Revert make.com vendoring, download with SHA-256 verification (#5684)

Copilot · compulim · web-flow · commit c41701419936 · 2026-02-03T12:13:25.000-08:00
* Initial plan

* Revert make.com vendoring, add SHA verification and download from Internet

Co-authored-by: compulim &lt;1622400+compulim@users.noreply.github.com&gt;

* Security: Move chmod after SHA verification

Co-authored-by: compulim &lt;1622400+compulim@users.noreply.github.com&gt;

* Remove makeComSha256 field, hardcode SHA in build:pre:setup script

Co-authored-by: compulim &lt;1622400+compulim@users.noreply.github.com&gt;

* Reorder build:pre script: local-dependencies before setup

Co-authored-by: compulim &lt;1622400+compulim@users.noreply.github.com&gt;

* Use more specific .gitignore patterns with leading/trailing slashes

Co-authored-by: compulim &lt;1622400+compulim@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: compulim &lt;1622400+compulim@users.noreply.github.com&gt;
diff --git a/packages/test/test-assets/.gitignore b/packages/test/test-assets/.gitignore
@@ -1,2 +1,3 @@
-node_modules
-out
+/make.com
+/node_modules/
+/out/
diff --git a/packages/test/test-assets/make.com b/packages/test/test-assets/make.com
diff --git a/packages/test/test-assets/package.json b/packages/test/test-assets/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@msinternal/test-assets",
   "version": "0.0.0-0",
-  "description": "",
+  "description": "Uses make.com from Cosmopolitan Libc. Source code available at: https://github.com/jart/cosmopolitan/tree/master/third_party/make",
   "private": true,
   "author": "Microsoft Corporation",
   "license": "MIT",
@@ -10,10 +10,11 @@
   },
   "scripts": {
     "build": "npm run --if-present build:pre && npm run build:run && npm run --if-present build:post",
-    "build:pre": "npm run build:pre:local-dependencies && npm run build:pre:watch",
+    "build:pre": "npm run build:pre:local-dependencies && npm run build:pre:setup && npm run build:pre:watch",
     "build:pre:local-dependencies": "../../../scripts/npm/build-local-dependencies.sh",
+    "build:pre:setup": "command -v make >/dev/null 2>&1 || { [ -x ./make.com ] || { curl -fsSL -o make.com https://cosmo.zip/pub/cosmos/bin/make && EXPECTED_SHA=7b14377fbd6fff445abbf922583112c25a678b375eea624bd1765f74756f54fb && ACTUAL_SHA=$(shasum -a 256 make.com | cut -d' ' -f1) && [ \"$EXPECTED_SHA\" = \"$ACTUAL_SHA\" ] || { echo \"ERROR: make.com SHA mismatch! Expected: $EXPECTED_SHA, Got: $ACTUAL_SHA\" >&2; rm make.com; exit 1; } && chmod +x make.com; }; }",
     "build:pre:watch": "../../../scripts/npm/build-watch.sh",
-    "build:run": "./make.com clean all",
+    "build:run": "MAKE_BIN=$(command -v make || echo ./make.com) && \"$MAKE_BIN\" clean all",
     "bump": "vg bump prod && vg bump dev && (npm audit fix || exit 0)",
     "eslint": "npm run precommit",
     "postversion": "../../../scripts/npm/postversion.sh",
