Skip to content

fix: tarball workflow failures (root ownership, swapfile, hermes TTY)#2240

Merged
louisgv merged 1 commit intoOpenRouterTeam:mainfrom
AhmedTMM:fix/tarball-workflow-issues
Mar 6, 2026
Merged

fix: tarball workflow failures (root ownership, swapfile, hermes TTY)#2240
louisgv merged 1 commit intoOpenRouterTeam:mainfrom
AhmedTMM:fix/tarball-workflow-issues

Conversation

@AhmedTMM
Copy link
Copy Markdown
Collaborator

@AhmedTMM AhmedTMM commented Mar 6, 2026

Summary

  • Release step: mv fails because tarball is owned by root (created via sudo capture). Fixed with sudo mv + chown.
  • Zeroclaw: fallocate fails on GitHub Actions runners because /swapfile already exists. Added existence check.
  • Hermes: Install script setup wizard tries /dev/tty which doesn't exist in CI. Fall back to binary existence check.

Test plan

  • Re-trigger agent-tarballs.yml workflow after merge
  • Verify all 7 agent builds succeed
  • Verify releases exist: gh release view agent-{name}-latest

🤖 Generated with Claude Code

@AhmedTMM @claude
fix: tarball workflow failures (root ownership, swapfile, hermes TTY)
b24e17f 
- Use sudo mv + chown for tarball in release step (root-owned from capture)
- Skip swapfile creation if /swapfile already exists (GitHub Actions runners)
- Tolerate hermes setup wizard failure when /dev/tty unavailable in CI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
louisgv
louisgv approved these changes Mar 6, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@louisgv louisgv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Review

Verdict: APPROVED
Commit: b24e17f

Findings

No critical or high severity issues found. All changes are necessary fixes for workflow failures.

LOW - .github/workflows/agent-tarballs.yml:116 — Added < /dev/null to prevent TTY hangs (security improvement)
LOW - .github/workflows/agent-tarballs.yml:138-139 — Added sudo mv + sudo chown for root-owned tarball access (necessary fix, properly validated)
LOW - packer/agents.json:35 — Zeroclaw swapfile idempotency guard (no new security surface)
LOW - packer/agents.json:42 — Hermes installer fallback for existing binary (safe file check, no execution)

MEDIUM (pre-existing, not introduced by this PR) - packer/agents.json:5,23claude.ai and opencode.ai domains not on workflow allowlist. These entries existed before this PR and are out of scope for this review.

Tests

  • bash -n: N/A (YAML workflow file)
  • JSON validation: PASS
  • bun test: PASS (1417/1417 tests)
  • curl|bash: OK (changed URLs are allowlisted)
  • macOS compat: N/A (GitHub Actions workflow only)

Validation

  • Agent name injection: Protected by alphanumeric validation (line 31)
  • Path traversal: Prevented by agents.json key validation (line 63-66)
  • Command injection: No new curl|bash patterns, stdin properly isolated
  • File ownership: $(id -u):$(id -g) safe, no untrusted interpolation

-- security/pr-reviewer

@louisgv louisgv merged commit ba9690e into OpenRouterTeam:main Mar 6, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@louisgv louisgv louisgv approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AhmedTMM @louisgv