security: harden supply chain dependencies #44
Conversation
Pull request overview
This PR hardens the dotfiles’ supply chain by pinning external dependencies (install scripts, GitHub Actions, and shell/editor plugins) to immutable references and adding checksum verification before executing downloaded artifacts.
Changes:
- Replace `curl | bash`-style installs with commit/tag pinning plus SHA-256 verification for Homebrew/Brewfile/font downloads.
- Pin GitHub Actions usages to full commit SHAs and add checksum verification for downloaded CI binaries.
- Pin zsh/neovim plugin bootstraps to fixed revisions (zinit plugins via `ver"<sha>"`, lazy.nvim via commit checkout, yaskkserv2 via `--tag`).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| install_scripts/lib/dotinstaller/install-skk.sh | Pin yaskkserv2 install to a release tag. |
| install_scripts/lib/dotinstaller/install-homebrew.sh | Pin Homebrew installer script to a commit and verify SHA-256 before execution. |
| install_scripts/lib/dotinstaller/install-fonts.sh | Pin font downloads to fixed releases and verify SHA-256 checksums. |
| install_scripts/lib/dotinstaller/install-brewfile.sh | Pin homebrew-file installer to a commit and verify SHA-256 before execution. |
| .github/workflows/neovim-health.yml | Pin third-party actions to full commit SHAs. |
| .github/workflows/lua-lint.yml | Pin actions and add SHA-256 verification for downloaded lint tool binaries. |
| .github/workflows/gitguardian.yml | Pin GitGuardian action (and checkout) to full commit SHAs. |
| .config/zsh/rc/pluginlist.zsh | Pin zinit/plugins to fixed revisions (plugins via `ver"<sha>"`). |
| .config/nvim/lua/rc/plugins/init.lua | Pin lazy.nvim bootstrap to a specific commit referenced from lazy-lock.json. |
Comments suppressed due to low confidence (1)
.config/nvim/lua/rc/plugins/init.lua:13
- If the `git checkout <commit>` fails (e.g., commit not reachable from the cloned branch), `vim.v.shell_error` will be non-zero but `out` still contains the clone output and the error text says "Failed to clone". Capture and report the checkout output separately and update the error message to reflect whether clone or checkout failed.
```lua
local out = vim.fn.system({ "git", "clone", "--filter=blob:none", "--single-branch", lazyrepo, lazypath })
if vim.v.shell_error == 0 then
  vim.fn.system({ "git", "-C", lazypath, "checkout", "306a05526ada86a7b30af95c5cc81ffba93fef97" })
end
if vim.v.shell_error ~= 0 then
  vim.api.nvim_echo({
    { "Failed to clone lazy.nvim:\n", "ErrorMsg" },
    { out, "WarningMsg" },
```
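The review above lists three workflows whose third-party actions were moved to full commit SHAs. As an added example (not code from this PR or its repository), the shell script below audits a workflow file for `uses:` entries still on a mutable ref such as a tag, a branch, or an abbreviated SHA, which is the check a reviewer would run before and after a change like this one. The function names are assumptions; the sample workflow it writes is constructed here, and the 40-hex SHA inside it is a placeholder, not a real commit of any action.

```shell
#!/bin/sh
# Added example (not from this PR's repository): find GitHub Actions
# `uses:` entries that are not pinned to a full commit SHA. Function names
# are assumptions; the workflow written by write_sample_workflow is
# constructed for this demo and its 40-hex SHA is a placeholder, not a
# real commit of any action.
set -eu

# Print, with line numbers, every `uses:` entry whose ref is not exactly
# 40 hex characters. Tags (@v4), branches (@main) and short SHAs are all
# mutable or ambiguous and get flagged; local actions (./path) and
# docker:// images are out of scope for this check and are skipped.
unpinned_uses() {
    grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
      | grep -vE 'uses:[[:space:]]*(\./|docker://)' \
      | grep -vE '@[0-9a-f]{40}([^0-9a-f]|$)' || true   # grep exits 1 when nothing is left; not an error here
}

# Number of unpinned entries in one file, printed as a bare integer.
count_unpinned() {
    unpinned_uses "$1" | wc -l | tr -d ' '
}

# CI gate: report every unpinned reference in the given files and return 1
# if any were found, 0 if every action is SHA-pinned.
audit_workflows() {
    status=0
    for f in "$@"; do
        n=$(count_unpinned "$f")
        if [ "$n" -gt 0 ]; then
            printf '%s: %s unpinned action reference(s)\n' "$f" "$n"
            unpinned_uses "$f"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample workflow (not a real file from the repository). Lines
# 7 and 11 are unpinned; line 8 is pinned to the placeholder SHA.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x (placeholder SHA)
      - uses: ./.github/actions/local-step
      - name: run linter
        uses: example-org/lint-action@main
      - uses: docker://alpine:3.20
EOF
}
```

Call `audit_workflows .github/workflows/*.yml` from a pre-commit hook or a CI job; the trailing `# v4.x` comment after a pinned SHA is the convention that keeps the pin readable, and a tool such as Dependabot can update the SHA and comment together. The check only proves the ref is immutable; it says nothing about whether the pinned commit itself is the one you reviewed, so the first pin of each action still deserves a look at the upstream tag it corresponds to.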
- Fix `/dev/temp/null` typo to `/dev/null` in install-skk.sh
- Use mktemp + trap for temp files instead of fixed /tmp paths
- Add sha256sum/shasum fallback for Linux compatibility
- Fix zinit comment to reflect tag pinning (not commit pinning)
- Quote ZPLG_HOME path in zinit clone
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
.config/nvim/lua/rc/plugins/init.lua:13
- If `git clone` succeeds but the subsequent `git checkout <sha>` fails, the error shown will still say "Failed to clone lazy.nvim" and will display the clone output (not the checkout failure), because `out` isn't updated for the checkout step. Capture and check the checkout result separately (and adjust the message to something like "Failed to install lazy.nvim") so failures are diagnosable.
```lua
local out = vim.fn.system({ "git", "clone", "--filter=blob:none", "--single-branch", lazyrepo, lazypath })
if vim.v.shell_error == 0 then
  vim.fn.system({ "git", "-C", lazypath, "checkout", "306a05526ada86a7b30af95c5cc81ffba93fef97" })
end
if vim.v.shell_error ~= 0 then
  vim.api.nvim_echo({
    { "Failed to clone lazy.nvim:\n", "ErrorMsg" },
    { out, "WarningMsg" },
```
- Use portable mktemp templates for macOS BSD compatibility
- Pin zinit to commit hash instead of tag (tags can be retargeted)
- Improve lazy.nvim bootstrap error reporting for checkout failures
Summary
- Replaced the `curl | bash` pattern with commit pinning plus SHA-256 checksum verification
- Changed `--branch=stable` to a specific commit
- Added `--tag 0.1.7` to the `cargo install --git` for yaskkserv2

Motivation
A supply chain attack risk analysis found several places where external dependencies were neither version-pinned nor checksum-verified, so countermeasures were implemented.

Test plan
- `./install_scripts/dotinstaller.sh link` to confirm linking
- `nvim --headless "+Lazy sync" +qa` to confirm plugin sync
- Run `./setup.sh --install` and confirm that checksum verification works
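The pattern this PR and its follow-up commits describe (download from a URL pinned to an immutable ref, verify SHA-256 before anything executes the file, keep the download under a mktemp directory cleaned by a trap, and fall back between sha256sum and shasum across Linux and macOS) as an added example in POSIX shell. This is not the repository's own install script; the function names, the openssl fallback and the `fetch.XXXXXX` template are assumptions for illustration, and the demo file it hashes is constructed here.

```shell
#!/bin/sh
# Added example (not the repository's own install script): download a
# pinned artifact and verify its SHA-256 before anything executes it.
# Function names, the openssl fallback and the mktemp template are
# assumptions for illustration.
set -eu

# SHA-256 hex digest of a file: sha256sum on Linux (coreutils), shasum on
# macOS, openssl as a last resort. Output is the bare 64-hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Return 0 if the file's digest equals $2, else print both digests to
# stderr and return 1. Printing both is what makes a CI failure diagnosable.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# Fetch $1 (a URL naming an immutable ref, e.g. a raw GitHub URL with a full
# commit SHA in the path), verify against $2, and only then move the file to
# $3. The download lands in a mktemp directory whose template works with
# both GNU and BSD mktemp; the trap removes it on any exit, including a
# checksum mismatch, so an unverified file never survives on disk.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/fetch.XXXXXX")
    trap 'rm -rf "$tmpdir"' EXIT INT TERM
    curl -fsSL --retry 3 -o "$tmpdir/artifact" "$url"
    verify_sha256 "$tmpdir/artifact" "$expected"   # under set -e a mismatch aborts here
    mv "$tmpdir/artifact" "$dest"
}

# Offline demo on a constructed file: "hello\n" has a well-known digest
# (5891b5b5...be03). Returns 0 when verification passes.
demo_verify() {
    f=$(mktemp "${TMPDIR:-/tmp}/demo.XXXXXX")
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}
```

Use it as `fetch_verified "$url" "$sha256" "$dest"` and only then `sh "$dest"` (or hand the file to brew, cargo or fontconfig as the installer needs). The SHA in the URL fixes what upstream is asked to serve and the digest check proves what was actually received, so a tag moved upstream, a retargeted branch, or a tampered response from the CDN each fail closed before execution. The expected digests belong in the script or a lock file committed alongside it, never fetched from the same remote as the artifact.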