v2.78.1: npm postinstall no longer hits GitHub rate limits

@BartWaardenburg BartWaardenburg released this 22 May 17:06
· 526 commits to main since this release
v2.78.1
7f89de4

Patch release

Fixed

  • npm install fallow postinstall no longer fails on shared-IP CI runners with digest-unavailable. The postinstall verifier previously fetched each platform binary's expected SHA-256 from the unauthenticated GitHub release API. Pooled CI IPs (Buildkite, GitHub Actions shared runners, internal build clusters) routinely exceeded GitHub's 60 req/hr unauthenticated limit, and pnpm install --frozen-lockfile aborted with fallow: binary verification failed ... (digest-unavailable): GitHub release API returned HTTP 403: API rate limit exceeded. The release workflow's npm-prep job now computes the SHA-256 of every binary inside each @fallow-cli/<platform> package and writes it into the platform package's package.json under fallowDigests. verify-binary.js reads that embedded value first and only falls back to the GitHub API for older platform packages that lack the field, so steady-state installs perform zero network calls during digest verification. The Ed25519 signature layer and the FALLOW_SKIP_BINARY_VERIFY escape hatch are unchanged. (Closes #597. Thanks @drgnkpr for the report.)

  • Windows clippy on main is green again. Replaced an unfulfilled #[expect(dead_code)] annotation on ScopedChild::id with #[allow]. The function is pub inside a pub mod, so rustc never flags it as dead under -D warnings, and the previous expect annotation broke ci.yml's Windows leg. No user-visible behavior change.

Upgrade

npm install -g fallow@2.78.1

Full Changelog: v2.78.0...v2.78.1