From 4a698c6b10e229fd80b70bff1cee2f018a643ef1 Mon Sep 17 00:00:00 2001
From: Eric Fitzgerald
Date: Wed, 1 Jul 2026 10:46:23 -0400
Subject: [PATCH] ci(security): pin vacuum to v0.29.7 in the OpenAPI validation job
The `install_vacuum.sh` bootstrap auto-detects the latest release; when that detection hiccups it builds a download URL with an empty version (.../download/v/vacuum_linux_x86_64_.tar.gz) and 404s, flaking the required OpenAPI Validation check (seen on #511). Download a pinned release asset directly instead so the step is deterministic.
Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX
---
 .github/workflows/security.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index da53aa77..217a2847 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -95,8 +95,17 @@ jobs:
 uses: actions/checkout@v7
 - name: Install vacuum
+ # Pin the version: the quobix install_vacuum.sh script auto-detects the
+ # latest release, and when that detection hiccups it builds a URL with an
+ # empty version and 404s, flaking this required check. Download a pinned
+ # release asset directly instead.
+ env:
+ VACUUM_VERSION: "0.29.7"
 run: |
- curl -fsSL https://quobix.com/scripts/install_vacuum.sh | sudo sh
+ curl -fsSL "https://github.com/daveshanley/vacuum/releases/download/v${VACUUM_VERSION}/vacuum_${VACUUM_VERSION}_linux_x86_64.tar.gz" -o /tmp/vacuum.tar.gz
+ tar -xzf /tmp/vacuum.tar.gz -C /tmp vacuum
+ sudo install -m 0755 /tmp/vacuum /usr/local/bin/vacuum
+ vacuum version
 - name: Validate OpenAPI specification
 run: |
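Review bot: The pinned archive fetched on the new `curl` line is extracted and installed to `/usr/local/bin` with no integrity check, so the step is now deterministic but still trusts whatever bytes the release asset serves at run time (GitHub release assets can be replaced after publication, and the version string alone does not guard against that). Pin the archive digest next to the version and verify it before extracting: add `VACUUM_SHA256: "<sha256 of the v0.29.7 linux_x86_64 tarball - placeholder>"` under `env:` and run `echo "${VACUUM_SHA256}  /tmp/vacuum.tar.gz" | sha256sum -c -` before the `tar` line; the vacuum release page appears to publish a checksums file the value can be taken from, but confirm that before relying on it. Since the motivating problem was flakiness, `curl --retry 3 --retry-all-errors` on the same line would absorb transient GitHub errors without weakening the digest check. The `Install vacuum` step is fully inside the hunk, but the enclosing job begins before it.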