marketing-shibata50/cmux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Pin create-dmg version in signed build workflows (#401)

Browse source 
* Pin create-dmg version in release workflows

* Bump pinned create-dmg to 8.0.0
This commit is contained in:
Lawrence Chen 2026-02-25 19:30:10 -08:00 committed by GitHub
parent d7dbde3535
commit c7eec9fbb5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 36 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/ci.yml vendored
View file

@ -16,6 +16,9 @@ jobs:
- name: Validate self-hosted runner guards - name: Validate self-hosted runner guards
run: ./tests/test_ci_self_hosted_guard.sh run: ./tests/test_ci_self_hosted_guard.sh
- name: Validate create-dmg version pinning
run: ./tests/test_ci_create_dmg_pinned.sh
web-typecheck: web-typecheck:
runs-on: ubuntu-latest runs-on: ubuntu-latest
defaults: defaults:

5
.github/workflows/nightly.yml vendored
View file

@ -15,6 +15,9 @@ on:
permissions: permissions:
contents: write contents: write
env:
CREATE_DMG_VERSION: 8.0.0
jobs: jobs:
decide: decide:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -112,7 +115,7 @@ jobs:
run: | run: |
brew update brew update
brew install zig brew install zig
npm install --global create-dmg npm install --global "create-dmg@${CREATE_DMG_VERSION}"
- name: Build GhosttyKit.xcframework - name: Build GhosttyKit.xcframework
run: | run: |

5
.github/workflows/release.yml vendored
View file

@ -9,6 +9,9 @@ on:
permissions: permissions:
contents: write contents: write
env:
CREATE_DMG_VERSION: 8.0.0
jobs: jobs:
build-sign-notarize: build-sign-notarize:
runs-on: self-hosted runs-on: self-hosted
@ -101,7 +104,7 @@ jobs:
run: | run: |
brew update brew update
brew install zig brew install zig
npm install --global create-dmg npm install --global "create-dmg@${CREATE_DMG_VERSION}"
- name: Download Metal Toolchain - name: Download Metal Toolchain
if: steps.guard_release_assets.outputs.skip_all != 'true' if: steps.guard_release_assets.outputs.skip_all != 'true'

25
tests/test_ci_create_dmg_pinned.sh Executable file
View file

@ -0,0 +1,25 @@
#!/usr/bin/env bash
# Regression test for https://github.com/manaflow-ai/cmux/issues/387.
# Ensures release workflows pin create-dmg to an explicit version.
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
WORKFLOWS=(
"$ROOT_DIR/.github/workflows/release.yml"
"$ROOT_DIR/.github/workflows/nightly.yml"
)
for workflow in "${WORKFLOWS[@]}"; do
if ! grep -Eq 'npm install --global .*create-dmg@' "$workflow"; then
echo "FAIL: $workflow must install create-dmg with an explicit version"
exit 1
fi
if grep -Eq 'npm install --global[[:space:]]+create-dmg([[:space:]]|$)' "$workflow"; then
echo "FAIL: $workflow still has unpinned create-dmg install"
exit 1
fi
done
echo "PASS: create-dmg install is pinned in release workflows"