ci(release): add exact-head candidate artifacts#4532
Conversation
Factor the seven-target release build and 34-file asset assembly into a read-only reusable workflow shared by public releases and a manual non-publishing candidate path. Manual CI now validates the requested SHA and runs the full Linux, macOS, Windows, npm, mobile, workflow, Actions, and docs gates instead of light placeholders. Add checksum/inventory contracts, archive fixtures, packaged-wrapper smoke against assembled assets, and an explicit publication stop line in the release runbook. Signed-off-by: Hunter B <hmbown@gmail.com>
Restore the Unix executable contract after GitHub artifact transport normalizes files to 0644. Normalize archive metadata as well so identical inputs do not create packaging-only checksum drift, while retaining the separate public-asset immutability guard. Signed-off-by: Hunter B <hmbown@gmail.com>
Fail before build work and again immediately before upload whenever a tag already owns GitHub Release assets. Disable the release action overwrite path and document that recovery requires a deliberate maintainer decision instead of silently replacing public bytes. Signed-off-by: Hunter B <hmbown@gmail.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Claude finished @Hmbown's task in 3m 16s —— View job Review complete
SummaryThis is a careful, well-scoped CI/release change. The safety boundary (read-only Correctness
Minor/nit — dead code function intermediateArtifactPath(inputDirectory, name) {
if (name === BUNDLE_CHECKSUM_MANIFEST || BUNDLE_ASSET_NAMES.includes(name)) {
return path.join(inputDirectory, "codewhale-bundles", name);
}
return path.join(inputDirectory, name, name);
}Test coverage — good. Security — no command injection found: Provider/model routing (EPIC #2608 invariant) — not applicable; nothing in this diff touches model/provider selection. No blocking issues found. |
Checkout the resolved candidate SHA in a dedicated read-only web job and require public facts, docs, tests, lint, type checking, and the production build before constructing any release artifacts.\n\nKeep the candidate workflow non-publishing and bind artifact creation to the web gate result. Signed-off-by: Hunter B <hmbown@gmail.com>
|
Claude finished @Hmbown's task in 4m 4s —— View job Review complete
SummaryThis push (commit Correctness — sound. Minor bug — broken regex escape helper assert.match(candidate, new RegExp(`run: ${command.replace(/[.*+?^${}()|[\\]\\]/g, "\\$&")}`));The character class is malformed: Reuse/simplification — Tests — the new assertions in Security — no change to the read-only permissions boundary; the new job only reads and builds, no secrets or write scopes introduced. No blocking issues. |
Resolve each remote Action used by candidate artifact construction or public publication to the current audited commit, retaining the release version as an update hint.\n\nAdd a contract test that rejects mutable remote refs in all three release workflows and clean up the affected shell blocks so configured actionlint remains green. Signed-off-by: Hunter B <hmbown@gmail.com>
|
Claude finished @Hmbown's task in 2m 40s —— View job Review complete — commit
|
Repair the command escaping helper so future metacharacters cannot weaken the workflow contract, and remove the redundant installer path branch. Signed-off-by: Hunter B <hmbown@gmail.com>
|
Claude finished @Hmbown's task in 43s —— View job Review complete — commit
|
|
Supply-chain receipt for 9729924: I re-resolved all 14 unique action/ref pairs live against their upstream Git repositories after the final push. Every pinned 40-character SHA matched the documented tag or branch, including peeled annotated tags for sccache v0.0.10, rust-cache v2, and action-gh-release v3. The release workflow contract, asset assembly/reproducibility suite, and release immutability suite also passed locally (11/11). No publication action was taken. |
What changed
workflow_dispatchpath that forces the complete CI profileSafety boundary
The candidate workflow has read-only repository permissions and uploads short-lived Actions artifacts only. It cannot create a tag or GitHub Release, publish crates or npm, push containers or Homebrew changes, or deploy the website. Public
v0.9.1tagging and publication remain explicitly approval-gated.Validation
actionlintshellcheckcargo fmt --all -- --checkgit diff --check./scripts/release/check-versions.sh./scripts/release/check-ohos-deps.shgitleaksThe workflow has not been dispatched. Its first exact-head run belongs after this implementation and every other v0.9.1 source change reach final
main.Fixes #4531