feat: ARM tarball builds + arch-aware download #2248

Merged
louisgv merged 2 commits into OpenRouterTeam:main from AhmedTMM:feat/arm-tarball-builds
Mar 6, 2026

@AhmedTMM (Collaborator) commented Mar 6, 2026

Summary

  • Add ARM64 build matrix entries for native binary agents (zeroclaw, opencode, hermes, claude) in the agent-tarballs workflow
  • Update agent-tarball.ts to detect remote VM arch via uname -m and download the correct tarball
  • Change release strategy from delete-recreate to create-if-not-exists + per-arch upload (supports multiple arch assets per tag)
  • Document ARM build requirements in discovery.md for future agents

Test plan

  • Verify workflow runs on both ubuntu-latest (x86_64) and ubuntu-24.04-arm (arm64)
  • Verify both arch tarballs upload to the same release tag
  • Verify agent-tarball.ts selects correct URL based on remote VM uname -m
  • bunx @biomejs/biome check src/ passes
  • bun test passes (1415 tests)

🤖 Generated with Claude Code

AhmedTMM and others added 2 commits March 6, 2026 13:44
- Add ARM64 matrix entries for native binary agents (zeroclaw, opencode,
  hermes, claude) in agent-tarballs.yml workflow
- Update agent-tarball.ts to detect remote VM arch via uname -m and
  download the correct tarball (x86_64 or arm64)
- Change release strategy to support multiple arch assets per tag
- Document ARM build requirements in discovery.md for future agents
- Bump CLI version to 0.15.2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

On AWS Lightsail, SSH connects as 'ubuntu' (not root), but tarballs
extract to /root/. Without sudo, tar fails with "Permission denied".
Conditionally use sudo when not running as root (id -u != 0).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@louisgv (Member) left a comment

Security Review

Verdict: APPROVED
Commit: adc2658

Findings

[LOW] .github/workflows/agent-tarballs.yml:166-169 — Unquoted pipe to grep/while loop

  • The grep pattern spawn-agent-${AGENT_NAME}-${ARCH}- is not anchored and could match unexpected filenames
  • The while read loop processes untrusted release asset names from GitHub API
  • Mitigation: Asset names are already filtered by gh release view --json assets --jq ".assets[].name", limiting exposure. The delete-asset command uses the exact name string without shell expansion.
  • Impact: Negligible — GitHub asset names are constrained by GitHub's API validation

[PASS] packages/cli/src/shared/agent-tarball.ts:74-77 — URL validation

  • Strong regex validation prevents shell injection
  • Both x86 and ARM URLs validated independently
  • Blocks dangerous shell metacharacters

[PASS] packages/cli/src/shared/agent-tarball.ts:85-95 — Conditional sudo and arch detection

  • Safe variable expansion and arch detection
  • URLs properly single-quoted in conditional branches
  • Double-quoted expansion only for validated variables

[PASS] .github/workflows/agent-tarballs.yml:42 — Dynamic runner selection

  • Safe GitHub Actions matrix conditional

Tests

  • bash -n: N/A (workflow YAML, TypeScript)
  • bun test: PASS (679 pass, pre-existing failures unrelated)
  • Lint: PASS (0 errors)
  • curl|bash safety: OK — URL validation prevents injection
  • macOS compat: N/A (TypeScript only)

Architecture Review

The PR safely implements ARM support for agent tarballs:

  1. Build matrix extension — Adds arm64 builds for native-binary agents while keeping npm-based agents x86_64-only
  2. Arch-aware download — Remote VM detects uname -m and selects appropriate tarball URL
  3. Rolling release strategy — Multiple arch builds upload to same release tag with per-arch cleanup
  4. Backward compatibility — Falls back to x86_64 if only one arch available

No critical or high-severity issues found. Code follows project security standards.


-- security/pr-reviewer
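
The [LOW] finding above concerns an unanchored grep over release asset names. The following added example, which is not the project's workflow code, contrasts an unanchored regex match on spawn-agent-${AGENT_NAME}-${ARCH}- with an anchored literal prefix match. The function names, the allowed character set for agent names, and the sample asset names are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the project's workflow code.

# Constructed sample asset names (not real release data).
sample_assets() {
  cat <<'EOF'
spawn-agent-claude-arm64-20260306.tar.gz
spawn-agent-claude-x86_64-20260306.tar.gz
old-spawn-agent-claude-arm64-20260101.tar.gz
spawn-agent-zeroclaw-arm64-20260306.tar.gz
EOF
}

# Unanchored regex match as described in the finding.
# $1 = agent name, $2 = arch; asset names are read from stdin.
# The pattern matches anywhere in the name, and regex metacharacters
# inside $1 or $2 stay live.
match_unanchored() {
  grep -- "spawn-agent-$1-$2-" || true
}

# Anchored literal match: validate both inputs, then compare each name's
# prefix as a fixed string. Names are only printed, never evaluated.
# Returns 2 when the agent name or arch is not acceptable.
match_anchored() {
  case $1 in ''|*[!a-z0-9]*) return 2 ;; esac     # assumed agent-name charset
  case $2 in x86_64|arm64) ;; *) return 2 ;; esac  # the two arches on the page
  _prefix="spawn-agent-$1-$2-"
  while IFS= read -r _name; do
    case $_name in
      "$_prefix"*) printf '%s\n' "$_name" ;;       # quoted prefix is literal
    esac
  done
}

# Demo: the unanchored form also selects the "old-" asset.
echo "unanchored:"; sample_assets | match_unanchored claude arm64
echo "anchored:";   sample_assets | match_anchored claude arm64
```

The same anchoring can be kept in a grep-based pipeline by using a fixed-string match plus an explicit start-of-name check, as long as the agent and arch values are validated before they reach the pattern.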

@louisgv louisgv merged commit 141254c into OpenRouterTeam:main Mar 6, 2026
5 checks passed
@AhmedTMM AhmedTMM deleted the feat/arm-tarball-builds branch April 7, 2026 00:40