
ci: pin cpm to release 0.998003 instead of master#1065

Draft
Koan-Bot wants to merge 1 commit into Test-More:master from Koan-Bot:koan.atoomic/pin-cpm-release

Conversation

Koan-Bot commented Mar 7, 2026

What

Pin the cpm dependency installer to a specific release tag instead of pulling from master.

Why

The `curl | perl -` pattern piping an unpinned script from master is a supply-chain risk:
any compromise of the cpm repo's master branch would execute arbitrary code in CI.

How

  • Download cpm from pinned tag 0.998003 instead of master
  • Save to file before execution (no direct pipe to interpreter)
  • Use `curl -f` to fail on HTTP errors instead of silently feeding error pages to perl
  • Applied to both macos.yml and windows.yml (Linux uses the Docker image)

Testing

CI will validate on push — the cpm install step should succeed with the pinned URL.

🤖 Generated with Claude Code

Replace the fragile `curl | perl -` pattern that piped an unpinned
script from the cpm master branch directly into the interpreter.

The new approach:
- Downloads from a pinned tag (0.998003) instead of master
- Saves to a file before execution (no direct pipe to interpreter)
- Uses curl -f to fail on HTTP errors instead of silently passing
  error pages to perl

Applied to both macos.yml and windows.yml workflows.
Linux CI is unaffected (uses cpm from the Docker image).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
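The install step the PR description and commit message outline (pinned tag, download to a file, `curl -f`, no pipe into the interpreter), written out as an added shell example. This is not the PR's own workflow diff, which is not shown on this page. It assumes cpm is hosted at github.com/skaji/cpm and that raw.githubusercontent.com serves tagged files at `/skaji/cpm/<tag>/cpm`; the release tag 0.998003 comes from the PR. The optional SHA-256 pin goes one step beyond what the PR does: the expected digest is a placeholder that would be computed once from a trusted download and committed next to the tag.

```shell
#!/bin/sh
# Added example, not the PR's own code: fetch the cpm installer from a pinned
# release tag, save it to a file, and sanity-check it before perl ever runs it.
# ASSUMPTION: cpm lives at github.com/skaji/cpm and raw.githubusercontent.com
# serves tags at /skaji/cpm/<tag>/cpm. The tag 0.998003 is the one the PR pins.

CPM_TAG="${CPM_TAG:-0.998003}"

# Build the raw URL for a specific tag (never a moving branch like master).
cpm_pinned_url() {
    printf 'https://raw.githubusercontent.com/skaji/cpm/%s/cpm\n' "$1"
}

# Download with -f so a 404/500 fails the step instead of handing an HTML
# error page to perl. Writes to "$2" and returns curl's exit status.
download_cpm() {
    curl -fsSL --retry 3 -o "$2" "$(cpm_pinned_url "$1")"
}

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Refuse to execute anything that does not look like the cpm Perl script.
# $1 = downloaded file, $2 = optional expected SHA-256 (placeholder: compute it
# once from a trusted download of the pinned tag and commit it with the tag).
verify_cpm() {
    file="$1"; expected_sha="${2:-}"
    [ -s "$file" ] || { echo "verify_cpm: empty download" >&2; return 1; }
    # An HTML error page or a redirect stub will not start with a perl shebang.
    case "$(head -n 1 "$file")" in
        '#!'*perl*) ;;
        *) echo "verify_cpm: not a perl script (HTML error page?)" >&2; return 1 ;;
    esac
    if [ -n "$expected_sha" ]; then
        actual="$(sha256_of "$file")"
        [ "$actual" = "$expected_sha" ] || {
            echo "verify_cpm: checksum mismatch (got $actual)" >&2; return 1; }
    fi
    return 0
}

# The CI step itself: download to a file, verify, then run the saved file.
# CPM_SHA256 is left unset unless the workflow pins a digest.
install_cpm() {
    tag="$1"; dest="${2:-./cpm}"; shift 2
    download_cpm "$tag" "$dest" || return 1
    verify_cpm "$dest" "${CPM_SHA256:-}" || return 1
    perl "$dest" install -g "$@"
}
```

In a workflow the step reduces to `install_cpm "$CPM_TAG" ./cpm Module::One Module::Two`; the download and the execution are separate commands, so a failed or truncated fetch stops the job before any code runs. Bumping the pin is a one-line change to `CPM_TAG` (and to `CPM_SHA256` if a digest is used), which is exactly the review surface the PR is after.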
