Skip to content

Harden ephemeral Sparkle release signing#106

Merged
jmcte merged 1 commit into
mainfrom
codex/sparkle-ephemeral-release
Jul 13, 2026
Merged

Harden ephemeral Sparkle release signing#106
jmcte merged 1 commit into
mainfrom
codex/sparkle-ephemeral-release

Conversation

@jmcte

@jmcte jmcte commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Require the sparkle-release capability on APW’s self-hosted macOS release job.
  • Require the Sparkle EdDSA private key at release time and stream it to generate_appcast instead of relying on a non-persistent VM Keychain.
  • Document the ephemeral-runner security boundary and teach Actionlint the fleet’s custom labels.

Governing Issue

Refs #43

Depends on OMT-Global/github-runner-fleet#179, which provisions the matching Lume base-VM capability.

Validation

  • bash -n scripts/prepare-sparkle-appcast.sh
  • bash -n scripts/test-prepare-sparkle-appcast.sh
  • scripts/test-prepare-sparkle-appcast.sh
  • scripts/ci/validate-appcast-contract.sh
  • actionlint -ignore 'shellcheck reported issue' .github/workflows/release.yml
  • bash scripts/ci/run-fast-checks.sh

Bootstrap Governance

  • Changes are scoped to the linked release and hardware-verification work.
  • No real secrets, runtime auth, or machine-local env files are committed.
  • The private Sparkle key is supplied only as APW_SPARKLE_PRIVATE_ED_KEY at release runtime and is never passed on a command line.

Risk and rollout

  • Requires fleet PR #179 to be merged and the Lume base VM to be rebuilt before this label can schedule.
  • Requires the organization runner group to grant OMT-Global/apw-cli access.
  • Requires creating and storing the new APW_SPARKLE_PRIVATE_ED_KEY release secret and setting APW_SPARKLE_PUBLIC_ED_KEY plus SPARKLE_GENERATE_APPCAST after fleet rollout.

Merge Automation

  • Enable auto-merge once the dependent fleet capability, required checks, and review are satisfied.

Require the Sparkle-capable Lume runner label and pass the release-time EdDSA key only over standard input. Refs #43.
@jmcte jmcte enabled auto-merge (squash) July 13, 2026 07:13

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. I verified the PR at head f3b733c4c6eb6e0d9d79d6842b976373b79a864e in the Athena worker worktree.

The release workflow now requires the sparkle-release runner capability, fails closed on tagged releases unless APW_SPARKLE_PUBLIC_ED_KEY, SPARKLE_GENERATE_APPCAST, and APW_SPARKLE_PRIVATE_ED_KEY are present, and the appcast helper streams the private EdDSA key to generate_appcast --ed-key-file - rather than placing key material on the command line. The regression coverage checks the missing-secret failure path, signed release notes enforcement, critical-update Security-section enforcement, and the appcast contract entries for the new secret and runner label.

Validation run: bash -n scripts/prepare-sparkle-appcast.sh, bash -n scripts/test-prepare-sparkle-appcast.sh, scripts/test-prepare-sparkle-appcast.sh, scripts/ci/validate-appcast-contract.sh, and git diff --check origin/main...HEAD. Local actionlint was not installed on the worker, but the live PR check rollup is green and auto-merge is already enabled. No code blockers found; the remaining dependency is the documented fleet/secret rollout.

@jmcte jmcte merged commit f56ef52 into main Jul 13, 2026
8 checks passed
@jmcte jmcte deleted the codex/sparkle-ephemeral-release branch July 13, 2026 07:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants