Commit 5017ace
fix(ci): enforce HTTPS on the sccache download curl (SonarCloud Security gate)
The phase-2 sccache fetch in build.sh used `curl -fsSL` (which follows redirects via -L)
without --proto =https --proto-redir =https, tripping the same "Not enforcing HTTPS /
redirections to insecure websites" Major hotspot the model-download curls were already
hardened against — which dropped the New-Code Security Rating to C and failed the gate.
Add the proto flags so neither the URL nor the GitHub release redirect can downgrade to
cleartext. Verified the download still succeeds through the
github.com -> objects.githubusercontent.com (HTTPS) redirect.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JdLpWD8nedY7LwNnHefZLF1
parent 3beefc6 commit 5017ace
1 file changed
Lines changed: 2 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
29 | | - | |
| 29 | + | |
| 30 | + | |
30 | 31 | | |
31 | 32 | | |
32 | 33 | | |
| |||
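Review bot: on the replaced curl call (new lines 29-30), `--proto =https --proto-redir =https` constrains the transport only; it does not authenticate the sccache archive that comes back. If build.sh does not already compare the download against a pinned SHA-256 before unpacking it, add that check next to this call. The commit message says the github.com -> objects.githubusercontent.com redirect was verified by hand, so a short comment beside the flags noting that `-L` follows that release redirect would keep the reason visible to whoever edits the line next.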