From 345d2219afbcd69c7480df565ca03e866a2b3df4 Mon Sep 17 00:00:00 2001
From: stack72
Date: Tue, 5 May 2026 16:55:38 +0100
Subject: [PATCH] fix(release): pin host Deno to bundled canary so denort matches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`deno compile` bakes the host deno's matching `denort-` into the compiled binary as the runtime that executes `main.ts` — i.e. the swamp CLI itself, including the workflow runner that does TLS uploads. The release job was running `deno compile` under stable v2.x (currently 2.7.14), which embeds `denort-2.7.14` containing the unfixed ext/node/ops/tls_wrap.rs unwrap (denoland/deno#33713). The fact that scripts/download_deno.ts also embeds the patched canary as a resource at resources/deno/deno doesn't help: that copy is extracted to ~/.swamp/deno for spawned children, not used by the CLI process where the panic fires. Resolve the pinned SHA from scripts/deno_canary.txt (the existing single source of truth) and pass it to denoland/setup-deno, so `denort` is fetched from dl.deno.land/canary// instead of release/v2.7.14/. The bridge is grep-able via `CANARY-BRIDGE` and the back-out checklist now lists the workflow change to undo when v2.8.0 ships.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 19 ++++++++++++++++++-
 scripts/deno_canary.txt | 11 +++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7e4c7958..60c82875 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,10 +28,27 @@ jobs:
 with:
 ref: main
+ # CANARY-BRIDGE: pin the host Deno used by `deno compile` to the same
+ # canary SHA that scripts/download_deno.ts embeds as a resource. Without
+ # this, `deno compile` runs under the latest stable v2.x and bakes
+ # `denort-` into the swamp CLI binary — which is the runtime
+ # that executes workflows (and panics on the tls_wrap.rs unwrap until
+ # v2.8.0 ships). See scripts/deno_canary.txt for the back-out checklist.
+ - name: Resolve Deno canary SHA
+ id: canary
+ run: |
+ sha=$(grep -v '^[[:space:]]*#' scripts/deno_canary.txt | grep -v '^[[:space:]]*$' | head -n1 | tr -d '[:space:]')
+ if [ -z "$sha" ]; then
+ echo "scripts/deno_canary.txt has no SHA" >&2
+ exit 1
+ fi
+ echo "sha=$sha" >> "$GITHUB_OUTPUT"
+ echo "Pinned Deno canary: $sha"
+
 - name: Setup Deno
 uses: denoland/setup-deno@v2
 with:
- deno-version: v2.x
+ deno-version: canary-${{ steps.canary.outputs.sha }}
 - name: Generate version
 id: version
diff --git a/scripts/deno_canary.txt b/scripts/deno_canary.txt
index 20711e37..ffc37929 100644
--- a/scripts/deno_canary.txt
+++ b/scripts/deno_canary.txt
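Review bot: The "Resolve Deno canary SHA" step accepts whatever the first non-comment line of scripts/deno_canary.txt contains and rejects only an empty value, so a short hash, a branch-like string or a line with a trailing comment (which `tr -d '[:space:]'` would fuse into the value) flows straight into `deno-version: canary-…` and decides which runtime is embedded in the released binary. Replacing the `-z` test with a format check such as `if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then` makes the job fail before anything is downloaded and keeps what is written to `$GITHUB_OUTPUT` to a known shape. Because this text file now selects the toolchain for the release job, it is worth giving it the same review protection as the workflow file itself. The steps list begins and ends outside this hunk, so whether the fetched canary build is integrity-checked elsewhere cannot be seen from here.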
@@ -18,10 +18,13 @@
 # 1. Delete this file (scripts/deno_canary.txt).
 # 2. In scripts/download_deno.ts, delete the two `CANARY-BRIDGE`
 # blocks (the helpers near the top and the branch in main()).
-# 3. Delete scripts/download_deno_test.ts (or its canary cases).
-# 4. `grep -rn CANARY-BRIDGE` should return zero matches.
-# 5. Bump the system Deno used by CI / contributors to v2.8.0.
-# 6. Rebuild and republish swamp via the normal release flow.
+# 3. In .github/workflows/release.yml, delete the "Resolve Deno canary
+# SHA" step (marked CANARY-BRIDGE) and change the Setup Deno step's
+# `deno-version` back to `v2.x` (or the desired stable line).
+# 4. Delete scripts/download_deno_test.ts (or its canary cases).
+# 5. `grep -rn CANARY-BRIDGE` should return zero matches.
+# 6. Bump the system Deno used by CI / contributors to v2.8.0.
+# 7. Rebuild and republish swamp via the normal release flow.
 #
 # Pinned commit (verified to include the tls_wrap fix df8d21c2):
 19bd3d8b99d92f15d20692aca02ac059bbc9ada7