feat(attest): Windows support — fetch zip from cimon-releases, ncc 0.38 upgrade#118
Merged
The v0 maintenance branch needs CI gating for backports like the node24 bump (#116). Without this, PRs into release/v0 silently skip the verify suite. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Backport of #115 to the v0 line. GitHub forces Node 24 on runners June 2 and removes Node 20 support September 16, after which the action would fail to start on Node-20-pinned runtimes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When process.platform is win32 the action now fetches the cimon_windows_x86_64.zip release asset from cycodelabs/cimon-releases (rather than the Linux-only install.sh), extracts it to RUNNER_TEMP/cimon, and invokes the resulting cimon.exe. Linux path is unchanged. Adds @actions/tool-cache and @actions/http-client deps for cross-platform download + zip extraction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codex Review (automated): Here are some automated review suggestions for this pull request. Reviewed commit: 9af4492c56
The Windows path called https://api.github.com/repos/cycodelabs/cimon-releases/releases/latest unauthenticated, which uses GitHub's per-IP REST limit (60 req/h). Busy self-hosted runner fleets behind one egress IP can blow through that and fail before cimon.exe is downloaded. The action already accepts github-token (defaults to github.token); plumb it through to the latest-release lookup as Bearer auth and pass it to tc.downloadTool so private mirrors work too. Warn if no token is present. Reported by review on PR #118.
PR author:
Addressed the unauthenticated latest-release lookup in 19b0797:
Demo re-pinned to the new SHA and re-run is in flight; will reply with the green link.
PR author:
Green: https://github.com/CycodeLabsDemo/cimon-demo-simple-app/actions/runs/25846998945 — Cimon attest + verify both pass on
RoniCycode approved these changes on May 14, 2026.
ronens88 added a commit that referenced this pull request on May 16, 2026:
#118 already shipped the cross-platform install path (release-zip from cycodelabs/cimon-releases, ncc 0.38 upgrade), so this branch's earlier install.ps1-based implementation is dropped. The remaining pieces from this PR that #118 didn't cover are kept here:

1. Per-job install dir + wipe-before-install ($RUNNER_TEMP/cimon-<run_id>-<run_attempt>-<job>/). Closes the silent-reuse hole where a malicious earlier step on a self-hosted runner with persistent $RUNNER_TEMP could plant cimon[.exe] or install.sh at the action's expected path and the action would execute it without re-downloading. Applied uniformly to the Linux install.sh path and the Windows release-zip path.

2. Hardened build-attest-dist.yaml
   - npm ci --ignore-scripts so a PR adding a malicious dependency can't run a postinstall hook under contents:write before the auto-commit lands.
   - The auto-commit step refuses to commit unless the only changed file is exactly attest/dist/index.js; anything else fails the workflow loudly instead of silently landing under github-actions[bot].

3. verify-attest-windows CI job in verify-pr.yaml. Exercises ./attest end-to-end on windows-latest with keyed signing. No longer gated by continue-on-error: the comment about install.ps1 missing from S3 is obsolete now that #118 fetches cimon_windows_x86_64.zip directly from the GitHub release.

4. attest/README.md: cross-platform quickstart, GHES support notes, signing-path guidance for air-gapped / data-residency customers.

5. attest/action.yml: name + description disambiguated from the top-level hardening action ("Cimon by Cycode (Attest)" + cross-platform mention).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ronens88 added a commit that referenced this pull request on May 16, 2026:
#118 already shipped the cross-platform install path (release-zip from cycodelabs/cimon-releases, ncc 0.38 upgrade), so this branch's earlier install.ps1-based implementation is dropped. The remaining pieces from this PR that #118 didn't cover are kept here:

1. Per-job install dir + wipe-before-install ($RUNNER_TEMP/cimon-<run_id>-<run_attempt>-<job>/). Closes the silent-reuse hole where a malicious earlier step on a self-hosted runner with persistent $RUNNER_TEMP could plant cimon[.exe] or install.sh at the action's expected path and the action would execute it without re-downloading. Applied uniformly to the Linux install.sh path and the Windows release-zip path.

2. Hardened build-attest-dist.yaml
   - npm ci --ignore-scripts so a PR adding a malicious dependency can't run a postinstall hook under contents:write before the auto-commit lands.
   - Single-file commit guard: the step refuses to act unless the only changed file is exactly attest/dist/index.js. Anything else fails the workflow loudly instead of silently landing under github-actions[bot].
   - Fork-safe checkout: pin to pull_request.head.sha and set repository to pull_request.head.repo.full_name. Without these, actions/checkout would try to resolve github.head_ref in the base repo, which does not contain the fork's branch, and the rebuild job would fail before it could run at all.
   - Auto-commit gated to same-repo PRs. On fork PRs the base-repo GITHUB_TOKEN is read-only and cannot push to the fork anyway, so the step fails with a clear rebuild-locally instruction instead of attempting a 403ing push.

