionality from previous scripts
release-tool.ps1	Removed PowerShell version (replaced by Python tool)
release-tool	Removed Bash version (replaced by Python tool)
share/linux/appimage-apprun.sh	New AppImage launcher script for Linux distributions
src/CMakeLists.txt	Updated Windows packaging to use new post-install script
cmake/WindowsPostInstall.cmake.in	New Windows post-install script template for signing and portable zip creation
cmake/MakePortableZip.cmake	Removed old portable zip creation script
.tx/config	Updated Transifex configuration for new API endpoints

[Copilot]

Missing comma operator between tuple elements. Should be keys[0][0], keys[0][2] instead of keys[0][0]. keys[0][2].

Suggested change

	logger.info('Using secret key %s %s.', keys[0][0]. keys[0][2])
	logger.info('Using secret key %s %s.', keys[0][0], keys[0][2])

[phoerious]

wtf

[Copilot]

Incorrect string formatting with mismatched quotes. Should be 'Creating \"%s\" tag...' or use a different quote style to avoid the %s% pattern.

Suggested change

	logger.info('Creating "%s%" tag...', tag_name)
	logger.info('Creating "%s" tag...', tag_name)

[Copilot]

Logic error in _yes_no_prompt function. When default_no=False (meaning default is 'yes'), the function should return yes_no != 'n' to return True unless user explicitly says 'n'.

Suggested change

	return yes_no == 'n'
	return yes_no != 'n'

[droidmonkey]

Agree, this is a logic error

[Copilot]

Using shell=True with user-controlled input (identity parameter) poses a command injection risk. The signtool_args list should be executed directly without shell=True.

Suggested change

	_run(signtool_args, cwd=src_dir, capture_output=False, shell=True)
	_run(signtool_args, cwd=src_dir, capture_output=False)

[droidmonkey]

This is run locally, no risk for command injection unless you do it to yourself 😅

[phoerious]

shell should still be set to false. I don't see why this needs to be run in a shell wrapper.

[droidmonkey]

Because it literally didn't work otherwise. The sign tool will invoke a pin prompt and that will fail to show with an error if not done in a shell

[phoerious]

Ok, perhaps add a comment then.

[phoerious]

Why not use _run(...).stdout here?

[droidmonkey]

I wrote this before I understood all the functions in this file, good point

[phoerious]

Same here. I would also separate the cmd call and the actual shell command like this:

_run(['cmd', '/c', f'"{vs_cmd}" -arch={arch} -no_logo && set']), text=True)

Also, maybe escaping spaces vs_cmd.replace(' ', r'\ ') is safer than quotes?

You should probably also call _find_vs_dev_cmd from here directly. There's only a single usage of both these functions, so no need to take vs_cmd as a parameter.

[droidmonkey]

I tried so many ways to get all this to work.... out of 100 possible permutations only 2 work because windows command prompt is trash

[phoerious]

v will never be None. This will just error out if there's no =.

Maybe a better solution than Copilot's would be not to use expansion at all:

Suggested change

	for line in out.stdout.splitlines():
	k, v = line.split('=', 1)
	if v is not None:
	env[k] = v
	for line in out.stdout.splitlines():
	if len(kv := line.split('=', 1)) == 2:
	env[kv[0]] = kv[1]

[droidmonkey]

In my testing it didn't error out, only k had a value

[phoerious]

For 'abc=' yes (but then it'll be '', not None). For 'abc' you will get a ValueError.

[phoerious]

Merge (see above)