ci: fix L4 vm-e2e under Homebrew tap-trust + stale OMZ hash

.github/workflows/vm-e2e-spike.yml

@@ -20,6 +20,17 @@ jobs:
       - name: Build binary
         run: make build
 
+      # GitHub's macos-14 image ships with third-party taps (aws/tap,
+      # azure/bicep, hashicorp/tap) pre-installed. Recent Homebrew refuses
+      # to load formulae/casks from untrusted taps, which breaks `brew`
+      # operations the L4 suite drives. Trust everything already tapped so
+      # the runner behaves like a normal dev machine.
+      - name: Trust pre-existing Homebrew taps
+        run: |
+          brew tap | while read -r t; do
+            [ -n "$t" ] && brew trust "$t" 2>/dev/null || true
+          done
+
       - name: Run L4 vm tests
         run: |
           go test -v -timeout 55m -tags="e2e,vm" \

internal/archtest/baseline/no-direct-exec.txt

@@ -14,7 +14,7 @@ internal/dotfiles/dotfiles.go:449
 internal/installer/step_system.go:132
 internal/npm/npm.go:22
 internal/permissions/screen_recording_cgo.go:21
-internal/shell/shell.go:178
+internal/shell/shell.go:184
 internal/updater/updater.go:205
 internal/updater/updater.go:212
 internal/updater/updater.go:219

internal/shell/shell.go

@@ -20,15 +20,21 @@ import (
 	"github.com/openbootdotdev/openboot/internal/ui"
 )
 
-// knownOMZInstallHash is the SHA256 of the Oh-My-Zsh install script pinned on
-// 2026-04-19 (ohmyzsh/ohmyzsh master, commit circa that date). Update this
-// constant whenever the installer script changes upstream.
-const knownOMZInstallHash = "21043aec5b791ce4835479dc33ba2f92155946aeafd54604a8c83522627cc803"
+// knownOMZInstallHash is the SHA256 of the Oh-My-Zsh install script that
+// omzInstallURL points at. Both are pinned to ohmyzsh/ohmyzsh commit
+// 96ea17080a7addd1cd8b6253422776bc237fc6b1 (2026-06-15). Pinning to an
+// immutable commit (rather than a moving branch like master) keeps the URL
+// and this hash consistent — otherwise any upstream edit to the script
+// invalidates the hash and breaks `openboot install --shell install`.
+// To bump: pick a newer commit, update the URL below, and set this to the
+// SHA256 of that commit's tools/install.sh.
+const knownOMZInstallHash = "4534045f4d983abd9716cd2f515bbe3c2b31ba5b8fd1fef147838778427477bb"
 
 const omzInstallTimeout = 10 * time.Minute
 
-// omzInstallURL is a var so tests can redirect it without a real server.
-var omzInstallURL = "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh"
+// omzInstallURL is pinned to an immutable commit (see knownOMZInstallHash).
+// It is a var so tests can redirect it without a real server.
+var omzInstallURL = "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/96ea17080a7addd1cd8b6253422776bc237fc6b1/tools/install.sh"
 
 // omzHTTPClient is a var so tests can inject a mock transport.
 var omzHTTPClient = &http.Client{Timeout: 30 * time.Second}

test/e2e/vm_edge_cases_test.go

@@ -36,8 +36,8 @@ func TestVM_Edge_ShellActuallyWorks(t *testing.T) {
 	bin := vmCopyDevBinary(t, vm)
 
 	// Install with shell setup
-	_, err := vmRunDevBinaryWithGit(t, vm, bin, "install --preset minimal --silent --shell install --dotfiles skip --macos skip")
-	require.NoError(t, err)
+	out, err := vmRunDevBinaryWithGit(t, vm, bin, "install --preset minimal --silent --shell install --dotfiles skip --macos skip")
+	require.NoError(t, err, "install failed, output:\n%s", out)
 
 	t.Run("zsh_login_shell_starts", func(t *testing.T) {
 		// Run a command through a login zsh — this sources .zshrc

test/e2e/vm_helpers_test.go

@@ -25,6 +25,8 @@ func vmInstallViaBrew(t *testing.T, vm *testutil.MacHost) string {
 	script := strings.Join([]string{
 		fmt.Sprintf("export PATH=%q", brewPath),
 		"brew tap openbootdotdev/tap 2>/dev/null || true",
+		// Recent Homebrew refuses to install from untrusted third-party taps.
+		"brew trust openbootdotdev/tap 2>/dev/null || true",
 		"brew install openboot",
 	}, " && ")