opensafely-core / ehrql

ehrQL: the electronic health record query language for OpenSAFELY
https://docs.opensafely.org/ehrql/

The workflow to update `pledge` has been failing since 2024-02-20 #2066

Open StevenMaude opened 1 month ago

StevenMaude commented 1 month ago

The date coincides with the release of Cosmopolitan 3.3.

The zip containing the binary we need no longer appears to be distributed via GitHub, but via a dedicated website. It is also possible to download the individual binary now, instead of the entire zip file.

See https://github.com/jart/cosmopolitan/issues/1111#issuecomment-1966143840 [^1]

[^1]: Dave knew about this because he opened the linked issue, but it probably got forgotten about in between it getting opened and resolved.

evansd commented 1 month ago

Thanks Steve. I haven't forgotten about this because I get a failure notification email every morning to remind me! But it's never been a huge priority to fix because I keep an eye on the Cosmopolitan changelog and none of the new releases have actually changed pledge at all.

Sadly, Justine hasn't kept up the individual binary releases: v3.3.1 is the last build but the project itself is on v3.5.4. And I was in any case a bit reluctant to rely on non-GitHub binary assets as it just introduces more "trust surface area" in terms of operational security.

I think eventually we're going to have to switch to compiling pledge ourselves, but I've been putting off tackling that.

StevenMaude commented 1 month ago

No worries; I just noticed because I was looking at how the workflows here were doing things.