chore: re-release Command Line SDK 21.0.0

[ChiragAgg5k]

Re-releasing Command Line SDK 21.0.0 since the previous release pipeline failed. No version bump or changelog changes — same 21.0.0 release with regenerated SDK content from upstream specs.

Regenerated using:

• appwrite/sdk-generator 1.29.3
• Specs from https://github.com/appwrite/specs/tree/main/specs/1.9.x

Notable diffs vs current dev

• Added .npmrc with min-release-age=7
• bunfig.toml: added [install] minimumReleaseAge = 604800 (7d)
• lib/config.ts: minor refactor — removed usePath helper, made path writable directly

[greptile-apps]

Greptile Summary

This PR updates the Appwrite CLI SDK to version 21.0.0, hardening the GitHub Actions supply chain by pinning all action references to specific commit SHAs, adding minimum release age guards for both npm and Bun, and simplifying the Config class by removing a readonly cast workaround.

• CI/publish workflows: All uses: references replaced with pinned commit SHAs; min-release-age=7 added to .npmrc and bunfig.toml to guard against freshly-published malicious packages.
• Windows signing verification (publish.yml): The hard-failure on signature check errors is replaced with a ::warning::, allowing the release pipeline to complete and publish unsigned Windows binaries when signing is unavailable.
• lib/config.ts: Config.path changed from readonly to mutable, eliminating the usePath() cast workaround at the cost of allowing external mutation of the field.

Confidence Score: 3/5

The publish pipeline can now ship unsigned Windows binaries to all distribution channels without the release job failing — this warrants a second look before merging.

The supply-chain hardening additions (SHA-pinned actions, minimum release age) are solid improvements. However, the Windows signature verification step now exits 0 even when osslsigncode reports failure — meaning a release triggered while signing infrastructure is unavailable will push unsigned .exe files to npm, GitHub Releases, and the Homebrew tap without any pipeline gate. The inline comment suggests this is intentional and temporary, but there is no automated tripwire to re-enable the check once signing is ready.

publish.yml — specifically the Verify Windows signatures step and the overall publish gate around unsigned binaries.

Security Review

• Unsigned binary distribution (publish.yml lines 107\u2013113): Windows code signature verification is downgraded from a hard pipeline failure to a ::warning::. This allows the publish job to complete and distribute unsigned .exe artifacts to all distribution channels (npm, GitHub Releases, Homebrew tap) when signing fails, removing an Authenticode integrity guarantee that end-users may depend on.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	GitHub Actions pinned from floating version tags to specific commit SHAs — good supply-chain hardening with no functional changes.
.github/workflows/publish.yml	Actions pinned to commit SHAs (good), but Windows signature verification is downgraded to a warning — unsigned binaries can now be published without blocking the release pipeline.
.npmrc	Adds min-release-age=7 (days) supply-chain guard for npm; valid with npm ≥ 11.10.0 which is explicitly pinned in the publish workflow.
bunfig.toml	Adds minimumReleaseAge = 604800 (7 days in seconds) to Bun's install config — mirrors the npm .npmrc setting consistently.
lib/config.ts	Removes readonly from Config.path and the usePath() cast workaround; simplifies the code but leaves the field publicly mutable where it was previously read-only from outside the class.

_{Reviews (1): Last reviewed commit: "chore: update Command Line SDK to 21.0.0" | Re-trigger Greptile}

[greptile-apps]

Signature verification failure now silently permits unsigned releases

The verification step previously exited non-zero when a signature check failed, blocking the publish job. With the new code, any failure only emits a ::warning:: and the step exits 0 — so a release can proceed and reach npm/GitHub Releases/Homebrew with unsigned (or malformed-signature) Windows binaries. If the Windows signing infrastructure is not yet ready, the safer option is to gate publishing on signing being available rather than silently shipping unsigned artifacts to end users who may be relying on Authenticode trust for security decisions.

[greptile-apps]

path is now publicly mutable

Removing readonly allows any caller holding a Config instance to silently overwrite path at any time (e.g., localConfig.path = '/tmp/evil'). The usePath() cast workaround was intentional to keep the field immutable from the outside while still allowing controlled internal updates. If the goal is to allow the useCwdConfig method (within the same class) to reassign the field, keeping readonly and using the existing cast (or making the field protected with a public getter) preserves the external immutability contract without the ugly workaround.