From b604a63322c6f76432e0b6f49b5494f661d0ace8 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Tue, 11 Nov 2025 11:32:44 +0000 Subject: [PATCH] Fix critical release workflow issues identified in review Addresses 3 critical issues from 4-dev team review: 1. CRITICAL: Fix non-deterministic checksum generation (Dev 2 & 3) - Add explicit sorting to checksums.txt generation - Prevents #671 checksum mismatches between builds - Location: scripts/build-release.sh:348 2. CRITICAL: Fix upload/validation race condition (Dev 1) - Change validation trigger from 'release: created' to 'workflow_run' - Prevents validation from running while assets still uploading - Prevents valid releases from being incorrectly deleted - Location: .github/workflows/validate-release-assets.yml:4-8 3. CRITICAL: Fix GitHub token exposure in logs (Dev 1) - Replace curl commands with gh CLI - Prevents token leakage in workflow logs - Location: .github/workflows/validate-release-assets.yml:44, 63 All three issues were blocking issues that could cause release failures. Remaining high/medium priority issues to be addressed in follow-up PRs. --- .github/workflows/validate-release-assets.yml | 18 ++++++++++-------- scripts/build-release.sh | 3 ++- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/validate-release-assets.yml b/.github/workflows/validate-release-assets.yml index 3dd9d4a..a160372 100644 --- a/.github/workflows/validate-release-assets.yml +++ b/.github/workflows/validate-release-assets.yml @@ -1,8 +1,11 @@ name: Validate Release Assets on: + workflow_run: + workflows: ["Release"] + types: [completed] release: - types: [created, edited] + types: [edited] # Still validate on manual edits jobs: validate: @@ -37,10 +40,9 @@ jobs: mkdir -p release cd release - # Get list of all assets for this release - ASSETS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - "https://api.github.com/repos/${{ github.repository }}/releases/${{ github.event.release.id }}/assets" \ - | jq -r '.[].browser_download_url') + # Get list of all assets for this release (using gh CLI to avoid token exposure) + ASSETS=$(gh api "repos/${{ github.repository }}/releases/${{ github.event.release.id }}/assets" \ + --jq '.[].browser_download_url') if [ -z "$ASSETS" ]; then echo "::error::No assets found in release" @@ -57,9 +59,9 @@ jobs: if [ -n "$url" ]; then filename=$(basename "$url") echo "Downloading $filename..." - curl -L -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/octet-stream" \ - -o "$filename" "$url" + # Use gh CLI to download (avoids token exposure in logs) + gh release download "${{ github.event.release.tag_name }}" \ + --pattern "$filename" --dir . --clobber if [ $? -eq 0 ]; then echo "✓ Downloaded $filename ($(du -h "$filename" | cut -f1))" diff --git a/scripts/build-release.sh b/scripts/build-release.sh index 7f7bbbf..d893697 100755 --- a/scripts/build-release.sh +++ b/scripts/build-release.sh @@ -344,7 +344,8 @@ else done # Also generate combined checksums.txt for convenience - sha256sum "${checksum_files[@]}" > checksums.txt + # Sort checksums by filename for deterministic output (prevents #671 checksum mismatches) + sha256sum "${checksum_files[@]}" | sort -k 2 > checksums.txt if [ -n "${SIGNING_KEY_ID:-}" ]; then if command -v gpg >/dev/null 2>&1; then echo "Signing checksums with GPG key ${SIGNING_KEY_ID}..."