3. verify-attest-windows CI job in verify-pr.yaml. Exercises ./attest end-to-end on windows-latest with keyed signing. No longer gated by continue-on-error: the comment about install.ps1 missing from S3 is obsolete now that #118 fetches cimon_windows_x86_64.zip directly from the GitHub release.

4. attest/README.md: cross-platform quickstart, GHES support notes, signing-path guidance for air-gapped / data-residency customers.

5. attest/action.yml: name + description disambiguated from the top-level hardening action ("Cimon by Cycode (Attest)" + cross-platform mention).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ronens88 added a commit that referenced this pull request on May 17, 2026:
#118 already shipped the cross-platform install path (release-zip from cycodelabs/cimon-releases, ncc 0.38 upgrade), so this branch's earlier install.ps1-based implementation is dropped. The remaining pieces from this PR that #118 didn't cover are kept here:

1. Per-job install dir + wipe-before-install ($RUNNER_TEMP/cimon-<run_id>-<run_attempt>-<job>/). Closes the silent-reuse hole where a malicious earlier step on a self-hosted runner with persistent $RUNNER_TEMP could plant cimon[.exe] or install.sh at the action's expected path and the action would execute it without re-downloading. Applied uniformly to the Linux install.sh path and the Windows release-zip path.

2. Hardened build-attest-dist.yaml
   - npm ci --ignore-scripts so a PR adding a malicious dependency can't run a postinstall hook under contents:write before the auto-commit lands.
   - Single-file commit guard: the step refuses to act unless the only changed file is exactly attest/dist/index.js. Anything else fails the workflow loudly instead of silently landing under github-actions[bot].
   - Fork-safe checkout: pin to pull_request.head.sha and set repository to pull_request.head.repo.full_name. Without these, actions/checkout would try to resolve github.head_ref in the base repo, which does not contain the fork's branch, and the rebuild job would fail before it could run at all.
   - Auto-commit gated to same-repo PRs. On fork PRs the base-repo GITHUB_TOKEN is read-only and cannot push to the fork anyway, so the step fails with a clear rebuild-locally instruction instead of attempting a 403ing push.

3. verify-attest-windows CI job in verify-pr.yaml. Exercises ./attest end-to-end on windows-latest with keyed signing. No longer gated by continue-on-error: the comment about install.ps1 missing from S3 is obsolete now that #118 fetches cimon_windows_x86_64.zip directly from the GitHub release.

4. attest/README.md: cross-platform quickstart, GHES support notes, signing-path guidance for air-gapped / data-residency customers.

5. attest/action.yml: name + description disambiguated from the top-level hardening action ("Cimon by Cycode (Attest)" + cross-platform mention).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Adds Windows support to `cimon-action/attest` so customers can call the action from a `windows-latest` (or self-hosted Windows) runner. On Windows the action now:

- `cycodelabs/cimon-releases` GitHub API,
- `cimon_windows_x86_64.zip` directly from that release (the public release asset, no S3 dependency),
- `$RUNNER_TEMP/cimon/`,
- `cimon.exe` instead of `cimon`.

Linux path is unchanged (still goes through `install.sh` on S3).

Also upgrades `@vercel/ncc` from 0.34.0 → 0.38.4. The old bundler emitted `require()` calls inside an ESM bundle, which Node 24 (runtime per the action.yml) rejects with `ERR_AMBIGUOUS_MODULE_SYNTAX`. ncc 0.38 uses `createRequire` from `node:module` instead.

Coordination with #114

#114 (DRAFT, `feature/windows-ghes-attestation`) is the same scope with more security hardening (per-job tmpdir isolation, install.ps1 from S3 with a unique subdirectory, README updates, CI workflow). However, install.ps1 is not yet published to S3 (https://cimon-releases.s3.amazonaws.com/install.ps1 returns 403), so #114 can't actually run end-to-end today. This PR is a smaller, working alternative that downloads the release zip directly. Once install.ps1 is published, the two approaches should be merged — happy to rebase onto #114's branch if preferred.

Test

End-to-end verified on a real `windows-latest` run via `cimon-demo-simple-app`:
The demo workflow uses `cycodelabs/cimon-action/attest@<this branch's SHA>` and pin-down comments to switch back to `@v1` once this lands.

Files

- `attest/index.js` — adds `installCimonWindows()`, gates by `process.platform`.
- `attest/package.json` / `package-lock.json` — adds `@actions/http-client` + `@actions/tool-cache`; upgrades `@vercel/ncc`.
- `attest/dist/index.js` — regenerated from source.

🤖 Generated with Claude Code