Fix signed macOS release promotion follow-up jobs#22788
Merged
Conversation
shijie-oai
changed the title
shijie-oai
changed the title
shijie-oai
commented
May 15, 2026
Comment on lines
+1218
to
+1223
| for dotslash_asset_name in "${dotslash_asset_names[@]}"; do | ||
| if [[ "$asset_name" == "$dotslash_asset_name" ]]; then | ||
| delete_asset=true | ||
| break | ||
| fi | ||
| done |
Collaborator
Author
There was a problem hiding this comment.
For now maps to codex, codex-app-server, codex-responses-api-proxy, bwrap, codex-command-runner, codex-windows-sandbox-setup, codex-zsh, argument-comment-lint but moved away from hardcoding to better support future expansion.
shijie-oai
commented
May 15, 2026
Comment on lines
+1281
to
+1286
| # promote_signed intentionally skips build jobs that are ancestors of release; | ||
| # include the always() status function so Actions does not apply its implicit | ||
| # success() check to the whole dependency chain before evaluating release outputs. | ||
| if: >- | ||
| ${{ | ||
| always() && |
Collaborator
Author
There was a problem hiding this comment.
I think Codex is right - I am not expert in GHA and he said did make sense. Debated between !cancled vs sucess but success sounds less sketchy...
shijie-oai
commented
May 15, 2026
Comment on lines
-1226
to
-1233
| - if: ${{ env.SIGN_MACOS == 'false' }} | ||
| uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| with: | ||
| tag: ${{ github.ref_name }} | ||
| config: .github/dotslash-unsigned-config.json | ||
|
|
Collaborator
Author
There was a problem hiding this comment.
ya no need to publish unsigned dotslash anymore.
bolinfest
reviewed
May 15, 2026
| # success() check to the whole dependency chain before evaluating release outputs. | ||
| if: >- | ||
| ${{ | ||
| always() && |
Collaborator
There was a problem hiding this comment.
Suggested change
| always() && | |
| !cancelled() && |
bolinfest
reviewed
May 15, 2026
| if: ${{ needs.release.outputs.should_publish_python_runtime == 'true' }} | ||
| if: >- | ||
| ${{ | ||
| always() && |
Collaborator
There was a problem hiding this comment.
Suggested change
| always() && | |
| !cancelled() && |
bolinfest
reviewed
May 15, 2026
| if: ${{ needs.release.outputs.sign_macos == 'true' && !contains(needs.release.outputs.version, '-') }} | ||
| if: >- | ||
| ${{ | ||
| always() && |
Collaborator
There was a problem hiding this comment.
Suggested change
| always() && | |
| !cancelled() && |
bolinfest
reviewed
May 15, 2026
| if: ${{ needs.release.outputs.sign_macos == 'true' }} | ||
| if: >- | ||
| ${{ | ||
| always() && |
Collaborator
There was a problem hiding this comment.
Suggested change
| always() && | |
| !cancelled() && |
bolinfest
approved these changes
May 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The
release_mode=promote_signedpath intentionally skips the build jobs after signed macOS artifacts are staged, then runs thereleasejob from the signed handoff. In therust-v0.131.0-alpha.19promotion run,releasesucceeded but the npm, PyPI, andlatest-alpha-clifollow-up jobs were skipped because their custom jobif:expressions let GitHub Actions apply the implicitsuccess()status check before readingneeds.release.outputs.*.The unsigned build handoff does not need DotSlash manifests. Publishing unsigned DotSlash manifests creates release assets that can conflict with the later signed promotion, especially shared outputs such as
bwrap,codex-command-runner, andcodex-windows-sandbox-setup.What Changed
SIGN_MACOS == 'false'..github/dotslash-unsigned-config.json.!cancelled()status function plus an explicitneeds.release.result == 'success'check before consulting release outputs.latest-alpha-cli.Verification
rg -n "dotslash-unsigned-config|SIGN_MACOS == 'false'.*dotslash|unsigned-config" .github/workflows/rust-release.yml .github || truegit diff --check -- .github/workflows/rust-release.yml .github/dotslash-unsigned-config.json