26 commits
bd82371
feat: Add cross-platform installation scripts
bishoy-at-pieces Jul 9, 2025
5b625cf
feat: Add manage command group with update, status, and uninstall
bishoy-at-pieces Jul 9, 2025
67a58ba
feat: Integrate manage command into CLI
bishoy-at-pieces Jul 9, 2025
fd6923b
docs: Update README with installation scripts and manage command
bishoy-at-pieces Jul 9, 2025
b9aa430
add update POS command
bishoy-at-pieces Jul 9, 2025
2fe3b41
add pieces status to the manage update command
bishoy-at-pieces Jul 9, 2025
edc982f
fix formatting
bishoy-at-pieces Jul 9, 2025
db83732
add change the structure of the commands (pieces update) to update Pi…
bishoy-at-pieces Jul 14, 2025
b263422
Merge branch 'main' into feature/cross-platform-installation-scripts
bishoy-at-pieces Jul 14, 2025
6f49ab1
Merge branch 'main' into feature/cross-platform-installation-scripts
bishoy-at-pieces Jul 14, 2025
8e7d159
fix weak python version parsing
bishoy-at-pieces Jul 14, 2025
f5f9503
add new choco and winget in the manage command
bishoy-at-pieces Jul 14, 2025
cfc3841
add cleanup function
bishoy-at-pieces Jul 14, 2025
4034f17
Fix security issues in PATH manipulation:
bishoy-at-pieces Jul 14, 2025
3f457ac
ensure reliability in the installation scripts
bishoy-at-pieces Jul 15, 2025
5bfa8af
Merge branch 'main' into feature/cross-platform-installation-scripts
bishoy-at-pieces Jul 15, 2025
927a234
fix colors in the status
bishoy-at-pieces Jul 15, 2025
de7d866
ensure reliability in the sh script
bishoy-at-pieces Jul 15, 2025
0143854
refactor: Modularize manage commands into separate files
bishoy-at-pieces Jul 15, 2025
1e3956b
fix: Skip onboarding for completion command
bishoy-at-pieces Jul 15, 2025
d7afe69
Docs & Security Helpers For Inspo
tsavo-at-pieces Jul 18, 2025
d5bed75
comment the installer script method until it is safe
bishoy-at-pieces Jul 23, 2025
394d274
Merge branch 'main' into feature/cross-platform-installation-scripts
bishoy-at-pieces Aug 28, 2025
9f0c329
add checksums and installation security
bishoy-at-pieces Aug 28, 2025
0bf485f
feat: add dependency logging
bishoy-at-pieces Aug 28, 2025
2ca25d3
fix: resolve Path.exists patching issues in executable location tests
bishoy-at-pieces Aug 28, 2025
197 changes: 197 additions & 0 deletions .github/workflows/release-security.yml
@@ -0,0 +1,197 @@
name: Secure Release Process

on:
release:
types: [created]

jobs:
generate-checksums:
name: Generate Checksums
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Generate Installation Script Checksums
run: |
echo "Generating SHA256 checksums for installation scripts..."
sha256sum install_pieces_cli.sh > install_pieces_cli.sh.sha256
sha256sum install_pieces_cli.ps1 > install_pieces_cli.ps1.sha256

# Create a combined checksum file
cat > checksums.txt << EOF
# Pieces CLI Installation Scripts Checksums
# Generated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
# Release: ${{ github.ref_name }}

$(cat install_pieces_cli.sh.sha256)
$(cat install_pieces_cli.ps1.sha256)
EOF

- name: Upload Checksums to Release
uses: softprops/action-gh-release@v1
with:
files: |
install_pieces_cli.sh.sha256
install_pieces_cli.ps1.sha256
checksums.txt

sign-artifacts:
name: Sign Release Artifacts
runs-on: ubuntu-latest
needs: generate-checksums
permissions:
id-token: write
contents: write
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Install Cosign
uses: sigstore/cosign-installer@v3

- name: Sign Installation Scripts
run: |
echo "Signing installation scripts with Cosign..."

# Sign the shell script
cosign sign-blob --yes \
--output-signature install_pieces_cli.sh.sig \
--output-certificate install_pieces_cli.sh.crt \
install_pieces_cli.sh

# Sign the PowerShell script
cosign sign-blob --yes \
--output-signature install_pieces_cli.ps1.sig \
--output-certificate install_pieces_cli.ps1.crt \
install_pieces_cli.ps1

- name: Create Verification Instructions
run: |
cat > VERIFY.md << 'EOF'
# Verification Instructions for Pieces CLI

## Checksum Verification

### Linux/macOS:
```bash
sha256sum -c install_pieces_cli.sh.sha256
```

### Windows (PowerShell):
```powershell
(Get-FileHash install_pieces_cli.ps1).Hash -eq (Get-Content install_pieces_cli.ps1.sha256).Split()[0]
```

## Signature Verification (Advanced)

Install Cosign: https://docs.sigstore.dev/cosign/installation/

### Verify Shell Script:
```bash
cosign verify-blob \
--certificate install_pieces_cli.sh.crt \
--signature install_pieces_cli.sh.sig \
--certificate-identity-regexp "https://github.com/pieces-app/*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
install_pieces_cli.sh
```

### Verify PowerShell Script:
```bash
cosign verify-blob \
--certificate install_pieces_cli.ps1.crt \
--signature install_pieces_cli.ps1.sig \
--certificate-identity-regexp "https://github.com/pieces-app/*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
install_pieces_cli.ps1
```
EOF

- name: Upload Signatures to Release
uses: softprops/action-gh-release@v1
with:
files: |
*.sig
*.crt
VERIFY.md

create-requirements-with-hashes:
name: Create Requirements with Hashes
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Install pip-tools
run: pip install pip-tools

- name: Generate Requirements with Hashes
run: |
# Create requirements.in if it doesn't exist
if [ ! -f requirements.in ]; then
echo "pieces-cli" > requirements.in
fi

# Compile with hashes
pip-compile --generate-hashes \
--output-file requirements-hashes.txt \
requirements.in

# Add header to the file
cat > temp.txt << 'EOF'
# Pieces CLI Requirements with Hash Verification
# Generated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Install with:
# pip install --require-hashes --no-deps -r requirements-hashes.txt
#
EOF
cat requirements-hashes.txt >> temp.txt
mv temp.txt requirements-hashes.txt

- name: Upload Requirements to Release
uses: softprops/action-gh-release@v1
with:
files: requirements-hashes.txt

security-scan:
name: Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Run Trivy Security Scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'

- name: Upload Trivy Results
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'

- name: Run Bandit Security Scan
run: |
pip install bandit
bandit -r src/ -f json -o bandit-report.json || true

# Create summary
if [ -f bandit-report.json ]; then
echo "## Bandit Security Scan Results" >> $GITHUB_STEP_SUMMARY
echo "Issues found: $(jq '.metrics."_totals"."SEVERITY.HIGH"' bandit-report.json)" >> $GITHUB_STEP_SUMMARY
fi
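Review bot: the `--certificate-identity-regexp "https://github.com/pieces-app/*"` pattern in both `cosign verify-blob` commands written into VERIFY.md is too loose: the flag takes a regular expression, not a glob, so `/*` means "zero or more slashes" and the unanchored pattern accepts any certificate identity that merely contains `https://github.com/pieces-app`, including workflows in other repositories or in accounts whose name starts with that prefix. Anchor it and tie it to this repository's release workflow, e.g. `--certificate-identity-regexp '^https://github\.com/pieces-app/[^/]+/\.github/workflows/release-security\.yml@refs/tags/'` (the repository name is not visible in this hunk, so replace `[^/]+` with the real one, or use `--certificate-identity` with the exact workflow identity). Two smaller points in the same file: the header written to `temp.txt` in `Generate Requirements with Hashes` uses a quoted heredoc (`<< 'EOF'`), so `$(date -u ...)` is copied literally instead of being expanded, unlike the unquoted `checksums.txt` heredoc earlier in the file; and `aquasecurity/trivy-action@master` is a mutable branch reference in a release-security workflow, so pin it to a tag or commit SHA like the other actions.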
Comment on lines +168 to +197

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the problem, we need to add a permissions block to the security-scan job in .github/workflows/release-security.yml. This block should explicitly restrict the permissions of the GITHUB_TOKEN to the minimum necessary for the job—most likely contents: read, which allows the job to clone the repository but not modify it. The block should be added directly under runs-on: ubuntu-latest in the security-scan job definition, without modifying the rest of the workflow. No additional dependencies or imports are required for this change.


Suggested changeset 1
.github/workflows/release-security.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-security.yml b/.github/workflows/release-security.yml
--- a/.github/workflows/release-security.yml
+++ b/.github/workflows/release-security.yml
@@ -167,6 +167,8 @@
   security-scan:
     name: Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
EOF
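Review bot: `contents: read` on its own is not enough for this job, because the `Upload Trivy Results` step calls `github/codeql-action/upload-sarif`, which needs `security-events: write` on the GITHUB_TOKEN; with only the suggested block that step will fail with a permissions error. Use a block with both `contents: read` and `security-events: write` here (the `contents: read` line is still right for checkout and for the Bandit step).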