Release: homebrew workflow hardening#393

Merged
Data-Wise merged 3 commits into main from dev
Feb 16, 2026

@Data-Wise
Owner

Summary

  • Fix script injection in homebrew-release workflow: Move ${{ }} expressions to env: block to prevent code injection via crafted tag names
  • Harden SHA256 calculation: Add retry logic, validate hash length, use sha256sum for Linux compatibility
  • Sync CLAUDE.md: Update stale file counts and add missing teach subcommands

Changes

  • .github/workflows/homebrew-release.yml — security hardening
  • CLAUDE.md — stale count fixes

Test plan

  • CI passes
  • Manual dispatch of homebrew-release workflow after merge

🤖 Generated with Claude Code

Test User and others added 3 commits February 15, 2026 19:19
- Use env indirection for github context to prevent script injection
- Replace shasum with sha256sum (standard on Ubuntu runners)
- Add --retry 3 with delay on tarball download
- Add empty SHA256 validation guard (64-char hex check)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update stale counts (lib 69→74, tests 181→186) and add 4 missing
teach subcommands (cache, profiles, migrate, validate).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ening

fix: harden homebrew-release workflow security
@Data-Wise Data-Wise merged commit d6997bb into main Feb 16, 2026
2 checks passed
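
An added example, not code from this pull request: the hardening steps named in the summary, written as plain shell functions of the kind a workflow `run:` step could call. The names `RELEASE_TAG` and `REPO`, the placeholder repository, the 5-second retry delay, the tag allow-list and the empty-file check are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the project's workflow). In the workflow step, the tag
# would arrive through an env: block instead of inline ${{ }} text, e.g.
#   env:
#     RELEASE_TAG: ${{ github.ref_name }}   # RELEASE_TAG is an assumed name
# so the script below only ever sees the tag as the value of a variable.

REPO=${REPO:-example-owner/example-repo}    # placeholder repository

# Allow-list check added by this example: letters, digits, dot, dash, underscore.
tarball_url() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'https://github.com/%s/archive/refs/tags/%s.tar.gz\n' "$REPO" "$1"
}

# Download with retries; the 5-second delay is an assumed value.
fetch_tarball() {
    curl -fsSL --retry 3 --retry-delay 5 -o "$2" "$1"
}

# True only for exactly 64 hexadecimal characters.
is_sha256() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Hash a downloaded file. An empty file is rejected first, because the SHA-256
# of empty input is itself a well-formed 64-character digest.
sha256_of_file() {
    [ -s "$1" ] || return 1
    digest=$(sha256sum "$1" | cut -d' ' -f1)
    is_sha256 "$digest" || return 1
    printf '%s\n' "$digest"
}

# Constructed demo value standing in for what env: would supply.
RELEASE_TAG=${RELEASE_TAG:-v1.2.3}
tarball_url "$RELEASE_TAG" || echo "tag rejected: not used in URL" >&2
```

`fetch_tarball` is defined but not called, so the block runs offline.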