Skip to content

ci: fix L4 vm-e2e under Homebrew tap-trust + stale OMZ hash#130

Merged
fullstackjam merged 3 commits into
mainfrom
ci/l4-homebrew-tap-trust
Jun 22, 2026
Merged

ci: fix L4 vm-e2e under Homebrew tap-trust + stale OMZ hash#130
fullstackjam merged 3 commits into
mainfrom
ci/l4-homebrew-tap-trust

Conversation

@fullstackjam

@fullstackjam fullstackjam commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

Gets the L4 vm-e2e suite (vm-e2e-spike.yml) green again and fixes a real user-facing break it surfaced: openboot install --shell install aborting on a stale Oh-My-Zsh hash.

Why?

L4 had two unrelated failures, neither caused by recent feature work (#129):

  1. Homebrew tap-trust enforcement. Recent Homebrew refuses to load formulae/casks from untrusted third-party taps. This broke TestVM_Interactive_InstallScript (installs from openbootdotdev/tap) and the macos-14 runner ships aws/tap, azure/bicep, hashicorp/tap pre-tapped and untrusted. Fixed by trusting pre-existing taps in the workflow and openbootdotdev/tap in the install helper. (CI/test-only.)

  2. Stale pinned Oh-My-Zsh installer hash. InstallOhMyZsh fetched the installer from the ohmyzsh master branch but verified it against a hash pinned 2026-04-19. Upstream rewrote tools/install.sh on 2026-06-15, so every openboot install --shell install now aborts with "hash mismatch: download may be compromised". Fixed by pinning the URL to an immutable commit (96ea1708) and refreshing the hash — pinning URL+hash to the same commit stops a future upstream edit from silently breaking the installer again. (Real production fix.)

The edge test also now logs the dev-binary output on failure (it previously discarded it, making the fast exit impossible to diagnose).

Testing

  • go vet ./... passes
  • Relevant tests added or updated (shell unit tests green; edge test instrumented)
  • L4 vm-e2e dispatched on this branch — all 11 TestVM_ pass* (run 27956783712), including the two previously red (Edge_ShellActuallyWorks, FullSetupConfiguresEverything)
  • New OMZ hash verified independently (own fetch of pinned commit → 4534045f…77bb)

Cross-repo checklist

  • Does this need a docs/content update in openboot.dev? — No.
  • Does this change the CLI ↔ server API contract? — No.

Notes for reviewer

  • Touches .github/workflows/vm-e2e-spike.yml but only adds a setup step to a non-required workflow — no branch-protection / required-check changes, so no GitHub UI action needed.
  • Two logically separate commits: ci: (tap-trust, test-only) and fix: (OMZ pin, production).
  • The OMZ master→commit pin is a behaviour change: users now get the installer from a fixed verified commit rather than latest master. This is intentional — it makes the supply-chain hash check coherent.

@fullstackjam
ci: make L4 vm-e2e robust to Homebrew tap-trust enforcement
a7601f0 
Recent Homebrew refuses to load formulae/casks from untrusted third-party
taps ('Refusing to load formula ... from untrusted tap'). This broke the
L4 suite two ways on the macos-14 runner:

- TestVM_Interactive_InstallScript: 'brew install openboot' from the
  openbootdotdev/tap tap is refused.
- The runner ships aws/tap, azure/bicep and hashicorp/tap pre-tapped and
  untrusted, so brew operations the suite drives emit trust errors.

Trust all pre-existing taps in the workflow and trust openbootdotdev/tap
in the install helper. Also log the install output in
TestVM_Edge_ShellActuallyWorks on failure — it previously discarded the
dev-binary output, making its fast exit impossible to diagnose.
@fullstackjam
fix(shell): pin Oh-My-Zsh installer to immutable commit, refresh stal…
4c73aa7 
…e hash

InstallOhMyZsh fetched the installer from the ohmyzsh master branch but
verified it against a hash pinned on 2026-04-19. Upstream rewrote
tools/install.sh on 2026-06-15, so every 'openboot install --shell install'
now aborts with 'hash mismatch: download may be compromised' — a real
user-facing break, not just a test failure.

Pin the URL to commit 96ea17080a7addd1cd8b6253422776bc237fc6b1 and refresh
the hash to that commit's script (verified independently:
4534045f...77bb). Pinning URL + hash to the same immutable commit keeps
them consistent so a future upstream edit can't silently break the
installer again.
@github-actions github-actions Bot added tests Tests only ci CI/CD changes labels Jun 22, 2026
@fullstackjam
chore(archtest): rebaseline no-direct-exec after shell.go comment shift
dee4287 
The OMZ pin comment added 6 lines, shifting the pre-existing exec.Command
in InstallOhMyZsh from line 178 to 184. Same call, no new violation.
@fullstackjam fullstackjam merged commit 6caebf4 into main Jun 22, 2026
12 checks passed
@fullstackjam fullstackjam deleted the ci/l4-homebrew-tap-trust branch June 22, 2026 13:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ci CI/CD changes tests Tests only

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fullstackjam