Merged
Both codes were documented in README.md but missing from the --help output, creating an inconsistency that misleads users and agents relying on --help as the authoritative reference. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com>
A missing .sha256 file previously produced only a warning and continued, allowing an unverified binary to install silently. Now exits with an error. Users in restricted environments can opt out via SMOOSH_NO_VERIFY=1, which emits a prominent unsafe warning. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com>
The previous curl-based binary download had no integrity check (mvdan/sh does not publish separate checksum files). Switching to go install routes through the Go module sum database (sum.golang.org), an append-only transparency log that provides cryptographic integrity. Also adds a bash32 CI job that parses smoosh under /bin/bash (Bash 3.2 on macOS runners), catching any Bash 4+ syntax that would break the compatibility guarantee. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com>
Actions are already pinned to commit SHAs, but without Dependabot those pins will never be updated. Monthly cadence keeps them current without generating noise. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com>
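The workflow shape the go install and bash32 commits describe, as an added example and not the project's actual `ci.yml`: job names, the pinned `shfmt` version, and the `<full-commit-sha>` placeholders are assumptions, and the action pins must be replaced with real 40-character SHAs before use.

```yaml
# Added example (not the project's ci.yml). Two ideas from the PR:
#  1. install shfmt with `go install`, so the module is checked against the
#     Go checksum database (sum.golang.org) instead of an unverified curl;
#  2. parse the scripts with /bin/bash on a macOS runner, which is Bash 3.2.
name: ci
on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a full commit SHA; the version comment is what
      # Dependabot's github-actions ecosystem keeps in sync with the SHA.
      - uses: actions/checkout@<full-commit-sha> # vX.Y.Z (placeholder)
      - uses: actions/setup-go@<full-commit-sha> # vX.Y.Z (placeholder)
        with:
          go-version: stable
      - name: Install shfmt through the Go module proxy + sum database
        run: |
          # Refuse to continue if someone disabled the checksum database in
          # the runner environment; otherwise go install would still "work"
          # but without the transparency-log check.
          test "$(go env GOSUMDB)" = "sum.golang.org"
          # Pinned version (assumed here); `@latest` would also be verified,
          # but a pin makes the CI reproducible.
          go install mvdan.cc/sh/v3/cmd/shfmt@v3.8.0
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      - name: Check formatting
        run: shfmt -d smoosh install.sh

  bash32:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@<full-commit-sha> # vX.Y.Z (placeholder)
      - name: Parse scripts with the system Bash 3.2
        run: |
          # `bash` in PATH on macOS runners is a newer Homebrew build;
          # only /bin/bash is the 3.2 the compatibility guarantee targets.
          /bin/bash -c 'case "$BASH_VERSION" in
            3.2*) echo "Bash $BASH_VERSION" ;;
            *) echo "expected Bash 3.2, got $BASH_VERSION" >&2; exit 1 ;;
          esac'
          /bin/bash -n smoosh
          /bin/bash -n install.sh
```

`bash -n` only exercises the parser, so it catches grammar-level Bash 4 constructs (for example the `|&` pipe) but not Bash 4-only builtins and expansions such as `mapfile` or `declare -A`, which parse fine under 3.2 and fail only when executed; running the script's own tests under `/bin/bash` in the same job would close that gap.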
This pull request introduces several improvements to CI workflows, installation safety, and error handling in the project. The most notable changes include switching to a safer installation method for `shfmt`, adding Bash 3.2 syntax checks, enforcing checksum verification for installs, and improving error reporting for missing dependencies.

CI/CD Workflow Improvements:

- Replaced the curl-based download of `shfmt` with `go install` in both `ci.yml` and `release.yml`, so the binary is verified through the Go module sum database. Updated `$GITHUB_PATH` to include the Go binary directory.
- Added a `bash32` job in `ci.yml` that checks syntax compatibility with Bash 3.2 on macOS, preventing use of Bash 4+ features in the scripts.
- Added `.github/dependabot.yml` to enable monthly automated dependency updates for GitHub Actions workflows.

Installation Safety Enhancements:

- `install.sh` now aborts if a checksum file is missing, to protect against unverified installs; the new `SMOOSH_NO_VERIFY` environment variable lets users skip checksum verification, with a warning.

Error Handling and Documentation:

- `smoosh` now requires the `file` command for MIME validation in `--all` mode and exits with an error if it is not found; exit codes and documentation were updated accordingly.
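The fail-closed verification behaviour described for `install.sh`, as an added example rather than the project's own installer: the function and fixture names (`verify_download`, `sha256_of`, `make_fixture`) and the numeric return codes are assumptions chosen for this illustration, and the sample "binary" is constructed in a temp directory so the code runs offline.

```bash
#!/usr/bin/env bash
# Added example, not the project's install.sh. Shows a checksum check that
# fails closed: a missing or malformed .sha256 file is an error, not a warning,
# and SMOOSH_NO_VERIFY=1 is the only way past it (with a loud warning).
# Names and return codes below are assumptions for this example.

VERIFY_OK=0        # checksum matched
VERIFY_MISMATCH=1  # checksum present but does not match the file
VERIFY_MISSING=2   # no checksum file, unusable checksum, or no hashing tool
VERIFY_SKIPPED=3   # user opted out with SMOOSH_NO_VERIFY=1

# Print the hex SHA-256 of a file using whichever tool is present
# (sha256sum on Linux, shasum on macOS). Returns 1 if neither exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        return 1
    fi
}

# verify_download BINARY CHECKSUM_FILE
verify_download() {
    local bin="$1" sumfile="$2" expected actual
    if [ "${SMOOSH_NO_VERIFY:-0}" = "1" ]; then
        printf 'WARNING: SMOOSH_NO_VERIFY=1 set; installing %s WITHOUT integrity verification (unsafe)\n' "$bin" >&2
        return "$VERIFY_SKIPPED"
    fi
    if [ ! -f "$bin" ]; then
        printf 'error: %s not found\n' "$bin" >&2
        return "$VERIFY_MISSING"
    fi
    if [ ! -f "$sumfile" ]; then
        printf 'error: checksum file %s not found; refusing to install an unverified binary\n' "$sumfile" >&2
        return "$VERIFY_MISSING"
    fi
    # .sha256 files are normally "<hex>  <name>". Take the first field of the
    # first line and insist on exactly 64 hex characters, so a truncated file
    # or an HTML error page saved as the checksum can never "match".
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    case "$expected" in
        *[!0-9a-f]* | "")
            printf 'error: malformed checksum in %s\n' "$sumfile" >&2
            return "$VERIFY_MISSING" ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        printf 'error: malformed checksum in %s\n' "$sumfile" >&2
        return "$VERIFY_MISSING"
    fi
    actual=$(sha256_of "$bin") || {
        printf 'error: neither sha256sum nor shasum is available\n' >&2
        return "$VERIFY_MISSING"
    }
    if [ "$actual" != "$expected" ]; then
        printf 'error: checksum mismatch for %s\n  expected %s\n  actual   %s\n' "$bin" "$expected" "$actual" >&2
        return "$VERIFY_MISMATCH"
    fi
    return "$VERIFY_OK"
}

# Constructed fixture for trying the function offline: a fake "binary" and a
# matching .sha256 file in a fresh temp directory. Prints the directory path.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    printf 'fake binary contents\n' > "$dir/smoosh"
    printf '%s  smoosh\n' "$(sha256_of "$dir/smoosh")" > "$dir/smoosh.sha256"
    printf '%s\n' "$dir"
}

# Usage: d=$(make_fixture); verify_download "$d/smoosh" "$d/smoosh.sha256"
```

The opt-out check runs first on purpose: a user who sets `SMOOSH_NO_VERIFY=1` gets the warning and a distinct return code even when a checksum file exists, which keeps the "unsafe" path visible in logs instead of silently blending into the verified one.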