From 273a01252f4697e149e366473ccbb6a31d68d38b Mon Sep 17 00:00:00 2001 From: yiliang114 <1204183885@qq.com> Date: Sun, 17 May 2026 23:18:13 +0800 Subject: [PATCH] fix(release): correct OSS credentials lifetime and mirror probe fallback - release.yml: remove `trap EXIT` inside the Configure step; it deleted ${RUNNER_TEMP}/.ossutilconfig as soon as the configure shell exited, so every subsequent step (publish/sync/verify) lost the credentials. Move credential cleanup to a final `if: always()` step at the job tail. - install-qwen-standalone.sh: drop the predictable PID-based mktemp -d fallback in race_mirror_head; if mktemp fails, return "github" instead of using /tmp/qwen-mirror.$$ which a local attacker could pre-create to bias mirror selection. --- .github/workflows/release.yml | 7 ++++++- scripts/installation/install-qwen-standalone.sh | 9 +++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cb6ea8013..07f67b0cd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -434,7 +434,6 @@ jobs: exit 1 fi - trap 'rm -f "${RUNNER_TEMP}/.ossutilconfig"' EXIT ossutil config \ -e "${ALIYUN_OSS_ENDPOINT}" \ -i "${ALIYUN_OSS_ACCESS_KEY_ID}" \ @@ -590,6 +589,12 @@ jobs: (cd "${hosted_tmp_dir}/versioned" && sha256sum -c SHA256SUMS) (cd "${hosted_tmp_dir}/global" && sha256sum -c SHA256SUMS) + - name: 'Cleanup Aliyun OSS Credentials' + if: |- + ${{ always() && needs.prepare.outputs.is_dry_run == 'false' }} + run: |- + rm -f "${RUNNER_TEMP}/.ossutilconfig" + - name: 'Create PR to merge release branch into main' if: |- ${{ needs.prepare.outputs.is_dry_run == 'false' && needs.prepare.outputs.is_nightly == 'false' && needs.prepare.outputs.is_preview == 'false' }} diff --git a/scripts/installation/install-qwen-standalone.sh b/scripts/installation/install-qwen-standalone.sh index e4d881ffb..4a5c810c9 100755 --- a/scripts/installation/install-qwen-standalone.sh 
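Review bot: The new 'Cleanup Aliyun OSS Credentials' step gates removal on `needs.prepare.outputs.is_dry_run == 'false'`, so it stays correct only while the Configure step (its `if:` is outside this hunk) uses the same condition. Because `rm -f` is a no-op when the file is absent, `${{ always() }}` alone would drop that coupling and ensure `${RUNNER_TEMP}/.ossutilconfig` never outlives the job. With the `trap` removed in the -434 hunk, the key file is now readable by every step between Configure and this one. If ossutil does not already create it owner-only (not visible here), add `chmod 600 "${RUNNER_TEMP}/.ossutilconfig"` right after `ossutil config`, and a short comment on this step naming the steps that rely on the file.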
+++ b/scripts/installation/install-qwen-standalone.sh
@@ -682,8 +682,13 @@ race_mirror_head() {
 local gh_url="$2"
 local oss_url="$3"
 local tmpdir
- tmpdir=$(mktemp -d -t qwen-mirror.XXXXXX 2>/dev/null) || tmpdir="/tmp/qwen-mirror.$$"
- mkdir -p "${tmpdir}" 2>/dev/null || true
+ if ! tmpdir=$(mktemp -d -t qwen-mirror.XXXXXX 2>/dev/null); then
+ # Refuse to fall back to a predictable PID-based path; a local attacker
+ # could pre-create it to influence mirror selection.
+ echo "mirror probe: mktemp failed" >&2
+ echo "github"
+ return 0
+ fi
 register_temp_dir "${tmpdir}"
 (probe_url_available "${oss_url}" "${timeout}" && : > "${tmpdir}/aliyun") &
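Review bot: The new failure branch prints only `mirror probe: mktemp failed`, and `2>/dev/null` on the `mktemp` call discards the cause, so a user with an unwritable temp directory gets no hint of why the probe was skipped or which mirror was picked. A message such as `echo "mirror probe: mktemp failed (TMPDIR=${TMPDIR:-/tmp}); defaulting to github" >&2` makes the fail-safe visible and still leaves stdout carrying only the mirror name, which the caller presumably consumes. The comment could also note that the marker files written under `${tmpdir}` rely on `mktemp -d` creating the directory owner-only, which is why no `mkdir -p` fallback is acceptable. race_mirror_head starts before and continues after this hunk.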