fix(ci): avoid piping Bun installer into shell

spacegeologist 2026-05-26 12:52:35 +08:00
parent cf50443b63
commit 3998e69ff7
2 changed files with 24 additions and 1 deletions


@ -10,7 +10,12 @@ variables:
.setup-bun: &setup-bun .setup-bun: &setup-bun
- apt-get update -qq && apt-get install -qq -y curl jq git - apt-get update -qq && apt-get install -qq -y curl jq git
- curl -fsSL https://bun.sh/install | bash -s "bun-v$BUN_VERSION" - |
BUN_INSTALL_SCRIPT="$(mktemp)"
trap 'rm -f "$BUN_INSTALL_SCRIPT"' EXIT
curl -fsSL https://bun.sh/install -o "$BUN_INSTALL_SCRIPT"
test -s "$BUN_INSTALL_SCRIPT"
bash "$BUN_INSTALL_SCRIPT" "bun-v$BUN_VERSION"
- export PATH="$HOME/.bun/bin:$PATH" - export PATH="$HOME/.bun/bin:$PATH"
version-gate: version-gate:
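Review bot: The downloaded installer is still executed without any integrity check — `test -s "$BUN_INSTALL_SCRIPT"` only proves the temp file is non-empty, so the new block removes the pipe (the script is now fully fetched before it runs) but not the trust placed in whatever https://bun.sh/install serves at job time. If the project can pin a known-good installer, verify it before the `bash` line, `echo "<EXPECTED_SHA256>  $BUN_INSTALL_SCRIPT" | sha256sum -c -` (placeholder digest), or at minimum log `sha256sum "$BUN_INSTALL_SCRIPT"` so a changed installer is visible in the job output afterwards. Also, within a single `|` block scalar the lines are one shell invocation, so unless the runner's shell runs with errexit (I believe GitLab's bash runner enables it, but confirm for this runner) a failing `test -s` would not stop the following `bash` line; chaining the two with `&&` or starting the block with `set -euo pipefail` makes the guard reliable either way.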


@ -0,0 +1,18 @@
import { describe, expect, test } from 'bun:test';
import { readFileSync } from 'fs';
import { join } from 'path';
const ROOT = join(import.meta.dir, '..');
describe('GitLab CI installer safety', () => {
test('does not pipe the remote Bun installer directly into a shell', () => {
const ci = readFileSync(join(ROOT, '.gitlab-ci.yml'), 'utf-8');
const offenders = ci
.split('\n')
.map((line, index) => ({ line: index + 1, text: line.trim() }))
.filter(({ text }) => /bun\.sh\/install/.test(text))
.filter(({ text }) => /\bcurl\b.*\|\s*(bash|sh)\b/.test(text));
expect(offenders).toEqual([]);
});
});
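Review bot: The test passes vacuously if the installer line disappears or its URL changes — the first filter keeps only lines mentioning `bun.sh/install`, so a mirror URL piped into a shell, a `wget` variant, or `bash <(curl …)` process substitution would all go unflagged. Consider asserting the installer reference is still present, `expect(ci).toMatch(/bun\.sh\/install/);`, and widening the second pattern to cover the other forms, e.g. `/\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b|<\(\s*(curl|wget)\b/`. Minor style point: the `'node:fs'` and `'node:path'` specifiers make the builtin imports explicit, consistent with the `bun:test` specifier used on the first line.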