Fix critical release workflow issues identified in review

Addresses 3 critical issues from 4-dev team review:

1. CRITICAL: Fix non-deterministic checksum generation (Dev 2 & 3)
   - Add explicit sorting to checksums.txt generation
   - Prevents #671 checksum mismatches between builds
   - Location: scripts/build-release.sh:348

2. CRITICAL: Fix upload/validation race condition (Dev 1)
   - Change validation trigger from 'release: created' to 'workflow_run'
   - Prevents validation from running while assets still uploading
   - Prevents valid releases from being incorrectly deleted
   - Location: .github/workflows/validate-release-assets.yml:4-8

3. CRITICAL: Fix GitHub token exposure in logs (Dev 1)
   - Replace curl commands with gh CLI
   - Prevents token leakage in workflow logs
   - Location: .github/workflows/validate-release-assets.yml:44, 63

All three issues were blocking issues that could cause release failures.
Remaining high/medium priority issues to be addressed in follow-up PRs.
rcourtman 2025-11-11 11:32:44 +00:00
parent 137554009a
commit d5e67d8e6b
2 changed files with 12 additions and 9 deletions


@ -1,8 +1,11 @@
name: Validate Release Assets
on:
workflow_run:
workflows: ["Release"]
types: [completed]
release:
types: [created, edited]
types: [edited] # Still validate on manual edits
jobs:
validate:
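Review bot: switching the trigger to `workflow_run` changes the event payload, but the later steps still read `github.event.release.id` and `github.event.release.tag_name`; those fields exist only on a `release` event, so on the `workflow_run` path they expand to empty strings and the asset lookup and download are built from nothing. The job needs to resolve the release from the Release run (for example from `github.event.workflow_run`) or receive the tag explicitly. Also consider gating the job with `if: github.event.workflow_run.conclusion == 'success'`, since `types: [completed]` also fires after a failed or cancelled Release run, which is exactly when a deletion on validation failure would be most unwelcome.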
@ -37,10 +40,9 @@ jobs:
mkdir -p release
cd release
# Get list of all assets for this release
ASSETS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
"https://api.github.com/repos/${{ github.repository }}/releases/${{ github.event.release.id }}/assets" \
| jq -r '.[].browser_download_url')
# Get list of all assets for this release (using gh CLI to avoid token exposure)
ASSETS=$(gh api "repos/${{ github.repository }}/releases/${{ github.event.release.id }}/assets" \
--jq '.[].browser_download_url')
if [ -z "$ASSETS" ]; then
echo "::error::No assets found in release"
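Review bot: `gh api` takes its credentials from `GH_TOKEN` (or `GITHUB_TOKEN`) in the step environment, and this hunk does not show that variable being set; unless it is exported elsewhere in the job, the call fails with an authentication error, `ASSETS` is empty, and the `-z "$ASSETS"` branch reports "No assets found in release" instead of the real cause. Add `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step, and consider checking the exit status of `gh api` separately from the empty-list case so an auth or 404 failure is not misreported as a release with no assets.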
@ -57,9 +59,9 @@ jobs:
if [ -n "$url" ]; then
filename=$(basename "$url")
echo "Downloading $filename..."
curl -L -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/octet-stream" \
-o "$filename" "$url"
# Use gh CLI to download (avoids token exposure in logs)
gh release download "${{ github.event.release.tag_name }}" \
--pattern "$filename" --dir . --clobber
if [ $? -eq 0 ]; then
echo "✓ Downloaded $filename ($(du -h "$filename" | cut -f1))"
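Review bot: `--pattern "$filename"` is a glob, not a literal name, so an asset whose basename contains `*`, `?` or `[` would match additional assets; since `filename` comes straight from the asset URL, escape glob metacharacters or verify afterwards that exactly the expected file landed in the directory. Two smaller points: `gh release download`, like `gh api`, needs `GH_TOKEN` in the environment and either a checked-out repository or `--repo ${{ github.repository }}` to resolve the release, neither of which is visible in this hunk; and `${{ github.event.release.tag_name }}` is empty when the workflow is triggered by `workflow_run`, so `$url` now serves only to derive the basename while the actual download is re-resolved from a tag that may not be set.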