fix(release): replace hermit with native tool setup on Windows job #1018
Merged
hermit has no Windows support — its bootstrap script only handles Darwin and Linux, so activate-hermit crashes with an unbound-variable error on windows-latest. The Windows release job has never succeeded since it was added; the OIDC codesign failure masked it until now. Install node, pnpm, and the rust toolchain via pinned setup actions matching the hermit manifest versions, and inline the single-line desktop-install-ci recipe since just is itself a hermit-managed tool.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
… cache-poisoning

zizmor flags actions/setup-node in this release workflow (contents: write, feeds a signed installer) as a cache-poisoning vector because its static model treats setup-node's package-manager-cache as default-on. Our pinned v4.4.0 sets no cache input and does not cache, but the analyzer can't see that. Setting package-manager-cache: false makes the intent explicit and clears the error-level alert; it is a real no-write knob on v5 and an ignored input on v4.4.0.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
tlongwell-block pushed a commit that referenced this pull request Jun 13, 2026
* origin/main: (33 commits)
  fix(desktop): make Windows release compile cleanly (#1029)
  Add production Docker Compose bundle (#985)
  feat(profile): show active turn badges on agent profile panel and popover (#1026)
  chore(release): release version 0.3.20 (#1027)
  fix(release): resolve Windows sidecar path and Linux AppImage updater format (#1024)
  chore(release): release version 0.3.19 (#1014)
  fix(release): ignore prerelease tags in changelog generation (#1021)
  fix: repair main build after cross-PR merge skew (#1020)
  feat(agents): show per-turn duration and prune dead turns within ~25s of host crash (#1017)
  fix(release): replace hermit with native tool setup on Windows job (#1018)
  feat(acp): surface error-class outcomes to the activity feed only, never the channel (#1010)
  fix(desktop): migrate Sprout workspace storage (#1016)
  feat(auth): force token refresh on rejected token (401/403), never the browser (#1015)
  fix(release): mark prerelease versions so they do not become latest (#1013)
  feat(acp): implement systemPrompt with protocol version gating (#981)
  fix(release): update repository name check from block/sprout to block/buzz (#1012)
  feat(release): all-OS desktop builds + universal auto-update manifest (#1011)
  Add relay disconnect UX: friendly errors, reconnect, cached identity (#1004)
  feat(agents): add active turn indicators to Agents Menu (#1005)
  ci: add fork guards to docker, release, and auto-tag workflows (#1007)
  ...

Co-authored-by: npub1t2tgm7d8f995uqvmnm8h88sg3wnpp9a5xysjf6dg3tjmgt3ltulqdp8ehr <5a968df9a7494b4e019b9ecf739e088ba61097b4312124e9a88ae5b42e3f5f3e@sprout-oss.stage.blox.sqprod.co>
Signed-off-by: npub1t2tgm7d8f995uqvmnm8h88sg3wnpp9a5xysjf6dg3tjmgt3ltulqdp8ehr <5a968df9a7494b4e019b9ecf739e088ba61097b4312124e9a88ae5b42e3f5f3e@sprout-oss.stage.blox.sqprod.co>
hermit has no Windows support — its bootstrap script only branches on `Darwin` and `Linux`, so `cashapp/activate-hermit` crashes with `HERMIT_STATE_DIR_RAW: unbound variable` on `windows-latest`. The `Release Windows` job has depended on hermit for its entire toolchain since it was added, so it has never succeeded; the codesign OIDC failure earlier in the pipeline masked it until that was fixed.

This replaces `activate-hermit` in the Windows job with pinned native setup actions, matching the exact versions hermit pins:

- `dtolnay/rust-toolchain` at `1.95.0` (from `rust-toolchain.toml`), with `targets: x86_64-pc-windows-msvc` folded in — this replaces the separate `rustup target add` step.
- `actions/setup-node` at `24.14.0`.
- `pnpm/action-setup` at `11.4.0` (matches `packageManager` in `package.json`).

`just desktop-install-ci` is replaced with its one-line body, `pnpm install --frozen-lockfile`, dropping the `just` dependency entirely (`just` is itself a hermit-managed tool and was used for this single recipe).

`cmake` is left to the Windows runner's preinstalled copy; the existing `CMAKE_POLICY_VERSION_MINIMUM` env is unchanged.

The macOS and Linux jobs are untouched — they use hermit correctly on supported platforms.
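The second commit message above makes the no-cache intent explicit with `package-manager-cache: false`. The following is an added example, not code from this pull request and not zizmor's rule: a simplified line-based check that flags `actions/setup-node` steps without that explicit opt-out in any workflow granting `contents: write`. The sample workflow, the job name, and the pnpm action ref are constructed placeholders.

```python
import re

# Constructed sample workflow (not the project's file); the pnpm ref is a placeholder.
SAMPLE = """\
name: release
permissions:
  contents: write
jobs:
  release-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/setup-node@v4.4.0
        with:
          node-version: 24.14.0
      - uses: pnpm/action-setup@PLACEHOLDER_REF
        with:
          version: 11.4.0
      - run: pnpm install --frozen-lockfile
"""

ITEM = re.compile(r"^(\s*)-\s")
USES = re.compile(r"uses:\s*(actions/setup-node@\S+)")
WRITE = re.compile(r"^[ \t]*contents:[ \t]*write[ \t]*(#.*)?$", re.M)
CACHE_OFF = re.compile(r"^[ \t]*package-manager-cache:[ \t]*false[ \t]*(#.*)?$", re.M)

def list_items(text):
    """Yield (1-based line number, block text) per YAML list item, by indentation."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = ITEM.match(lines[i])
        if not m:
            i += 1
            continue
        indent, j = len(m.group(1)), i + 1
        # The item runs until the next non-blank line indented no deeper than its dash.
        while j < len(lines) and not (
            lines[j].strip() and len(lines[j]) - len(lines[j].lstrip()) <= indent
        ):
            j += 1
        yield i + 1, "\n".join(lines[i:j])
        i = j

def audit(text):
    """Return [(line, action ref)] for setup-node steps lacking an explicit cache opt-out."""
    if not WRITE.search(text):  # only workflows that grant contents: write
        return []
    return [(line, USES.search(block).group(1))
            for line, block in list_items(text)
            if USES.search(block) and not CACHE_OFF.search(block)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is deliberately stricter than the action's runtime behaviour: it asks for the explicit setting even on versions where, per the commit message, nothing is cached without a `cache` input.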