- Guard uploaded_keys append with !dry_run so the rollback list
never contains keys for objects that were never written.
- Prefer GITHUB_ACTOR over local OS username for manifest.uploaded_by;
manifest.json is CDN-fronted so leaking a developer's login is
unnecessary (falls back to 'local').
- Extend test_windows_has_no_stale_third_party to cover bun.exe/rg.exe
too, matching the macOS forbidden-set pattern.
* feat(build): swap podman server resources for Lima (WS3)
- Upload limactl (arm64 + x64) to R2 via new 'browseros upload lima' CLI.
- Rewrite scripts/build/config/server-prod-resources.json: 2 Lima entries,
12 podman-family entries removed.
- Update codesign metadata (server_binaries.py) to add limactl, drop podman
family. Sign modules need no edits (data-driven).
- Delete orphaned podman-{vfkit,krunkit} entitlement plists.
- Release-gating note in browseros-agent/CLAUDE.md: don't cut releases off
dev between this commit and WS6 landing (OpenClaw still invokes podman).
* fix: address review comments for 0422-ws3_lima_resources
- Tighten _find_limactl_member to match exactly .../bin/limactl via
Path.parts, avoiding incidental matches like 'xbin/limactl'.
- Fall back USER -> USERNAME -> 'unknown' for uploaded_by so Windows
shells don't all record 'unknown'.
- Comment the broad except in upload_lima to explain why rollback
must fire for any mid-loop failure.
* chore: drop bun + rg from Windows sign list
These executables are already absent from server-prod-resources.json (no
Windows entries shipped); keeping them in the sign list produces
"Binary not found" warnings on every Windows build.
Introduces release.macos.arm64.yaml for single-architecture arm64
macOS release builds. Mirrors the windows/linux single-arch pattern
(configure -> compile -> sign_macos -> package_macos -> upload),
skipping the universal_build module to avoid the x64 cross-compile
and lipo merge. Reuses the sparkle_setup step and the same
notarization env vars as the universal macOS config.
* feat(ota): bundle full server resources tree (server + third_party bins)
The OTA Sparkle payload now ships the complete resources/ tree the agent
build produced, not just browseros_server. Every third-party binary (bun,
ripgrep, podman, gvproxy, vfkit, krunkit, podman-mac-helper, win-sshproxy)
flows to OTA-updated installs so podman integration works for users on the
OTA channel, matching fresh Chromium-build installs.
Extract the per-binary sign table into build/common/server_binaries.py so
the Chromium-build sign path (modules/sign/) and OTA sign path (modules/ota/)
share a single source of truth. Adding a new third-party dep is now a
one-file edit that both paths pick up automatically; unknown executables
under resources/bin/ are a hard error at release time.
* fix(ota): address review comments on bundle signing flow
- Avoid double-zipping during notarization: add notarize_macos_zip for
pre-built Sparkle bundles so notarytool submits the zip directly
instead of re-wrapping it through ditto --keepParent (Apple's service
does not descend into nested archives). Keep notarize_macos_binary for
single-binary callers. Share credential setup + submit logic via
internal helpers.
- Fail fast on unknown executables in sign_server_bundle_macos: collect
the unknown-files list before any codesign call so a missing shared-
table entry aborts in seconds, not after a full signing round.
- Drop dead get_entitlements_path helper (no callers remain after the
bundle refactor).
* fix(ota): address PR review comments (greptile + claude)
- sign_server_bundle_macos filters to executables only (p.is_file() +
not p.is_symlink() + os.access X_OK) before applying the unknown-file
guard. Non-Mach-O files (configs, dylibs, etc.) under resources/bin/
no longer cause misleading 'unknown executable' hard failures.
- sign_server_bundle_windows now hard-errors on a missing expected
binary instead of silently skipping it. Symmetric with the macOS
guard — an incomplete bundle must not publish.
- ServerOTAModule.execute() uses tempfile.TemporaryDirectory context
managers for both the download and staging roots so they are cleaned
up on every path, including failures.
- Per-platform sign/notarize/Sparkle-sign failures now raise RuntimeError
instead of silently skipping the platform — a release pipeline can no
longer omit a target while reporting success.
- Move import os and import shutil to the top of ota/sign_binary.py.
- Drop unused log_error import from ota/server.py.
