fix: pin install script URLs to commit SHAs and eliminate pipe-to-shell #246
Merged
Pull request overview
This PR hardens several Task helper installer scripts by reducing supply-chain risk and addressing OpenSSF Scorecard “Pinned-Dependencies” findings in the repository’s script-based tool setup flow.
Changes:
- Replace unpinned/shortened installer URLs with `raw.githubusercontent.com` URLs pinned to specific commit SHAs.
- Remove `curl | sh`/`bash` patterns by downloading installer scripts to a temporary file before execution.
- Add temp directory cleanup via `trap` to ensure downloaded scripts are removed on exit/signals.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .taskfiles/scripts/install_act.sh | Pins act installer script to a commit SHA and executes from a downloaded temp file. |
| .taskfiles/scripts/install_actionlint.sh | Pins actionlint download script to a commit SHA and removes pipe-to-shell execution. |
| .taskfiles/scripts/install_azd.sh | Replaces aka.ms shortlink with a commit-pinned raw GitHub URL and executes locally downloaded script. |
| .taskfiles/scripts/install_golangci-lint.sh | Pins golangci-lint install script to a commit SHA and executes it from disk. |
| .taskfiles/scripts/install_opentofu.sh | Pins the OpenTofu installer script to a commit SHA and avoids piping to a shell. |
| .taskfiles/scripts/setup_fnm.sh | Pins the fnm installer script to a commit SHA and executes from a downloaded temp file. |
Author
@DariuszPorowski Please have a look if you find time. Thanks, Mani
DariuszPorowski
requested changes
Apr 8, 2026
Each of the "domain" taskfiles has a version section,
mpf/.taskfiles/github.Taskfile.yml
Line 7 in fead608
Can you use this to provide the SHA, instead of hardcoding it in the scripts?
```yaml
vars:
  GITHUB_VERSION:
    map:
      actionlint: 123...456 # v1.2.3
      act: latest
```
DariuszPorowski
approved these changes
Apr 13, 2026
Replace `curl | bash` pattern with download-to-temp-file execution in 6 install scripts flagged by OpenSSF Scorecard (Pinned-Dependencies).

Changes per script:
- Pin raw.githubusercontent.com URLs to specific commit SHAs instead of branch refs (master/main) or URL shorteners (aka.ms, get.opentofu.org, fnm.vercel.app)
- Download install scripts to temp files before executing (no more piping curl output directly to shell)
- Add cleanup traps to remove temp directories on exit

Affected scripts:
- install_act.sh (nektos/act@fe017a1)
- install_actionlint.sh (rhysd/actionlint@62c50a9)
- install_azd.sh (Azure/azure-dev@0340065)
- install_golangci-lint.sh (golangci/golangci-lint@870ddc1)
- install_opentofu.sh (opentofu/get.opentofu.org@c4f7de9)
- setup_fnm.sh (Schniz/fnm@bfb1860)

Resolves GitHub Advanced Security alerts #5, #6, #7, #8, #9, #10.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Move hardcoded INSTALL_SCRIPT_SHA values from shell scripts into *_INSTALLER_SHA vars maps in each domain Taskfile. Scripts now read the SHA from the INSTALLER_SHA env var passed by the Taskfile cmd block, keeping tool versions and installer SHAs as separate concerns. This addresses review feedback to follow the repo's existing pattern of centralizing configuration in Taskfile vars.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Adds a regex guard in all 6 installer scripts to reject non-SHA values (e.g., branch names like 'main') and prevent silently reintroducing unpinned dependency risk.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…cripts
The VERSION="${1:-${VERSION:-latest}}" line was accidentally removed
during the SHA validation commit, causing scripts to crash under set -u
when referencing the unbound VERSION variable.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update usage() in all 6 install scripts to document INSTALLER_SHA as a required environment variable, with examples showing the env var prefix and a note that Taskfile sets it automatically.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Break single-line || { ...; } patterns into multi-line format to
satisfy shfmt CI linting rules.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Fixes 6 OpenSSF Scorecard Pinned-Dependencies alerts (#5, #6, #7, #8, #9, #10) flagged by GitHub Advanced Security. Also addresses review feedback to centralize SHA management and bumps Go to fix stdlib vulnerabilities.
Problem
Six install scripts used `curl | bash` with unpinned URLs (branch refs like `master`/`main` or URL shorteners like `aka.ms`). This is a supply-chain risk: if the remote script is compromised, arbitrary code runs with the user's privileges.

Changes
1. Pin installer script URLs to commit SHAs and eliminate pipe-to-shell
For each of the 6 scripts:
- `raw.githubusercontent.com` URLs pinned to specific commit SHAs
- Scripts downloaded with `curl -o`, then executed
- `trap cleanup EXIT INT TERM` ensures temp directories are removed

2. Centralize installer SHAs in Taskfile vars maps
Per review feedback from @DariuszPorowski, moved hardcoded `INSTALL_SCRIPT_SHA` values from shell scripts into `*_INSTALLER_SHA` vars maps in each domain Taskfile:
| Taskfile | Vars map |
|---|---|
| github.Taskfile.yml | GITHUB_INSTALLER_SHA |
| golang.Taskfile.yml | GO_INSTALLER_SHA |
| azure.Taskfile.yml | AZURE_INSTALLER_SHA |
| terraform.Taskfile.yml | TERRAFORM_INSTALLER_SHA |
| runtime.Taskfile.yml | RUNTIME_INSTALLER_SHA |
Scripts now read the SHA from the `INSTALLER_SHA` env var passed by the Taskfile `cmd` block. Each SHA line includes a version tag or commit date comment for traceability.

3. Bump Go from 1.26.1 to 1.26.2
Fixes 4 stdlib vulnerabilities:
- crypto/x509
- crypto/x509
- crypto/tls
- crypto/x509

| Script | Pinned installer SHA |
|---|---|
| install_act.sh | fe017a1 |
| install_actionlint.sh | 62c50a9 |
| install_azd.sh | 0340065 |
| install_golangci-lint.sh | 870ddc1 |
| install_opentofu.sh | c4f7de9 |
| setup_fnm.sh | bfb1860 |

Validation
- `task sh:lint`: shellcheck + shfmt pass for all modified scripts
- `task build:mpf`: Go binary compiles
- `task go:lint`: golangci-lint + govulncheck pass (0 vulnerabilities)
- `task testunit`: 74/74 unit tests pass

Maintainability
SHAs are centralized in the Taskfile `*_INSTALLER_SHA` vars maps with version/date annotations. To update a SHA, edit the single line in the relevant Taskfile.
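The pattern described in the Copilot review summary and in the Changes section above, as an added example that is not the PR's own script: a POSIX sh installer helper that takes the pin from the `INSTALLER_SHA` environment variable (as the Taskfile `cmd` block would pass it), rejects anything that is not a full 40-hex commit SHA, downloads the installer from a `raw.githubusercontent.com` URL into a private temp directory, runs it from disk, and removes the directory via `trap`. The repository slug `example-org/example-tool`, the installer path `install.sh`, and the full-length-SHA rule are assumptions; the PR lists abbreviated SHAs in its description and its actual validation regex is not shown on this page.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own script. Assumptions (not in the PR): the
# installer lives at example-org/example-tool/install.sh on GitHub, and a valid
# pin is a full 40-hex commit SHA rather than an abbreviated one.
set -eu

# Accept only a full 40-hex commit SHA. Branch names (main, master) or tags
# would silently turn the pin back into a moving reference, so they are rejected.
is_commit_sha() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Build the raw.githubusercontent.com URL for a file at a pinned commit.
# $1 owner/repo, $2 commit SHA, $3 path within the repository
pinned_url() {
    printf 'https://raw.githubusercontent.com/%s/%s/%s\n' "$1" "$2" "$3"
}

# Download the installer into a fresh temp dir, execute it from disk, clean up.
# The trap removes the directory on normal exit and on INT/TERM.
run_pinned_installer() {
    repo=$1; sha=$2; path=$3; shift 3   # remaining args go to the installer

    if ! is_commit_sha "$sha"; then
        echo "INSTALLER_SHA must be a 40-hex commit SHA, got '$sha'" >&2
        return 1
    fi

    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT INT TERM

    url=$(pinned_url "$repo" "$sha" "$path")
    # -f: an HTTP error page must never be saved and then executed as the installer
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmpdir/install.sh" "$url"
    sh "$tmpdir/install.sh" "$@"
}

usage() {
    cat <<EOF
Usage: INSTALLER_SHA=<40-hex commit> $0 [VERSION]
  The Taskfile sets INSTALLER_SHA from its *_INSTALLER_SHA vars map.
EOF
}

# Entry point: runs only when INSTALLER_SHA is set, so the functions above can
# be sourced and exercised without network access.
if [ -n "${INSTALLER_SHA:-}" ]; then
    VERSION="${1:-${VERSION:-latest}}"   # default kept so 'set -u' cannot trip on it
    run_pinned_installer "example-org/example-tool" "$INSTALLER_SHA" "install.sh" "$VERSION"
fi
```

Two checks are worth keeping when adapting this: `curl -f`, so an HTTP error page is never written to disk and executed as the installer, and the SHA guard, so a value like `main` in the Taskfile map cannot quietly reintroduce the unpinned dependency the PR removed. A commit SHA pins the content of the script but does not verify who wrote it; GitHub serving the raw file over TLS remains the trust anchor, which is why `--proto '=https'` refuses any protocol downgrade.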