Checkmarx · cx-luis-ventuzelos · Jun 18, 2026 · Jun 1, 2026 · Jun 2, 2026 · Jun 10, 2026
diff --git a/.github/workflows/delete-packages-and-releases.yml b/.github/workflows/delete-packages-and-releases.yml
@@ -52,4 +52,4 @@ jobs:
             | while IFS= read -r tag; do
                 echo "Deleting release and tag: $tag"
                 gh release delete "$tag" --yes --cleanup-tag || true
-              done
+              done
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -1,9 +1,7 @@
 name: Nightly Release
 
 permissions:
-  id-token: write
-  contents: write
-  packages: write
+  contents: read
 
 on:
   push:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,11 @@ on:
         required: false
         default: true
         type: boolean
+      bumpVersion:
+        description: 'Bump npm version, create and merge version PR'
+        required: false
+        default: true
+        type: boolean
   workflow_dispatch:
     inputs:
       cliTag:
@@ -33,6 +38,11 @@ on:
         required: false
         default: true
         type: boolean
+      bumpVersion:
+        description: 'Bump npm version, create and merge version PR'
+        required: false
+        default: true
+        type: boolean
 
 permissions:
   contents: read
@@ -72,18 +82,26 @@ jobs:
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.11.0
-          registry-url: https://npm.pkg.github.com/
+          registry-url: https://npm.echohq.com/
+
+      - name: Configure GitHub Packages auth
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm config set //npm.pkg.github.com/:_authToken "${GH_TOKEN}"
 
       - name: Generate Tag name
         id: generate_tag_name
         env:
           INPUT_DEV: ${{ inputs.dev }}
           INPUT_JS_TAG: ${{ inputs.jsTag }}
+          INPUT_BUMP_VERSION: ${{ inputs.bumpVersion }}
         run: |
           if [ "$INPUT_DEV" == "true" ]; then
             TAG_NAME=$(npm version prerelease --preid="$INPUT_JS_TAG" --no-git-tag-version --allow-same-version)
-          else
+          elif [ "$INPUT_BUMP_VERSION" == "true" ]; then
             TAG_NAME=$(npm version patch --no-git-tag-version)
+          else
+            TAG_NAME=v$(node -p "require('./package.json').version")
           fi
 
           echo "Generated TAG_NAME: $TAG_NAME"
@@ -124,7 +142,7 @@ jobs:
 
       - name: Create Pull Request
         id: create_pr
-        if: inputs.dev == false
+        if: inputs.dev == false && inputs.bumpVersion == true
         uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1
         with:
           token: ${{ env.GITHUB_TOKEN }}
@@ -136,13 +154,13 @@ jobs:
 
       - name: Wait for PR to be created
         id: pr
-        if: inputs.dev == false
+        if: inputs.dev == false && inputs.bumpVersion == true
         uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
         with:
           route: GET /repos/${{ github.repository }}/pulls?head=${{ github.repository_owner }}:${{ env.BRANCH_NAME }}
 
       - name: Merge Pull Request
-        if: inputs.dev == false
+        if: inputs.dev == false && inputs.bumpVersion == true
         uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
         with:
           route: PUT /repos/${{ github.repository }}/pulls/${{ steps.create_pr.outputs.pull-request-number }}/merge

diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
@@ -6,8 +6,6 @@ on:
       new_cli_version:
         description: 'New CLI version (optional)'
         required: false
-  repository_dispatch:
-    types: [cli-version-update]
 
 permissions:
   contents: read
@@ -29,8 +27,8 @@ jobs:
             LATEST_VERSION=$(curl -sL https://api.github.com/repos/Checkmarx/ast-cli/releases/latest | jq -r ".tag_name")
           fi
           CURRENT_VERSION=$(<checkmarx-ast-cli.version)
-          echo ::set-output name=release_tag::$LATEST_VERSION
-          echo ::set-output name=current_tag::$CURRENT_VERSION
+          echo "release_tag=$LATEST_VERSION" >> $GITHUB_OUTPUT
+          echo "current_tag=$CURRENT_VERSION" >> $GITHUB_OUTPUT
 
       # Update the version file if the latest version differs
       - name: Update Checkmarx CLI version in version file
@@ -40,15 +38,56 @@ jobs:
         run: |
           echo ${{ steps.checkmarx-ast-cli.outputs.release_tag }} > checkmarx-ast-cli.version
 
-      # Update the TypeScript file's cliDefaultVersion field
-      - name: Update cliDefaultVersion in CxInstaller.ts
+      # Download CLI binaries and generate checksums
+      - name: Download CLI and generate checksums
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
         env:
-          NEW_CLI_VERSION: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
+          RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
         run: |
-          FILE_PATH="src/main/osinstaller/CxInstaller.ts"
-          # Ensure that 'cliDefaultVersion' is updated correctly
-          sed -i "s/\(cliDefaultVersion = '\)[^']*\(';\)/\1${NEW_CLI_VERSION}\2/" $FILE_PATH
+          VERSION=$RELEASE_TAG
+
+          # Initialize checksums object
+          CHECKSUMS='{}'
+
+          # Platform configurations: platform_name,architecture,extension,os_platform
+          PLATFORMS=(
+            "windows,x64,zip,windows"
+            "darwin,x64,tar.gz,darwin"
+            "linux,x64,tar.gz,linux"
+            "linux,arm64,tar.gz,linux"
+            "linux,armv6,tar.gz,linux"
+          )
+
+          for PLATFORM_CONFIG in "${PLATFORMS[@]}"; do
+            IFS=',' read -r OS_TYPE ARCH EXT OS_PLATFORM <<< "$PLATFORM_CONFIG"
+
+            KEY="${OS_PLATFORM}_${ARCH}"
+            URL="https://download.checkmarx.com/CxOne/CLI/${VERSION}/ast-cli_${VERSION}_${OS_PLATFORM}_${ARCH}.${EXT}"
+
+            echo "Downloading checksum for ${KEY} from ${URL}..."
+
+            # Download binary
+            TEMP_FILE="/tmp/ast-cli_${KEY}.${EXT}"
+            if curl -sL -o "$TEMP_FILE" "$URL"; then
+              # Calculate SHA-256
+              CHECKSUM=$(sha256sum "$TEMP_FILE" | awk '{print $1}')
+              echo "✓ ${KEY}: ${CHECKSUM}"
+
+              # Update checksums JSON
+              CHECKSUMS=$(echo "$CHECKSUMS" | jq --arg key "$KEY" --arg value "$CHECKSUM" '.[$key] = $value')
+
+              # Cleanup
+              rm -f "$TEMP_FILE"
+            else
+              echo "✗ Failed to download ${KEY}"
+              exit 1
+            fi
+          done
+
+          # Write checksums to file
+          echo "$CHECKSUMS" | jq '.' > checkmarx-ast-cli.checksums
+          echo "Checksums updated:"
+          cat checkmarx-ast-cli.checksums
 
       # Create a Pull Request with the version changes
       - name: Create Pull Request

diff --git a/.npmrc b/.npmrc
@@ -0,0 +1,2 @@
+# Default registry for most packages
+registry=https://npm.echohq.com/
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Default registry for most packages
		registry=https://npm.echohq.com/