Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
6e6a4ba
chore: reserve implementation for #170
Wangnov Jul 10, 2026
39ae89d
chore: reserve implementation for #171
Wangnov Jul 10, 2026
ea6c0c9
fix(release): make mirror promotion monotonic
Wangnov Jul 10, 2026
4c1d083
feat(delivery): complete signed manager updates
Wangnov Jul 10, 2026
b8f2e47
fix(release): serialize IHEP mirror promotion
Wangnov Jul 11, 2026
47ee1e7
fix(release): validate immutable publication provenance
Wangnov Jul 11, 2026
dcfdfee
fix(delivery): harden signed update boundaries
Wangnov Jul 11, 2026
a80c6ed
fix(release): protect immutable release tags
Wangnov Jul 11, 2026
ac5337d
chore: integrate release hardening dependency
Wangnov Jul 11, 2026
657e0cb
fix(delivery): close signed update trust boundaries
Wangnov Jul 11, 2026
71fc92a
fix(updater): bound artifact transfer time
Wangnov Jul 11, 2026
ad3bad1
fix(release): authorize release tag creation
Wangnov Jul 11, 2026
352bfce
chore: refresh release tag authorization
Wangnov Jul 11, 2026
48bb0a8
fix(updater): redact transport URLs from failures
Wangnov Jul 11, 2026
592c394
fix(updater): sanitize invalid manifest errors
Wangnov Jul 11, 2026
fe8df9b
test(updater): await handoff hydration
Wangnov Jul 11, 2026
244d14a
fix(release): run publication from trusted main
Wangnov Jul 11, 2026
8ab2bec
fix(updater): require manifest artifact digests
Wangnov Jul 11, 2026
72d4e35
fix(updater): scope durable handoff grace
Wangnov Jul 11, 2026
fb46a50
fix(release): migrate legacy manifest baselines
Wangnov Jul 11, 2026
630d37d
chore: integrate trusted release workflow
Wangnov Jul 11, 2026
7ba57db
fix(release): verify exact draft asset set
Wangnov Jul 11, 2026
871bb60
fix(release): bind canonical release metadata
Wangnov Jul 11, 2026
00cb3f0
fix(release): bind trusted mirror verification
Wangnov Jul 11, 2026
dfb42f3
chore: merge trusted release base updates
Wangnov Jul 11, 2026
86906cc
fix(delivery): close updater review findings
Wangnov Jul 11, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 66 additions & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@ name: CI

# Fast pull-request gate: type-check, unit tests and a cross-platform Rust
# clippy/test pass. The heavy signed/notarized bundle build stays in
# release.yml (tags only) — this never builds or signs the .app.
# the default-branch release.yml (signalled by v* tags) — this never builds or
# signs the .app.
on:
pull_request:
push:
Expand Down Expand Up @@ -65,6 +66,70 @@ jobs:
run: cargo clippy --manifest-path src-tauri/Cargo.toml --workspace --all-targets -- -D warnings
- name: Test (src-tauri)
run: cargo test --manifest-path src-tauri/Cargo.toml --workspace
- name: Assert vendored tauri updater is active
shell: bash
run: |
set -euo pipefail
metadata_file="$(mktemp)"
trap 'rm -f "$metadata_file"' EXIT
cargo metadata --locked --format-version 1 \
--manifest-path src-tauri/Cargo.toml > "$metadata_file"
node --input-type=module - "$metadata_file" "$GITHUB_WORKSPACE" <<'NODE'
import { readFileSync, realpathSync } from "node:fs";
import { resolve } from "node:path";

const metadata = JSON.parse(readFileSync(process.argv[2], "utf8"));
const workspace = realpathSync(process.argv[3]);
const expectedManifest = realpathSync(
resolve(workspace, "vendor/tauri-plugin-updater-2.10.1/Cargo.toml"),
);
const updaterPackages = metadata.packages.filter(
({ name }) => name === "tauri-plugin-updater",
);
if (updaterPackages.length !== 1) {
throw new Error(
`expected exactly one tauri-plugin-updater package, found ${updaterPackages.length}`,
);
}
const [updater] = updaterPackages;
if (updater.version !== "2.10.1") {
throw new Error(`expected tauri-plugin-updater 2.10.1, found ${updater.version}`);
}
if (updater.source !== null) {
throw new Error(`tauri-plugin-updater resolved from registry source ${updater.source}`);
}
if (realpathSync(updater.manifest_path) !== expectedManifest) {
throw new Error(
`tauri-plugin-updater resolved from ${updater.manifest_path}, expected ${expectedManifest}`,
);
}

const app = metadata.packages.find(
({ manifest_path: manifestPath, name }) =>
name === "codex-app-manager" &&
realpathSync(manifestPath) ===
realpathSync(resolve(workspace, "src-tauri/Cargo.toml")),
);
const updaterDeclarations =
app?.dependencies.filter(({ name }) => name === "tauri-plugin-updater") ?? [];
if (
updaterDeclarations.length !== 1 ||
updaterDeclarations[0].req !== "=2.10.1"
) {
throw new Error("codex-app-manager must pin tauri-plugin-updater to =2.10.1");
}
const appNode = metadata.resolve?.nodes.find(({ id }) => id === app?.id);
const updaterEdges =
appNode?.deps.filter(({ name }) => name === "tauri_plugin_updater") ?? [];
if (updaterEdges.length !== 1 || updaterEdges[0].pkg !== updater.id) {
throw new Error("codex-app-manager does not resolve the expected vendored updater");
}
console.log(`verified vendored tauri updater: ${updater.manifest_path}`);
NODE
# The updater is a path-patched dependency, so its response-limit tests
# are not included in the application workspace test command above.
- name: Test vendored tauri updater bounds
run: cargo test --locked --manifest-path vendor/tauri-plugin-updater-2.10.1/Cargo.toml --lib
# Path deps are not workspace members, so their unit/integration tests are
# not covered by the step above. Run each engine crate explicitly so
# mac/win pure-logic regressions fail required CI on every PR.
Expand Down
33 changes: 33 additions & 0 deletions .github/workflows/release-source.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: Release source

# This workflow is only an unprivileged signal. Tag workflows are loaded from
# the tagged commit, so this file must never receive an environment, secrets,
# write permissions, checkout, or artifacts. The credentialed Release workflow
# is triggered with workflow_run and is therefore loaded from the default branch.
on:
push:
tags: ["v*"]

permissions: {}

jobs:
signal:
runs-on: ubuntu-latest
permissions: {}
steps:
- name: Validate release signal shape
shell: bash
env:
RELEASE_TAG: ${{ github.ref_name }}
RELEASE_SOURCE_SHA: ${{ github.sha }}
run: |
set -euo pipefail
if [[ ! "$RELEASE_TAG" =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
echo "::error::release tag must be a semantic vX.Y.Z tag: $RELEASE_TAG"
exit 1
fi
if [[ ! "$RELEASE_SOURCE_SHA" =~ ^[0-9a-f]{40}$ ]]; then
echo "::error::release source must be a full commit SHA"
exit 1
fi
echo "Unprivileged release signal accepted for $RELEASE_TAG at $RELEASE_SOURCE_SHA"
Loading
Loading