From 5e3fe2e840a4f39971ed9b68a932f052bde2eb74 Mon Sep 17 00:00:00 2001
From: stack72 <public@paulstack.co.uk>
Date: Tue, 5 May 2026 17:19:35 +0100
Subject: [PATCH] fix(release): install pinned canary Deno via direct download

The previous attempt (#1308) passed `canary-<sha>` to
`denoland/setup-deno@v2`, which fails with "The passed version range
is not valid": setup-deno only accepts `canary` (latest, non-
reproducible) for the canary channel. Pinning to a specific commit
SHA isn't a supported form.

Replace the Setup Deno step with a direct download of the pinned
artifact from `dl.deno.land/canary/<sha>/`, and prepend the install
directory to GITHUB_PATH so subsequent `deno run` / `deno compile`
calls pick it up. This keeps the host Deno reproducible (same SHA
the resource embed uses) without depending on setup-deno's
canary-version syntax.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 60c82875..8d585aca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,27 +28,34 @@ jobs:
         with:
           ref: main
 
-      # CANARY-BRIDGE: pin the host Deno used by `deno compile` to the same
-      # canary SHA that scripts/download_deno.ts embeds as a resource. Without
-      # this, `deno compile` runs under the latest stable v2.x and bakes
-      # `denort-<stable>` into the swamp CLI binary — which is the runtime
+      # CANARY-BRIDGE: install the host Deno used by `deno compile` directly
+      # from the canary SHA pinned in scripts/deno_canary.txt. denoland/setup-deno
+      # only accepts `canary` (latest, non-reproducible) — passing `canary-<sha>`
+      # is parsed as a semver range and fails with "The passed version range is
+      # not valid". We fetch the artifact ourselves to keep the pin reproducible.
+      # Without pinning the host, `deno compile` runs under stable v2.x and
+      # bakes `denort-<stable>` into the swamp CLI binary, which is the runtime
       # that executes workflows (and panics on the tls_wrap.rs unwrap until
       # v2.8.0 ships). See scripts/deno_canary.txt for the back-out checklist.
-      - name: Resolve Deno canary SHA
-        id: canary
+      - name: Install pinned canary Deno
         run: |
           sha=$(grep -v '^[[:space:]]*#' scripts/deno_canary.txt | grep -v '^[[:space:]]*$' | head -n1 | tr -d '[:space:]')
           if [ -z "$sha" ]; then
             echo "scripts/deno_canary.txt has no SHA" >&2
             exit 1
           fi
-          echo "sha=$sha" >> "$GITHUB_OUTPUT"
           echo "Pinned Deno canary: $sha"
 
-      - name: Setup Deno
-        uses: denoland/setup-deno@v2
-        with:
-          deno-version: canary-${{ steps.canary.outputs.sha }}
+          install_dir="$RUNNER_TEMP/deno-canary"
+          mkdir -p "$install_dir"
+          url="https://dl.deno.land/canary/${sha}/deno-x86_64-unknown-linux-gnu.zip"
+          echo "Downloading $url"
+          curl -fsSL "$url" -o "$install_dir/deno.zip"
+          unzip -q "$install_dir/deno.zip" -d "$install_dir"
+          chmod +x "$install_dir/deno"
+
+          echo "$install_dir" >> "$GITHUB_PATH"
+          "$install_dir/deno" --version
 
       - name: Generate version
         id: version