Skip to content

Feature/003 review fixes#12

Merged
bobinson merged 5 commits into
mainfrom
feature/003_review-fixes
Jun 8, 2026
Merged

Feature/003 review fixes#12
bobinson merged 5 commits into
mainfrom
feature/003_review-fixes

Conversation

@bobinson

@bobinson bobinson commented Jun 8, 2026

Copy link
Copy Markdown
Owner
  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactoring (no functional changes)
  • Documentation update
  • New audit agent or skill
  • [x ] Infrastructure / CI change

Components Affected

  • Go Backend (backend/)
  • Python Agents (agents/)
  • Frontend (frontend/)
  • CLI (cli/)
  • [x ] Docker / Deployment
  • Documentation (docs/)

bobinson added 5 commits June 7, 2026 15:18
fix(release): pin trivy installer to a release tag (supply-chain)
451b0fd 
Review finding: the trivy install piped an UNPINNED main-branch contrib/install.sh
into sh, inconsistent with every SHA-pinned action in this workflow and running
in the artifact-signing job. Pin both the install.sh ref and the installed
version to v0.71.0. Verified the pinned command installs 0.71.0.

Author: bobinson
docs(install): correct reject_if_system_dir firmlink comment
eaf836b 
Review finding: the comment claimed resolve_path canonicalises /etc->/private/etc,
but BSD readlink has no -f so it may not. Reword to state the /private/* forms
are blacklisted explicitly (not relied upon to resolve). No behavior change.

Author: bobinson
style(backend): drop redundant errcheck prefixes in client_test.go
4bad079 
Review finding: backend/.golangci.yml excludes errcheck from *_test.go, so the
hand-added _ = / _, _ = on test-server Encode/Write were redundant and made
client_test.go inconsistent with the other test files. Removed all of them
(incl. 3 pre-existing) so the file is uniformly unprefixed. golangci clean,
go test passes.

Author: bobinson
refactor(scripts): extract shared sha256_of helper
40df6eb 
Review finding: the portable sha256sum/shasum block was copy-pasted into
build-release.sh, smoke-install.sh and smoke-negative.sh. Extract scripts/lib/hash.sh
with sha256_of() (adds the missing 'neither tool present' error arm), sourced by
all three. TDD: test_hash_sh.sh added (RED before the helper, GREEN after) and
wired into lint-installer; shellcheck now covers scripts/lib. Verified: all 4
release platforms build, SHA256SUMS matches independent sha256sum, smoke suites pass.

Author: bobinson
fix(release): migrate darwin-amd64 runner macos-13 -> macos-15-intel
883b578 
macos-13 (Intel) was deprecated 2025-09-22 and fully retired 2025-12-08, so
the darwin-amd64 build-binary leg hung forever 'waiting for a runner' (no
macos-13 exists to assign). macos-15-intel is GitHub's x86_64 replacement.
arm64 stays on macos-14 (still supported).

Author: bobinson
@bobinson bobinson merged commit 5f555d8 into main Jun 8, 2026
28 of 29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bobinson