* chore: bump server
* fix: install linux sysroot in configure, not via gclient hook
`gn gen` was failing on the arm64 leg with `Missing sysroot
(//build/linux/debian_bullseye_arm64-sysroot)`. The previous design
relied on `git_setup` writing `target_cpus` to `.gclient` so that
`gclient sync`'s DEPS hook would download the cross-arch sysroot. That
chain breaks for any chromium_src that was synced before cross-arch
support landed (the hook is gated on .gclient state at sync time) and
for partial pipeline runs that skip git_setup entirely. Nothing in
configure declared or verified its sysroot precondition.
Make configure self-healing: on Linux, invoke
`build/linux/sysroot_scripts/install-sysroot.py --arch=<target>`
directly before `gn gen`. install-sysroot.py is idempotent (stamp file
+ SHA check), fast when already installed, and decoupled from .gclient
— it's exactly what the failing assertion's error message recommends.
The script accepts our arch names directly: `x64` translates to `amd64`
internally via ARCH_TRANSLATIONS, and `arm64` is a valid pass-through.
Also temporarily pin release.linux.yaml to x64 only while we validate
the sysroot bootstrap end-to-end. Flip back to `[x64, arm64]` once
arm64 is green.
* chore: pin release.linux.yaml to arm64-only for sysroot bootstrap test
x64 already builds cleanly — the failing leg is arm64 cross-compile from
an x64 host. Pin the config to arm64 to exercise the new
install-sysroot.py path in configure without burning time on x64.
Flip back to [x64, arm64] once arm64 is green.
`release.linux.yaml` now declares `architecture: [x64, arm64]` and the
runner loops the entire pipeline once per architecture. depot_tools
fetches both Linux sysroots automatically — `git_setup` idempotently
ensures `target_cpus = ['x64', 'arm64']` is in `.gclient` before
`gclient sync`, so cross-compiling arm64 from an x64 host just works.
The resolver returns `List[Context]` (single-element for the common
single-arch case), and `build/cli/build.py` loops `execute_pipeline` over
the per-arch contexts. Modules stay 100% arch-agnostic — no new
orchestration module, no new YAML schema beyond the list form.
Also fix a cross-compile bug in `build/modules/package/linux.py`: the
appimagetool binary must match the BUILD machine's arch (it executes
locally), not the target arch. Split into a host-keyed
`LINUX_HOST_APPIMAGETOOL` lookup vs the existing target-keyed
`LINUX_ARCHITECTURE_CONFIG`. Target arch is still passed to appimagetool
via the `ARCH` env var.
- build/common/resolver.py: scalar OR list `architecture` -> List[Context]
- build/cli/build.py: loop pipeline per arch, log multi-arch headers
- build/config/release.linux.yaml: `architecture: [x64, arm64]`
- build/modules/setup/git.py: idempotent `target_cpus` edit on Linux
- build/modules/package/linux.py: host vs target appimagetool split
- build/modules/package/linux_test.py: cover the host/target split
* feat: add missing patches to features.yaml
Add 37 patch files from chromium_patches/ that were not tracked in
features.yaml. Creates 3 new features (cdp-api, vertical-tabs,
crash-reporter) and adds missing files to 3 existing features
(chromium-ui-fixes, side-panel-fixes, first-run).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* test: split sparkle third-party from mac-sparkle-updater
Move third_party/sparkle/ into its own feature since the Sparkle
framework is downloaded on-the-fly during build, not a permanent
patch in the tree.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: minor
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix: support artifact-extracted directory structure in OTA binary discovery
The download_resources system now extracts server binaries into
platform-specific subdirectories (e.g., darwin-arm64/resources/bin/),
but the OTA module only looked for flat binary names. This adds
find_server_binary() which checks both layouts, keeping backward
compatibility with --binaries while supporting the new structure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: download server binaries from R2 instead of requiring --binaries
Remove the --binaries flag from `ota server release`. The module now
downloads artifact zips from artifacts/server/latest/ in R2, extracts
them, then signs and packages as before. This eliminates the need to
have mono build output locally.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The app icon was oversized in the macOS Dock because the source icon
filled the entire 1024x1024 canvas with no padding. Apple's macOS Big
Sur+ HIG requires ~100px padding on each side (artwork at 824x824
within 1024x1024 canvas). Resized the source icon and regenerated all
platform icons.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: update to 146, fix clean
