agent-orchestrator/.github/workflows
Deepak Modi 6d53e1155c
[codex] Guard latest desktop release (#2463)
* ci: guard latest desktop release

* fix(ci): self-heal a hijacked releases/latest pointer (#2462)

The guard previously only detected a hijacked latest pointer and failed the
run, still requiring a maintainer with delete rights to remove the junk
release by hand.

Add a remediation step that, on scheduled/manual runs, deletes a release
carrying the unambiguous hijack signature -- published, non-prerelease, a
non-semver tag, and zero electron-updater feed assets (latest.yml /
latest-mac.yml / latest-linux.yml) -- along with its tag, so GitHub
re-points latest to the newest real stable release. A real stable release
always has a semver tag and the feed assets, so this can never match one; an
in-progress real release keeps its semver tag, so it is excluded too, and the
step never runs on `release` events to avoid racing an asset upload.

This lets merging the PR resolve #2462 via the Actions token with no manual
admin action, while the verify step stays as the tripwire for anything
outside the auto-remediable signature. Bumps the job permission from
contents:read to contents:write for the delete.

* Revert "fix(ci): self-heal a hijacked releases/latest pointer (#2462)"

This reverts commit 185bc563a9.
2026-07-07 21:34:07 +05:30
..
cli-e2e.yml
desktop-testing.yml
frontend-nightly.yml
frontend-release.yml
frontend.yml
gitleaks.yml
go.yml
prettier.yml
react-doctor.yml
release-latest-guard.yml
testing-build.yml