From 20f7f8c70e7d510a54edbd51bd67a493cda4e149 Mon Sep 17 00:00:00 2001
From: Felix Rieseberg <f@anthropic.com>
Date: Sat, 11 Apr 2026 08:17:18 -0700
Subject: [PATCH 1/3] Modernize GitHub Actions workflow

- Bump actions to latest releases and pin to commit SHAs
- Replace deprecated ::set-output + actions/cache with setup-node built-in yarn cache
- Bump Node 18 -> 20
- Use --frozen-lockfile in build job install
---
 .github/workflows/build.yml | 43 +++++++++++--------------------------
 1 file changed, 12 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 772b14e..b27d23d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,21 +12,12 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 18.x
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - uses: actions/cache@v1
-        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-yarn-
+          node-version: 20.x
+          cache: yarn
       - name: Install
         run: yarn --frozen-lockfile
       - name: lint
@@ -55,22 +46,12 @@ jobs:
           arch: arm64
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 18.x
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "::set-output name=dir::$(yarn cache dir)"
-      - uses: actions/cache@v1
-        if: matrix.os != 'macOS-latest'
-        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-yarn-
+          node-version: 20.x
+          cache: yarn
       - name: Set MacOS signing certs
         if: matrix.os == 'macOS-latest'
         run: chmod +x tools/add-macos-cert.sh && ./tools/add-macos-cert.sh
@@ -81,7 +62,7 @@ jobs:
         if: matrix.os == 'windows-latest'
         continue-on-error: true
         id: write_file
-        uses: timheuer/base64-to-file@v1
+        uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
         with:
           fileName: 'win-certificate.pfx'
           encodedString: ${{ secrets.WINDOWS_CODESIGN_P12 }}
@@ -96,7 +77,7 @@ jobs:
         env:
           DISK_URL: ${{ secrets.DISK_URL }}
       - name: Install
-        run: yarn
+        run: yarn --frozen-lockfile
       - name: Make
         if: startsWith(github.ref, 'refs/tags/')
         run: yarn make --arch=${{ matrix.arch }}
@@ -107,7 +88,7 @@ jobs:
           WINDOWS_CODESIGN_FILE: ${{ steps.write_file.outputs.filePath }}
           WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         if: startsWith(github.ref, 'refs/tags/')
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -118,4 +99,4 @@ jobs:
             out/**/*.dmg
             out/**/*setup*.exe
             out/**/*.rpm
-            out/**/*.zip
\ No newline at end of file
+            out/**/*.zip

From 1bef3cce6273c54f3ec8b859588e7d06e4ad3a0b Mon Sep 17 00:00:00 2001
From: Felix Rieseberg <f@anthropic.com>
Date: Sat, 11 Apr 2026 09:04:03 -0700
Subject: [PATCH 2/3] Switch CI from yarn to npm (repo uses package-lock.json)

---
 .github/workflows/build.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b27d23d..922f9c4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,11 +17,11 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 20.x
-          cache: yarn
+          cache: npm
       - name: Install
-        run: yarn --frozen-lockfile
+        run: npm ci
       - name: lint
-        run: yarn lint
+        run: npm run lint
   build:
     needs: lint
     name: Build (${{ matrix.os }} - ${{ matrix.arch }})
@@ -51,7 +51,7 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 20.x
-          cache: yarn
+          cache: npm
       - name: Set MacOS signing certs
         if: matrix.os == 'macOS-latest'
         run: chmod +x tools/add-macos-cert.sh && ./tools/add-macos-cert.sh
@@ -77,10 +77,10 @@ jobs:
         env:
           DISK_URL: ${{ secrets.DISK_URL }}
       - name: Install
-        run: yarn --frozen-lockfile
+        run: npm ci
       - name: Make
         if: startsWith(github.ref, 'refs/tags/')
-        run: yarn make --arch=${{ matrix.arch }}
+        run: npm run make -- --arch=${{ matrix.arch }}
         env:
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}

From 3eab26fed10f5f756adcfd7eae23a7701db7323d Mon Sep 17 00:00:00 2001
From: Felix Rieseberg <f@anthropic.com>
Date: Sat, 11 Apr 2026 09:31:38 -0700
Subject: [PATCH 3/3] check-links: allow 403 from github user-attachments CDN

---
 tools/check-links.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tools/check-links.js b/tools/check-links.js
index 40cd8cb..2aaa6eb 100644
--- a/tools/check-links.js
+++ b/tools/check-links.js
@@ -15,9 +15,13 @@ async function main() {
       const response = await fetch(link, { method: 'HEAD' })
 
       if (!response.ok) {
-        // If we're inside GitHub's release asset server, we just ran into AWS not allowing
-        // HEAD requests, which is different from a 404.
-        if (!response.url.startsWith('https://github-production-release-asset')) {
+        // GitHub's release-asset and user-attachments CDNs reject anonymous HEAD
+        // requests (403), which is different from a 404.
+        const isGithubCdn =
+          response.url.startsWith('https://github-production-release-asset') ||
+          response.url.startsWith('https://github-production-user-asset') ||
+          link.startsWith('https://github.com/user-attachments/')
+        if (!isGithubCdn) {
           throw new Error (`HTTP Error Response: ${response.status} ${response.statusText}`)
         }
       }