* fix: update all 16 failed patches for Chromium 146.0.7680.31
- Update BASE_COMMIT to 4d3225104176d (Chromium 146)
- Shift BrowserOS command IDs to avoid upstream 40300-40302 conflict
- Fix settings BUILD.gn and menu patches for upstream removals
- Shift syncable prefs IDs to 100379-100380 after upstream additions
- Migrate theme patch from theme_service_factory.cc to theme_service.cc
(RegisterProfilePrefs moved upstream)
- Fix toolbar_actions_model.cc for upstream API changes
- Fix toolbar_pref_names.cc for upstream base::ListValue usage
- Fix ui_features.cc/.h for removed kPopupBrowserUseNewLayout
- Fix api_sources.gni for new upstream entries
- Shift infobar delegate ID to 132
- Shift extension histogram values by +4 (1961-1985)
- Shift api_permission_id kBrowserOS to 265
- Update histogram enums.xml to match shifted values
- Delete chromium_install_modes.cc patch (file removed in 146)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: enable vertical tabs
* feat: default browseros theme
* chore: bump PATCH and OFFSET
* fix: update extensions-manifestv2 series patch for Chromium 146
Regenerated the patch from a clean diff against 146.0.7680.31 to fix
line number offsets and context mismatches in extensions_ui.cc.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update vertical_tab_strip_state_controller patch for Chromium 146
Upstream refactored includes and renamed NotifyStateChanged to
NotifyModeChanged. Regenerated patch with correct context.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update default theme to neutral gray (136,136,136)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: rename base::Value::Dict/List to base::DictValue/ListValue for Chromium 146
Chromium 146 moved base::Value::Dict and base::Value::List to top-level
classes base::DictValue and base::ListValue. Updated all 23 patch files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: regenerate browseros_prefs.cc patch (fix corrupt trailing newline)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update patches for Chromium 146 build API changes
- browseros_action_utils.h: remove nonexistent base/containers/contains.h include
- chrome_content_browser_client.cc: PrivateNetworkRequestPolicyOverride → LocalNetworkAccessRequestPolicyOverride
- extension_updater.cc: InstallStageTracker::Get → InstallStageTrackerFactory::GetForBrowserContext
- toolbar_actions_model.cc: base::Contains → std::ranges::contains
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* chore: bump PATCH and OFFSET
* fix: add AppArmor profile and improve .deb packaging for Ubuntu 23.10+
Ship an AppArmor profile with the .deb package that grants the
`userns` permission, fixing the fatal sandbox crash on Ubuntu 23.10+
and other distros that restrict unprivileged user namespaces via
AppArmor (closes#165).
Also adds: Qt5/Qt6 shim libraries for native file dialogs on KDE,
update-alternatives registration for default browser selection,
prerm cleanup script, and Provides/Recommends metadata.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: correct CDN download path for .deb and add multi-size icons
Update .deb download path from lowercase "browseros.deb" to "BrowserOS.deb"
to match the URL advertised in README (cdn.browseros.com/download/BrowserOS.deb).
Also install icons at all available sizes instead of only 256x256.
Closes#368
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add multi-size icons and AppStream metainfo to .deb package
Install product icons at all standard hicolor sizes (16, 22, 24, 32,
48, 64, 128, 256) instead of only 256px, so desktop environments can
pick the appropriate resolution for panels, menus, and task switchers.
Ship AppStream metainfo at /usr/share/metainfo/browseros.metainfo.xml
so GNOME Software, KDE Discover, and other software centers can
discover and display BrowserOS in their catalogs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: guard postinst update-alternatives with $1=configure check
Matches prerm's pattern — only register alternatives during normal
configure, not during dpkg error-recovery paths (abort-upgrade, etc.)
where /usr/bin/browseros may not exist yet.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add bun binary signing for macOS and Windows
Register the bun runtime binary in the code signing pipelines so it gets
properly signed and notarized alongside browseros_server and codex.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add bun runtime download and copy resource configs
Add bun binary entries for all platform/arch combos (macOS arm64/x64,
Linux arm64/x64, Windows x64) to download from R2 and copy into the
Chromium build output alongside browseros_server.
Also adds the server bundle (index.js) download and copy entries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
