From 3cdd8ab5366b5507700585b502199d076144c91d Mon Sep 17 00:00:00 2001
From: Michael Droettboom
Date: Fri, 10 Apr 2026 12:58:22 -0400
Subject: [PATCH 1/2] Pin version and check checksum of yq dependency on Windows
---
 .github/workflows/build-wheel.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml
index eb084c429d..74f19b15b6 100644
--- a/.github/workflows/build-wheel.yml
+++ b/.github/workflows/build-wheel.yml
@@ -82,13 +82,19 @@ jobs:
 # see https://github.com/actions/runner-images/issues/7443.
 if: ${{ startsWith(inputs.host-platform, 'win') }}
 env:
- # doesn't seem there's an easy way to avoid hard-coding it?
- YQ_URL: https://github.com/mikefarah/yq/releases/latest/download/yq_windows_amd64.exe
+ YQ_VERSION: v4.52.5
+ YQ_SHA256: 47594981f3848a4b4447494adeca9555f908f7cf0a89c4da3fd0243a4631da1c
 YQ_DIR: yq_latest
 shell: pwsh -command ". '{0}'"
 run: |
+ $yqUrl = "https://github.com/mikefarah/yq/releases/download/${env:YQ_VERSION}/yq_windows_amd64.exe"
 mkdir -Force -ErrorAction SilentlyContinue "${env:YQ_DIR}" | Out-Null
- Invoke-WebRequest -UseBasicParsing -OutFile "${env:YQ_DIR}/yq.exe" -Uri "$env:YQ_URL"
+ Invoke-WebRequest -UseBasicParsing -OutFile "${env:YQ_DIR}/yq.exe" -Uri "$yqUrl"
+ $hash = (Get-FileHash -Algorithm SHA256 "${env:YQ_DIR}/yq.exe").Hash.ToLower()
+ if ($hash -ne $env:YQ_SHA256) {
+ Write-Error "SHA256 mismatch for yq: expected $env:YQ_SHA256, got $hash"
+ exit 1
+ }
 ls -l $env:YQ_DIR
 echo "$((Get-Location).Path)\\$env:YQ_DIR" >> $env:GITHUB_PATH
 $env:Path += ";$((Get-Location).Path)\\$env:YQ_DIR"
From 4a22bd95b4f76111bd8ddecf19b43ac943eb1131 Mon Sep 17 00:00:00 2001
From: Michael Droettboom
Date: Fri, 10 Apr 2026 13:00:15 -0400
Subject: [PATCH 2/2] Rename yq-latest
---
 .github/workflows/build-wheel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
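Review bot: The mismatch branch in PATCH 1/2 (`if ($hash -ne $env:YQ_SHA256) { ... exit 1 }`) fails the step but leaves the unverified download at `${env:YQ_DIR}/yq.exe`, so anything that later runs in the same workspace (a step marked `if: always()`, or a reused self-hosted runner; neither is visible in this hunk) could still find it. Deleting the file before exiting closes that gap: `Remove-Item -Force "${env:YQ_DIR}/yq.exe"` ahead of `exit 1`. The pin would also be easier to audit with a comment above `YQ_SHA256`, for example `# SHA256 of yq_windows_amd64.exe for YQ_VERSION; update both together`, ideally also naming where the digest was taken from. The step's `- name:` line sits above the hunk, so the rest of the step was not reviewed.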
diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml
index 74f19b15b6..e8986aa3c0 100644
--- a/.github/workflows/build-wheel.yml
+++ b/.github/workflows/build-wheel.yml
@@ -84,7 +84,7 @@ jobs:
 env:
 YQ_VERSION: v4.52.5
 YQ_SHA256: 47594981f3848a4b4447494adeca9555f908f7cf0a89c4da3fd0243a4631da1c
- YQ_DIR: yq_latest
+ YQ_DIR: yq
 shell: pwsh -command ". '{0}'"
 run: |
 $yqUrl = "https://github.com/mikefarah/yq/releases/download/${env:YQ_VERSION}/yq_windows_amd64.exe"