Improve winget installation tests for latest nightly release

[hustcer]

Improve winget installation tests for latest nightly release

[github-actions]

Script Analysis

• Key observations:
  • Updated to use path manipulation utilities from std library (std/util)
  • Improved path handling by using $nu.home-path for cross-user compatibility
  • Consolidated winget arguments into a constant for better maintainability
  • Added better debugging with version checks and path verification
  • Removed direct runneradmin path references for more portable scripts

Security Review

• Vulnerability findings:
  • ❗ Potential path injection risk in prepare-manifest when using pwd for output directory (line 37)
  • ⚠️ GITHUB_TOKEN is passed as environment variable (line 18 in test-winget.yml) - ensure it's only used where absolutely necessary
  • Missing error handling for winget install failures could mask security issues

Optimization Suggestions

• Performance improvements:
  • Consider adding parallel execution for manifest preparation and winget install steps
  • Cache the get-latest-tag call since it's used multiple times in the same execution
  • Replace ls $KOMAC_PATH | print with more efficient file verification using path exists
  • Consider lazy evaluation for version string processing (split row + | first)

Overall Quality: 4

The script shows good modernization efforts and proper use of Nu 0.90+ features, but could benefit from:

1. More robust error handling
2. Additional security hardening around path handling
3. Better separation of concerns between setup and test logic
4. More consistent use of constants (e.g., version processing)

The changes demonstrate good awareness of cross-platform compatibility and maintainability, but some security and reliability edges could be smoothed out.