Commit 5017ace

fix(ci): enforce HTTPS on the sccache download curl (SonarCloud Security gate)
The phase-2 sccache fetch in build.sh used `curl -fsSL` (which follows redirects via -L) without --proto =https --proto-redir =https, tripping the same "Not enforcing HTTPS / redirections to insecure websites" Major hotspot the model-download curls were already hardened against — which dropped the New-Code Security Rating to C and failed the gate. Add the proto flags so neither the URL nor the GitHub release redirect can downgrade to cleartext. Verified the download still succeeds through the github.com -> objects.githubusercontent.com (HTTPS) redirect.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JdLpWD8nedY7LwNnHefZLF
1 parent 3beefc6 commit 5017ace

1 file changed

Lines changed: 2 additions & 1 deletion

.github/build.sh

@@ -26,7 +26,8 @@ if [ "${USE_CACHE:-true}" = "true" ] && [ -n "${SCCACHE_WEBDAV_TOKEN:-}${SCCACHE
2626
&& [ "$(uname -s)" = "Linux" ] && [ "$(uname -m)" = "x86_64" ]; then
2727
SCCACHE_REL="sccache-v0.8.2-x86_64-unknown-linux-musl"
2828
echo "build.sh: fetching ${SCCACHE_REL} (no sccache on PATH)..."
29-
if curl -fsSL "https://github.com/mozilla/sccache/releases/download/v0.8.2/${SCCACHE_REL}.tar.gz" \
29+
if curl -fsSL --proto =https --proto-redir =https \
30+
"https://github.com/mozilla/sccache/releases/download/v0.8.2/${SCCACHE_REL}.tar.gz" \
3031
-o /tmp/sccache.tgz && tar -xzf /tmp/sccache.tgz -C /tmp; then
3132
export PATH="/tmp/${SCCACHE_REL}:$PATH"
3233
echo "build.sh: sccache -> $(command -v sccache || echo 'still missing')"
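Review bot: the fetched tarball is still unverified before it is unpacked and put on PATH: `-o /tmp/sccache.tgz && tar -xzf /tmp/sccache.tgz -C /tmp` extracts whatever the release URL served, and the next line does `export PATH="/tmp/${SCCACHE_REL}:$PATH"`, so `--proto =https --proto-redir =https` closes the cleartext-downgrade finding but does nothing against an unexpected asset behind the release URL. Suggest pinning the expected SHA-256 of `${SCCACHE_REL}.tar.gz` in the repo and checking it between the curl and the tar, e.g. `echo "<expected-sha256>  /tmp/sccache.tgz" | sha256sum -c -` (placeholder hash), failing the build on mismatch. The proto flags themselves look right: `-L` is kept so the github.com -> objects.githubusercontent.com redirect described in the commit message still works, while `--proto-redir =https` makes curl refuse any redirect target that is not HTTPS.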
