marketing-shibata50/cmux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #269 from manaflow-ai/feat-release-immutable-guards

Browse source 
release: enforce immutable signed assets per tag
This commit is contained in:
Lawrence Chen 2026-02-21 04:14:27 -08:00 committed by GitHub
commit 6a0b708ea1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 96 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

31
.github/workflows/release.yml vendored
View file

@ -193,6 +193,36 @@ jobs:
fi
./scripts/sparkle_generate_appcast.sh cmux-macos.dmg "$GITHUB_REF_NAME" appcast.xml
- name: Guard immutable release assets
uses: actions/github-script@v7
with:
script: |
const tag = context.ref.replace('refs/tags/', '');
const requiredAssets = ['cmux-macos.dmg', 'appcast.xml'];
try {
const release = await github.rest.repos.getReleaseByTag({
owner: context.repo.owner,
repo: context.repo.repo,
tag,
});
const assetNames = new Set((release.data.assets || []).map((asset) => asset.name));
const conflicts = requiredAssets.filter((asset) => assetNames.has(asset));
if (conflicts.length > 0) {
core.setFailed(
`Release ${tag} already contains immutable assets (${conflicts.join(', ')}). ` +
'Refusing to overwrite signed artifacts for an existing tag.'
);
return;
}
core.notice(`Release ${tag} exists but does not contain conflicting assets.`);
} catch (error) {
if (error.status === 404) {
core.notice(`Release ${tag} does not exist yet; safe to publish assets.`);
return;
}
throw error;
}
- name: Upload release asset
uses: softprops/action-gh-release@v2
with:
@ -200,6 +230,7 @@ jobs:
cmux-macos.dmg
appcast.xml
generate_release_notes: true
overwrite_files: false
- name: Cleanup keychain
if: always()

69
scripts/build-sign-upload.sh
View file

@ -2,10 +2,50 @@
set -euo pipefail
# Build, sign, notarize, create DMG, generate appcast, and upload to GitHub release.
# Usage: ./scripts/build-sign-upload.sh <tag>
# Usage: ./scripts/build-sign-upload.sh <tag> [--allow-overwrite]
# Requires: source ~/.secrets/cmuxterm.env && export SPARKLE_PRIVATE_KEY
TAG="${1:?Usage: $0 <tag>}"
usage() {
cat <<'EOF'
Usage: ./scripts/build-sign-upload.sh <tag> [--allow-overwrite]
Options:
--allow-overwrite Permit replacing existing release assets for the same tag.
Use only for emergency rerolls.
EOF
}
ALLOW_OVERWRITE="false"
POSITIONAL=()
while [[ $# -gt 0 ]]; do
case "$1" in
--allow-overwrite)
ALLOW_OVERWRITE="true"
shift
;;
-h|--help)
usage
exit 0
;;
-*)
echo "Unknown option: $1" >&2
usage >&2
exit 1
;;
*)
POSITIONAL+=("$1")
shift
;;
esac
done
set -- "${POSITIONAL[@]}"
if [[ $# -ne 1 ]]; then
usage >&2
exit 1
fi
TAG="$1"
SIGN_HASH="A050CC7E193C8221BDBA204E731B046CDCCC1B30"
ENTITLEMENTS="cmux.entitlements"
APP_PATH="build/Build/Products/Release/cmux.app"
@ -81,8 +121,29 @@ echo "Generating appcast..."
# --- Create GitHub release (if needed) and upload ---
if gh release view "$TAG" >/dev/null 2>&1; then
echo "Uploading to existing release $TAG..."
gh release upload "$TAG" cmux-macos.dmg appcast.xml --clobber
echo "Release $TAG already exists"
EXISTING_ASSETS="$(gh release view "$TAG" --json assets --jq '.assets[].name' || true)"
HAS_CONFLICTING_ASSET="false"
for asset in cmux-macos.dmg appcast.xml; do
if printf '%s\n' "$EXISTING_ASSETS" | grep -Fxq "$asset"; then
HAS_CONFLICTING_ASSET="true"
break
fi
done
if [[ "$HAS_CONFLICTING_ASSET" == "true" && "$ALLOW_OVERWRITE" != "true" ]]; then
echo "ERROR: Refusing to overwrite signed release assets for existing tag $TAG." >&2
echo "Use a new tag, or rerun with --allow-overwrite for an emergency reroll." >&2
exit 1
fi
if [[ "$ALLOW_OVERWRITE" == "true" ]]; then
echo "Uploading with overwrite enabled for existing release $TAG..."
gh release upload "$TAG" cmux-macos.dmg appcast.xml --clobber
else
echo "Uploading to existing release $TAG..."
gh release upload "$TAG" cmux-macos.dmg appcast.xml
fi
else
echo "Creating release $TAG and uploading..."
gh release create "$TAG" cmux-macos.dmg appcast.xml --title "$TAG" --notes "See CHANGELOG.md for details"