security: harden notifications, ref handling, signals, and release pipeline #3
Merged
watany-dev merged 2 commits into main from May 1, 2026
Pre-release security pass before public beta. Changes are grouped into four
self-contained hardening areas, each with new tests:
- internal/notify: replace ad-hoc PowerShell quoting with -EncodedCommand
(UTF-16LE base64), add `--` separator for notify-send, sanitize control
characters and cap field length so a malicious branch name or backupRef
can't smuggle escapes into a toast or terminal.
- internal/git: tighten branch-name handling for backup refs to an allowlist
([A-Za-z0-9._-]) with hash fallback, and replace the prefix-only IsBackupRef
with a full-pattern match so that user-supplied refs containing git
revision syntax (@{N}, ^, ~, :) cannot reach `git reset --hard` via
`rescue restore`.
- internal/cli + cmd/git-real: thread context.Context through Run, runStart,
runChallenge, and sleepUntil; main wires signal.NotifyContext for SIGINT
and SIGTERM so Ctrl-C during the grace period exits cleanly without
applying a penalty.
- Makefile + release workflow: build with -trimpath, -buildvcs, embedded
version/commit/date, and a pinned SOURCE_DATE_EPOCH for reproducible
binaries; sign SHA256SUMS via cosign keyless OIDC and ship the .sig/.pem
alongside the archives. Adds `git real --version` and verification
instructions in the README.
https://claude.ai/code/session_01BQTaxBPYMX7YFsicvwNdUG
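
The internal/git item above, as an added Go example (not the project's own code): a branch name is reduced to an allowlisted ref component with a hash fallback, and a full-pattern `isBackupRef` is compared with a prefix-only check on refs that carry revision syntax. The `refs/backup/<component>/<unix-seconds>` layout, the `h-` prefix and every function name are assumptions; the extra `..`, leading-dot and `.lock` checks follow git's ref-name rules rather than anything stated on the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Assumed layout (hypothetical): refs/backup/<component>/<unix-seconds>.
const backupPrefix = "refs/backup/"
var componentRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
var backupRefRe = regexp.MustCompile(`^refs/backup/([A-Za-z0-9._-]+)/[0-9]{1,19}$`)

// validComponent: allowlist plus git rules the allowlist alone would still permit.
func validComponent(s string) bool {
	return componentRe.MatchString(s) && !strings.Contains(s, "..") && !strings.HasPrefix(s, ".") && !strings.HasSuffix(s, ".lock")
}

// refComponent keeps an allowlisted name, else falls back to a truncated SHA-256.
func refComponent(branch string) string {
	if validComponent(branch) {
		return branch
	}
	sum := sha256.Sum256([]byte(branch))
	return "h-" + hex.EncodeToString(sum[:8])
}

// backupRefName builds a ref that isBackupRef will later accept.
func backupRefName(branch string, unix int64) string {
	return fmt.Sprintf("%s%s/%d", backupPrefix, refComponent(branch), unix)
}

// isBackupRefPrefixOnly is the weak form: anything after the prefix passes.
func isBackupRefPrefixOnly(ref string) bool { return strings.HasPrefix(ref, backupPrefix) }

// isBackupRef matches the whole ref; Go's `$` is end of text, so no suffix or newline passes.
func isBackupRef(ref string) bool {
	m := backupRefRe.FindStringSubmatch(ref)
	return m != nil && validComponent(m[1])
}

func main() {
	good := backupRefName("feature/login", 1700000000) // constructed sample input
	for _, ref := range []string{good, good + "@{1}", good + "^", good + "~2", good + ":f", "refs/backup/../1"} {
		fmt.Printf("%-45q prefix-only=%-5v full=%v\n", ref, isBackupRefPrefixOnly(ref), isBackupRef(ref))
	}
}
```

Only a ref that passes `isBackupRef` should ever be handed to a command that rewrites the working tree.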
zizmor (v1.24.1) flagged 22 supply-chain and least-privilege findings on the
existing workflows. Address all of them:
- Pin every action to a full commit SHA with the corresponding semver tag in
a comment, so a tag-rewrite attack on a popular action repository (e.g.
tj-actions/changed-files) cannot reach our builds.
- Switch the workflow-level `permissions` to deny-by-default and grant the
minimum scope per job: read for build, write only for the publish job that
mints the release and signs blobs via OIDC.
- Add `permissions: contents: read` to the ci check job.
- Pass `persist-credentials: false` to actions/checkout so the GITHUB_TOKEN
is not persisted into `.git/config` for later steps.
- Disable the setup-go cache in the release workflow to avoid cache poisoning
influencing released binaries.
- Replace softprops/action-gh-release with the runner-resident
`gh release create`, removing one third-party dependency from the publish
path.
actionlint reports no findings; zizmor now reports zero findings (the 5
remaining are low-confidence suppressions).
https://claude.ai/code/session_01BQTaxBPYMX7YFsicvwNdUG