Pre-cut audit cleanups (0.19.9) — checksum-gate test, darwin doc, gofmt, hasGitEntry, node-action bump#359
Merged
GitHub forces actions/checkout@v4, setup-go@v5, goreleaser-action@v6 (and sibling node-20 actions) onto node24 from 2026-06-16. Bump every node24-tracked uses: pin across the five workflows to its node24 major: checkout@v5, setup-go@v6, goreleaser-action@v7, setup-node@v6, setup-python@v6, upload-artifact@v5. deploy-pages@v4 / upload-pages-artifact@v3 have no node24 release yet and sit off the flip-cut path (docs.yml) — left pinned with a why-comment. Add internal/release/node24_actions_guard_test.go: parses every .github/workflows/*.yml uses: pin and reds if any node24-tracked action is pinned below its recorded node24-minimum major. The minimum map is the in-test oracle (from the deprecation facts), so a regression to @v4 fails the guard. Companion adversarial sub-test reverts checkout to @v4 and asserts the guard trips. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
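The guard this commit describes, as an added example written here rather than taken from the repository's node24_actions_guard_test.go: a scanner over workflow text that reds any tracked action pinned below its node24 minimum. The action names and minimum majors are assumed from the bump list above, and the sample workflow is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// node24Min is the in-test oracle: the first major of each tracked action that
// runs on node24 (values mirror the bump list above; assumed, re-check them).
var node24Min = map[string]int{
	"actions/checkout": 5, "actions/setup-go": 6, "actions/setup-node": 6,
	"actions/setup-python": 6, "actions/upload-artifact": 5,
	"goreleaser/goreleaser-action": 7,
}

// usesRe matches an unquoted `uses: owner/repo[/subpath]@vN[.x.y]` step line.
// SHA, branch and quoted pins do not match and are deliberately not judged.
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@v(\d+)(?:\.\d+)*\s*(?:#.*)?$`)

// StaleNode20Pins returns every tracked action in one workflow body whose
// pinned major is below its node24 minimum, as "action@vN (need vM)".
func StaleNode20Pins(workflow string) []string {
	var stale []string
	for _, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		need, tracked := node24Min[m[1]]
		major, _ := strconv.Atoi(m[2]) // \d+ guarantees a valid integer
		if tracked && major < need {
			stale = append(stale, fmt.Sprintf("%s@v%d (need v%d)", m[1], major, need))
		}
	}
	return stale
}

// Constructed sample (not a repository workflow): a stale pin, a bumped pin,
// and a stale pin carrying a minor suffix plus a trailing comment.
const sampleWorkflow = `steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-go@v6
  - uses: goreleaser/goreleaser-action@v6.1.0 # pinned minor
`

func main() {
	fmt.Println("stale pins:", StaleNode20Pins(sampleWorkflow))
}
```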
… AC-4) AC-1: internal/release/install_checksum_gate_test.go builds a local dist/ fixture (a tar.gz holding a bare runnable spacedock + a matching checksums.txt) and drives `sh install.sh` via SPACEDOCK_INSTALL_FROM, no goreleaser. Asserts the happy path installs a runnable binary and that a byte-appended (tampered) tarball makes install.sh exit non-zero installing nothing. Companion load-bearing sub-test strips the gate lines (install.sh:164-169) to a temp copy, runs the SAME tamper case against it, and asserts the gateless installer wrongly exits 0 — proving the live tamper assertion actually binds the gate. Verified: deleting install.sh's gate reds the tamper assertion; restoring it greens all four. AC-4: cross-reference comment at hasGitEntry (handlers.go) naming TestDiscoverWorkflowsSkipsNestedCheckout as its sole guard, so a future edit knows what protects it. Comment-only; internal/status stays green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
gofmt -l flagged this file. Under go1.26.1 a naive gofmt -w would rewrite the line-23 bare '' in the cwd comment into a curly U+201D (the go/doc comment reformatter treating '' as a typographic quote) — a content change, not whitespace. Reword the comment to drop the bare '' first, so the only formatting change gofmt applies is the benign comment-column realignment on lines 62-65. Verified: gofmt -l clean, zero U+201D bytes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
0.19.9 added linux binaries but release.yml's file-header still described
a darwin-only build ("cross-builds the darwin … tarballs", "darwin binaries
are built natively"). Reword the header to name the darwin+linux ×
arm64+amd64 matrix .goreleaser.yaml actually builds, keeping the accurate
"runs on macOS" note (darwin native; linux cross-compiles, CGO_ENABLED=0).
docs/releasing.md was already reconciled and is left unchanged.
Guard it in goreleaser_guard_test.go: TestReleaseHeaderNamesEveryBuildOS
parses .goreleaser.yaml's goos set (the independent oracle) and asserts
release.yml's leading comment header names every build OS — so a header
that drops `linux` reds even while it still mentions `darwin`. Companion
adversarial sub-test strips `linux` from a header copy and asserts the
guard trips. Verified: reverting to the darwin-only header reds the check.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
clkao added a commit that referenced this pull request on Jun 13, 2026
The load-bearing sub-test (and the main tamper case) tampered by byte-appending to the tarball. On macOS `tar` tolerates the trailing bytes, but on Linux CI `tar` REJECTS the corrupted archive independent of the checksum gate, so the gateless install exited 1 instead of the expected 0 — TestChecksumGateGuardIsLoadBearing failed on Linux and the byte-append did not isolate the gate. Swap the tamper for a structurally-VALID tar.gz whose `spacedock` payload differs, leaving checksums.txt unchanged: the archive extracts cleanly on every platform, so the ONLY post-strip rejection is sha256 != checksums.txt — the checksum gate, isolated. Applied to both the main tamper case and the load-bearing sub-test. install.sh and the gate are untouched. Verified: full extract with `tar -xzf … spacedock` succeeds (rc=0); deleting install.sh's gate still reds the tamper assertion; release pkg green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
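The isolated tamper case this commit describes, as an added example (not the repository's install_checksum_gate_test.go or install.sh): a structurally valid tar.gz with a different payload extracts cleanly, yet fails an exact-line sha256 check against checksums.txt, so the checksum gate is the only thing that rejects it. The member and file names, the payloads and the Contains-style gate check are assumptions made for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// BuildTarGz returns a structurally valid tar.gz with one executable member.
func BuildTarGz(name string, payload []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o755, Size: int64(len(payload))})
	tw.Write(payload)
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
// Sha256Hex is the digest form checksums.txt records (sha256sum style).
func Sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// ChecksumGateOK mirrors the install.sh gate: pass only when checksums.txt holds
// an exact "<sha256>  <file>" line for this archive; anything else fails closed.
func ChecksumGateOK(archive []byte, checksums, file string) bool {
	return strings.Contains(checksums, Sha256Hex(archive)+"  "+file+"\n")
}

// ExtractMember is the gateless installer's step: a nil error means `tar` accepted it.
func ExtractMember(archive []byte, name string) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive)) // corrupt gzip stream fails here
	var h *tar.Header
	for tr := tar.NewReader(gz); err == nil; h, err = tr.Next() {
		if h != nil && h.Name == name {
			return io.ReadAll(tr)
		}
	}
	return nil, err // gzip or tar error, or io.EOF when the member is absent
}

func main() { // constructed fixtures: genuine archive, its checksums.txt line, valid-but-different tamper
	checksums := Sha256Hex(BuildTarGz("spacedock", []byte("#!/bin/sh\necho genuine\n"))) + "  spacedock.tar.gz\n"
	tampered := BuildTarGz("spacedock", []byte("#!/bin/sh\necho tampered\n"))
	_, err := ExtractMember(tampered, "spacedock")
	fmt.Println("tampered extracts cleanly:", err == nil, "| gate passes:", ChecksumGateOK(tampered, checksums, "spacedock.tar.gz"))
}
```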
Bump node-20 GitHub Actions to their node24 majors before the 2026-06-16 deprecation, and close four non-blocking findings from the 0.19.9 pre-cut audit.
What changed
`sh install.sh` (reds if the gate is removed or weakened)
`.goreleaser.yaml`
Evidence
`go test ./...` green (15 pkgs, exit 0)