agent-orchestrator/.github
Deepak Modi 6d53e1155c
[codex] Guard latest desktop release (#2463)
* ci: guard latest desktop release

* fix(ci): self-heal a hijacked releases/latest pointer (#2462)

The guard previously only detected a hijacked latest pointer and failed the
run, still requiring a maintainer with delete rights to remove the junk
release by hand.

Add a remediation step that, on scheduled/manual runs, deletes a release
carrying the unambiguous hijack signature -- published, non-prerelease, a
non-semver tag, and zero electron-updater feed assets (latest.yml /
latest-mac.yml / latest-linux.yml) -- along with its tag, so GitHub
re-points latest to the newest real stable release. A real stable release
always has a semver tag and the feed assets, so this can never match one; an
in-progress real release keeps its semver tag, so it is excluded too, and the
step never runs on `release` events to avoid racing an asset upload.

This lets merging the PR resolve #2462 via the Actions token with no manual
admin action, while the verify step stays as the tripwire for anything
outside the auto-remediable signature. Bumps the job permission from
contents:read to contents:write for the delete.

* Revert "fix(ci): self-heal a hijacked releases/latest pointer (#2462)"

This reverts commit 185bc563a9.
2026-07-07 21:34:07 +05:30
..
actions/macos-signing-setup feat: electron-updater feed publishing + macOS signing (#2220) (#2226) 2026-06-27 18:10:20 +05:30
workflows [codex] Guard latest desktop release (#2463) 2026-07-07 21:34:07 +05:30
.gitleaks.toml ci(gitleaks): allowlist historical false-positive commits from rewrite graft (#2169) 2026-06-27 23:07:35 +05:30