From 3998e69ff7ecb567e038260fb7d02efb5aa94e62 Mon Sep 17 00:00:00 2001
From: spacegeologist
Date: Tue, 26 May 2026 12:52:35 +0800
Subject: [PATCH] fix(ci): avoid piping Bun installer into shell

---
 .gitlab-ci.yml                |  7 ++++++-
 test/gitlab-ci-safety.test.ts | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 test/gitlab-ci-safety.test.ts

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7e5e1fa31..b57c006e6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,12 @@ variables:
 
 .setup-bun: &setup-bun
   - apt-get update -qq && apt-get install -qq -y curl jq git
-  - curl -fsSL https://bun.sh/install | bash -s "bun-v$BUN_VERSION"
+  - |
+    BUN_INSTALL_SCRIPT="$(mktemp)"
+    trap 'rm -f "$BUN_INSTALL_SCRIPT"' EXIT
+    curl -fsSL https://bun.sh/install -o "$BUN_INSTALL_SCRIPT"
+    test -s "$BUN_INSTALL_SCRIPT"
+    bash "$BUN_INSTALL_SCRIPT" "bun-v$BUN_VERSION"
   - export PATH="$HOME/.bun/bin:$PATH"
 
 version-gate:
diff --git a/test/gitlab-ci-safety.test.ts b/test/gitlab-ci-safety.test.ts
new file mode 100644
index 000000000..4b33a27a5
--- /dev/null
+++ b/test/gitlab-ci-safety.test.ts
@@ -0,0 +1,18 @@
+import { describe, expect, test } from 'bun:test';
+import { readFileSync } from 'fs';
+import { join } from 'path';
+
+const ROOT = join(import.meta.dir, '..');
+
+describe('GitLab CI installer safety', () => {
+  test('does not pipe the remote Bun installer directly into a shell', () => {
+    const ci = readFileSync(join(ROOT, '.gitlab-ci.yml'), 'utf-8');
+    const offenders = ci
+      .split('\n')
+      .map((line, index) => ({ line: index + 1, text: line.trim() }))
+      .filter(({ text }) => /bun\.sh\/install/.test(text))
+      .filter(({ text }) => /\bcurl\b.*\|\s*(bash|sh)\b/.test(text));
+
+    expect(offenders).toEqual([]);
+  });
+});
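Review bot: The new `.setup-bun` block still executes whatever `curl` fetched from bun.sh without verifying it — the commit removes the stream-into-shell hazard, but `test -s` only rejects an empty file, so a tampered installer would run just the same, and `bun-v$BUN_VERSION` pins the Bun release the installer fetches, not the installer script itself. If supply-chain assurance is the goal here, add an integrity check between the download and the `bash` line, e.g. `echo "<EXPECTED_SHA256>  $BUN_INSTALL_SCRIPT" | sha256sum -c -` with the expected digest kept as a protected CI variable, or install Bun from a pinned container image instead of a downloaded script. A smaller point: `trap ... EXIT` fires when the job's shell exits, not when this anchor's lines finish, so the temp file outlives the install; an explicit `rm -f "$BUN_INSTALL_SCRIPT"` after the `bash` line is tighter. Whether a failing `curl` aborts the job before reaching `bash` depends on the runner shell's `set -e` behaviour, which this hunk does not show.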
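Review bot: The guard in the second `.filter` only catches the `| bash` / `| sh` form, and only on lines that also mention `bun.sh/install` (first `.filter`); `bash <(curl …)` and `eval "$(curl …)"` re-introduce the same remote-code-execution path and would pass this test, as would the identical pattern against any other installer URL. Consider replacing the URL filter with a generic `/https?:\/\//` match and adding a second predicate for substitution forms, `/\b(bash|sh|eval)\b.*(<\(|\$\()\s*curl\b/`, so the test guards the practice rather than one literal URL. Two style points: the two chained `.filter` calls would read more clearly as a single predicate, and the `fs`/`path` imports are more explicit as `node:fs`/`node:path`.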