
[pull] master from DataDog:master#612

Merged
pull[bot] merged 2 commits into ConnectionMaster:master from DataDog:master
Jun 22, 2026

@pull pull Bot commented Jun 22, 2026


See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

Kyle-Neale and others added 2 commits June 22, 2026 13:30
…#24076)

* Verify SHA256 of PyApp and rcodesign downloads in build-ddev workflow

The build-ddev release workflow downloaded the PyApp source tarball and the
rcodesign binary tarball via curl piped into tar with no integrity check.
Because the resulting binaries are signed and published to PyPI and GitHub
releases, a tampered upstream archive (or a MITM on the runner) could ship
malicious code in official ddev artifacts.

Pin the SHA256 of each tarball alongside its version and verify with
`shasum -a 256 -c -` (same pattern already used for PBS in
resolve-build-deps.yaml) before extraction. The rcodesign hash matches the
upstream-published SHA256SUMS entry.

Jira: https://datadoghq.atlassian.net/browse/AI-6755

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fall back from sha256sum to shasum in Fetch PyApp for Windows runners

Git-for-Windows bash ships sha256sum (GNU coreutils) but not shasum (Perl),
so the previous step failed on the Windows matrix targets. Prefer sha256sum
when available and fall back to shasum on macOS where it's the canonical
tool. Linux gets sha256sum, Windows gets sha256sum, macOS gets shasum.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* GA + dataflows

* add account config

* fix typo

* fix comments
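
The verify-before-extract pattern described in the first commit message above, with its `sha256sum`-then-`shasum` fallback, as an added example that is not the build-ddev workflow's own code. The function names are hypothetical, and the pinned hash and archive path are supplied by the caller.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the caller supplies the pin.

# Read "HASH  FILE" lines on stdin and check them with whichever tool exists:
# sha256sum (Linux, Git-for-Windows bash) first, then shasum (macOS).
sha256_check() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c - >/dev/null 2>&1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 -c - >/dev/null 2>&1
    else
        echo "no SHA-256 tool on PATH" >&2
        return 2
    fi
}

# verify_archive FILE PINNED_SHA256: succeeds only on an exact match.
verify_archive() {
    va_file=$1
    va_pin=$2
    # Fail closed on an empty or malformed pin (e.g. an unset variable).
    case $va_pin in
        ''|*[!0-9a-f]*) echo "bad pin for $va_file" >&2; return 1 ;;
    esac
    [ "${#va_pin}" -eq 64 ] || { echo "bad pin length for $va_file" >&2; return 1; }
    printf '%s  %s\n' "$va_pin" "$va_file" | sha256_check
}

# extract_verified ARCHIVE PINNED_SHA256 DEST: the archive is already on disk
# (downloaded to a file, not piped into tar) and is unpacked only after the
# hash check passes, so unverified bytes never reach tar.
extract_verified() {
    ev_archive=$1
    ev_pin=$2
    ev_dest=$3
    if ! verify_archive "$ev_archive" "$ev_pin"; then
        echo "SHA256 verification failed, refusing to extract $ev_archive" >&2
        return 1
    fi
    mkdir -p "$ev_dest" && tar -xzf "$ev_archive" -C "$ev_dest"
}
```

Downloading to a file first is what makes the check possible: a `curl | tar` pipeline has already unpacked the bytes by the time any hash could be compared.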
@pull pull Bot locked and limited conversation to collaborators Jun 22, 2026
@pull pull Bot added the ⤵️ pull label Jun 22, 2026
@pull pull Bot merged commit 02e5f10 into ConnectionMaster:master Jun 22, 2026
1 check passed

2 participants