OctopusDeploy · eddymoulton · May 7, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 30, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -84,20 +84,27 @@ jobs:
         uses: actions/setup-dotnet@v5.2.0
         with:
           dotnet-version: 9.0.x
-      - name: Compute version suffix for branch builds
+      - name: Compute version override for branch builds
         if: ${{ !startsWith(github.ref, 'refs/tags/') }}
         id: version
         run: |
+          # Latest release tag matching the convention <upstream-version>-octopus.<n> (see README "Releasing")
+          LATEST=$(git tag --list --sort=-v:refname | grep -E '^[0-9]+\.[0-9]+\.[0-9]+-octopus\.[0-9]+$' | head -n 1)
+          if [ -z "$LATEST" ]; then
+            echo "::error::No release tag matching <upstream-version>-octopus.<n> found"
+            exit 1
+          fi
           # Sanitize branch name: lowercase, replace non-alphanumeric with hyphen, trim to 20 chars
           BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
           SAFE_BRANCH=$(echo "$BRANCH" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//' | sed 's/-$//' | cut -c1-20)
-          echo "override=${SAFE_BRANCH}.${{ github.run_number }}" >> "$GITHUB_OUTPUT"
+          # Join with '.' (not '-') so branch/run land as separate prerelease IDs, keeping ordering correct vs the next octopus.<n+1>
+          echo "override=${LATEST}.${SAFE_BRANCH}.${{ github.run_number }}" >> "$GITHUB_OUTPUT"
       - name: Download artifacts
         uses: actions/download-artifact@v8.0.1
         with:
           path: nuget.package/runtimes/
       - name: Create package
-        run: dotnet pack nuget.package ${{ steps.version.outputs.override && format('/p:MinVerDefaultPreReleaseIdentifiers="{0}"', steps.version.outputs.override) || '' }}
+        run: dotnet pack nuget.package ${{ steps.version.outputs.override && format('/p:MinVerVersionOverride={0}', steps.version.outputs.override) || '' }}
       - name: Upload NuGet package
         uses: actions/upload-artifact@v7.0.0
         with:

diff --git a/build.libgit2.sh b/build.libgit2.sh
@@ -62,7 +62,51 @@ cp libgit2/build/libgit2-$SHORTSHA.$LIBEXT $PACKAGEPATH/$RID/native
 LIBGIT2_PATH="$PACKAGEPATH/$RID/native/libgit2-$SHORTSHA.$LIBEXT"
 
 if [[ $OS == "Darwin" ]]; then
-    echo "macOS: libssh2 sourced from global installation"
+    # We don't run Octopus Server on Mac, so we can avoid the restriction of relying on the system crypto libraries
+    # (Required for FIPS compliance). Instead we just bundle the packages so devs don't need to install them.
+    NATIVE_DIR="$PACKAGEPATH/$RID/native"
+
+    is_homebrew_path() {
+        case "$1" in
+            /opt/homebrew/*|/usr/local/Cellar/*) return 0 ;;
+            *) return 1 ;;
+        esac
+    }
+
+    # Walk the load commands of $1 and, for each Homebrew-rooted dep, copy it next to libgit2,
+    # rewrite the load command to @rpath, and recurse so transitive deps (libssl -> libcrypto, etc.) are covered.
+    bundle_homebrew_deps() {
+        local DYLIB="$1"
+        local DEPS
+        DEPS=$(otool -L "$DYLIB" | tail -n +2 | awk '{print $1}')
+        local DEP
+        for DEP in $DEPS; do
+            if is_homebrew_path "$DEP"; then
+                local DEP_BASENAME
+                DEP_BASENAME=$(basename "$DEP")
+                local DEP_DEST="$NATIVE_DIR/$DEP_BASENAME"
+                if [[ ! -f "$DEP_DEST" ]]; then
+                    echo "Bundling $DEP_BASENAME from $DEP"
+                    cp "$DEP" "$DEP_DEST"
+                    chmod u+w "$DEP_DEST"
+                    install_name_tool -id "@rpath/$DEP_BASENAME" "$DEP_DEST"
+                    bundle_homebrew_deps "$DEP_DEST"
+                fi
+                install_name_tool -change "$DEP" "@rpath/$DEP_BASENAME" "$DYLIB"
+            fi
+        done
+    }
+
+    bundle_homebrew_deps "$LIBGIT2_PATH"
+
+    for DYLIB in "$NATIVE_DIR"/*.dylib; do
+        install_name_tool -add_rpath @loader_path "$DYLIB"
+    done
+
+    # Ad-hoc re-sign — install_name_tool invalidates the existing signature, which is fatal on Apple Silicon.
+    for DYLIB in "$NATIVE_DIR"/*.dylib; do
+        codesign --force --sign - "$DYLIB"
+    done
 else
     # Linux: find libssh2 via ldd
     LIBSSH2_PATH=$(ldd "$LIBGIT2_PATH" | grep libssh2 | awk '{print $3}')