chore(agents): bump claude-code to 2.1.159 #89
Open
github-actions[bot] wants to merge 1 commit into
Automated bump for claude-code to version 2.1.159.
linux/x86_64   2.1.143  e2126caf00ed3ec09371a29947658c7e9b31185256b2ac5728263bd95f7e3541
linux/aarch64  2.1.143  befd054f02c17e4b61a6a92b30286a147ca8c5c1bbf38b91dd14cba6fbb1e07d
CI downloaded each artifact from the URL above and recorded the SHA-256 shown here.
How to verify the SHA-256s
CI cross-checks each download against Anthropic's manifest.json (CDN-edge integrity — same origin, so not an independent oracle).
You can spot-check manually:
The linux-x64 / linux-arm64 checksums must match the linux/x86_64 / linux/aarch64 rows above.
Why this needs a human
Once merged, the hashes above lock these binaries in place — every
future build aborts unless the download matches byte-for-byte. CI
just computed them from a single fetch against upstream, so merging
without spot-checking trusts whatever upstream served at that one
moment. The cross-check above is what catches a CDN-edge tamper or
an upstream-account compromise before it propagates into our
images. A surprise version jump (off-schedule, several releases at
once, pre-release tag) is its own signal worth a second look.
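One way to script the reviewer's spot-check described above, as an added example that is not part of the original PR or the project's CI. The manifest layout (`platforms.<key>.checksum`), the function names, the version format and the sample bytes are assumptions; the artifact bytes are meant to come from a fetch separate from the one CI made.

```python
import hashlib
import json
import re

# Manifest key -> row label in the PR table (both naming schemes appear in the PR text).
PLATFORM_MAP = {"linux-x64": "linux/x86_64", "linux-arm64": "linux/aarch64"}
SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def check_pins(pinned, manifest_text, artifacts):
    """Return a list of problems; an empty list means every pin is consistent.

    pinned: {row label: sha256 hex} from the PR; artifacts: {row label: bytes}
    from a second, separate fetch. ASSUMED manifest layout: platforms.<key>.checksum.
    """
    problems = []
    platforms = json.loads(manifest_text).get("platforms", {})
    for key, label in PLATFORM_MAP.items():
        pin = pinned.get(label, "").strip().lower()
        if not SHA256_HEX.fullmatch(pin):
            problems.append(f"{label}: pin missing or not a SHA-256 hex digest")
            continue
        listed = str(platforms.get(key, {}).get("checksum", "")).lower()
        if listed != pin:
            problems.append(f"{label}: pin differs from manifest entry {key}")
        if hashlib.sha256(artifacts.get(label, b"")).hexdigest() != pin:
            problems.append(f"{label}: fetched bytes do not hash to the pin")
    return problems

def version_signals(old, new):
    """Flag jumps worth a second look. ASSUMES MAJOR.MINOR.PATCH[-tag] versions."""
    signals = ["pre-release tag"] if "-" in new else []
    o = [int(p) for p in old.split("-")[0].split(".")]
    n = [int(p) for p in new.split("-")[0].split(".")]
    if n <= o:
        signals.append("version does not increase")
    elif n[:2] != o[:2] or n[2] - o[2] > 1:
        signals.append("skips version numbers")  # heuristic for several releases at once
    return signals

if __name__ == "__main__":
    # Constructed sample data: fake artifact bytes, pins derived from them.
    blobs = {"linux/x86_64": b"constructed-x64", "linux/aarch64": b"constructed-arm64"}
    pins = {label: hashlib.sha256(data).hexdigest() for label, data in blobs.items()}
    manifest = json.dumps(
        {"platforms": {k: {"checksum": pins[v]} for k, v in PLATFORM_MAP.items()}})
    print(check_pins(pins, manifest, blobs))  # consistent pins
    blobs["linux/aarch64"] += b"!"  # simulate different bytes on re-fetch
    print(check_pins(pins, manifest, blobs), version_signals("1.0.3", "1.0.7"))
```

Because the manifest shares an origin with the binaries, an empty result only shows that two fetches agree with each other and with the pins.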