ci: Fetch version.txt via API in docs alias failure notification #13050
Merged
anthonyshew pushed a commit that referenced this pull request Jun 10, 2026

## Release v2.9.18

> [!CAUTION]
> Versioned docs aliasing FAILED. [View logs](https://github.com/vercel/turborepo/actions/runs/27311683638)

### Changes

- release(turborepo): 2.9.17 (#13047) (`7dd54b7`)
- ci: Fetch version.txt via API in docs alias failure notification (#13050) (`7d361a4`)
- fix: Harden cache archive symlink restore (#13051) (`403a355`)
- chore: Remove web UI mode (#13052) (`8cff6d5`)
- fix: Harden query server file access (#13053) (`2a2bc5c`)
- fix: Confine prune patch paths (#13054) (`7f353ca`)
- fix: Prevent git argument injection in SCM refs (#13055) (`f46f896`)
- fix: Strip special mode bits from cache restore (#13056) (`92e1f8e`)
- fix: Contain incremental cache outputs (#13057) (`16dc881`)
- fix(turborepo): Normalize Windows daemon path hash (#13020) (`24e2d34`)
- fix: Preserve vt100 cell byte counts (#13058) (`34514e2`)
- fix: Separate artifact signature fields (#13059) (`3018717`)
- fix: Validate OidHash hex buffers (#13060) (`da8e348`)
- fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061) (`2a76556`)

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
anthonyshew pushed a commit that referenced this pull request Jun 11, 2026

## Release v2.9.19-canary.1

> [!CAUTION]
> Versioned docs aliasing FAILED. [View logs](https://github.com/vercel/turborepo/actions/runs/27313807565)

### Changes

- release(turborepo): 2.9.17-canary.7 (#13046) (`7981598`)
- fix: Send Ctrl+C to Windows PTY tasks (#13041) (`e62661a`)
- release(turborepo): 2.9.17 (#13047) (`7dd54b7`)
- ci: Fetch version.txt via API in docs alias failure notification (#13050) (`7d361a4`)
- fix: Harden cache archive symlink restore (#13051) (`403a355`)
- chore: Remove web UI mode (#13052) (`8cff6d5`)
- fix: Harden query server file access (#13053) (`2a2bc5c`)
- fix: Confine prune patch paths (#13054) (`7f353ca`)
- fix: Prevent git argument injection in SCM refs (#13055) (`f46f896`)
- fix: Strip special mode bits from cache restore (#13056) (`92e1f8e`)
- fix: Contain incremental cache outputs (#13057) (`16dc881`)
- fix(turborepo): Normalize Windows daemon path hash (#13020) (`24e2d34`)
- fix: Preserve vt100 cell byte counts (#13058) (`34514e2`)
- fix: Separate artifact signature fields (#13059) (`3018717`)
- fix: Validate OidHash hex buffers (#13060) (`da8e348`)
- fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061) (`2a76556`)
- release(turborepo): 2.9.18 (#13062) (`912e7eb`)
- fix: Re-authenticate when stored token loses access to linked team (#13064) (`0afbf1e`)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
govtech42 pushed a commit to mirror81/turborepo that referenced this pull request Jun 24, 2026
## Release v2.10.0

> [!CAUTION]
> Versioned docs aliasing FAILED. [View logs](https://github.com/vercel/turborepo/actions/runs/28111901682)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Why
Security audit (VULN-10701) flagged this workflow for checking out `github.event.workflow_run.head_branch` in a `workflow_run` context. The finding is not exploitable — the triggering "Release" workflow is `workflow_dispatch`-only, so `head_branch` is always a maintainer-created branch — but the checkout is unnecessary surface area. It also has a latent correctness bug: the Release workflow's failure cleanup deletes the staging branch, so by the time this notification workflow runs, the branch it tries to check out may no longer exist.

What

- `actions/checkout` entirely
- `version.txt` via `gh api` (raw content) pinned to `workflow_run.head_sha`, which is immutable and survives branch deletion
- `unknown` fallback; add a fallback for when the API fetch itself fails

How to verify
The fetch logic was tested against the live repo:
End-to-end verification requires a failed Release run; the next docs-alias failure will exercise this path.
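
One way to write the fetch described under "What", as an added example that is not the PR's actual workflow step. The helper names `is_commit_sha` and `fetch_version`, the `REPO`/`HEAD_SHA` variable names, and the assumption that the version sits on the first line of `version.txt` are illustrative, not taken from the repository.

```bash
#!/usr/bin/env bash
# Added example, not the workflow's own step. Assumed inputs, handed to the
# step through its `env:` block rather than interpolated into the script text:
#   REPO      owner/name of the repository
#   HEAD_SHA  github.event.workflow_run.head_sha of the failed Release run
# `gh api` also needs a token in GH_TOKEN with read access to repo contents.

# Accept only a full 40-hex commit id, so the ref names an immutable object
# and nothing else can ride along in the API path.
is_commit_sha() {
  case "$1" in
    *[!0123456789abcdef]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Print the version recorded at that commit, or "unknown" on any failure:
# bad ref, API error (network, permissions, missing file), or odd content.
fetch_version() {
  repo=$1 sha=$2
  if ! is_commit_sha "$sha"; then
    echo unknown
    return 0
  fi
  # The raw media type returns the file body instead of base64 inside JSON.
  if ! body=$(gh api -H "Accept: application/vnd.github.raw+json" \
        "repos/${repo}/contents/version.txt?ref=${sha}" 2>/dev/null); then
    echo unknown
    return 0
  fi
  # Assumption: the first line holds the version string.
  version=$(printf '%s\n' "$body" | head -n 1 | tr -d '\r')
  # The value is placed in a notification, so keep it to version-like characters.
  case "$version" in
    ''|*[!0-9A-Za-z.+-]*) echo unknown ;;
    *) echo "$version" ;;
  esac
}

# In the workflow step: VERSION=$(fetch_version "$REPO" "$HEAD_SHA")
```

Because the ref is a commit SHA rather than a branch name, the lookup still resolves after the Release workflow's cleanup has deleted the staging branch, and no repository content is checked out onto the runner.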