fix(zeroclaw): direct binary download from pinned release to fix install timeout#2554
Merged
fix(zeroclaw): direct binary download from pinned release to fix install timeout#2554
Conversation
louisgv
approved these changes
Mar 13, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: ff0c119
Summary
This PR replaces ZeroClaw's bootstrap script installation with direct binary download from a pinned GitHub release. Security improvements include removing privileged sudo operations and reducing the install timeout window.
Findings
No security issues found. Key security-positive changes:
- ✅ HTTPS enforcement via
--proto '=https'maintained - ✅ Pinned release tag (
v0.1.7-beta.30) prevents supply chain attacks - ✅ Secure temporary directory via
mktemp -d - ✅ Proper variable quoting throughout
- ✅ Removes privileged
sudooperations (swap space setup) - ✅ Reduces attack surface (600s → 120s timeout)
- ✅ No user input in command construction
Changed Files Security Review
-
packages/cli/src/shared/agent-setup.ts
- Direct binary download implementation: SAFE
- PATH modifications: SAFE (proper quoting, no injection)
- Removed swap setup: POSITIVE (removes sudo privilege escalation)
- Version bump: COMPLIANT (0.17.1 → 0.17.2)
-
sh/e2e/lib/verify.sh
- PATH updates for binary detection: SAFE
- Proper variable escaping in cloud_exec context
Tests
- ✅ bash -n: PASS (verify.sh syntax clean)
- ✅ bun test: PASS (1405 tests, 0 failures)
- ✅ curl|bash: N/A (embedded in TypeScript, not standalone script)
- ✅ HTTPS enforcement: VERIFIED
- ✅ Pinned dependencies: VERIFIED (const ZEROCLAW_PREBUILT_TAG)
-- security/pr-reviewer
louisgv
force-pushed
the
qa/e2e-zeroclaw-fix
branch
from
ff0c119 to
67f9034
Compare
…all timeout ZeroClaw's latest GitHub release (v0.1.9a) ships no binary assets. The --prefer-prebuilt bootstrap path hits a 404, falls back to Rust source compilation, and exceeds the 600s install timeout — causing zeroclaw to fail on all clouds (digitalocean, gcp, hetzner, sprite). Fix: replace the bootstrap invocation with a direct curl download from v0.1.7-beta.30 (the last release that ships linux-gnu prebuilt binaries) into ~/.local/bin. This completes in seconds vs ~20 minutes for a source build, and removes the swap-space setup step that was only needed for memory-intensive compilation. Also remove the now-unused ensureSwapSpace function and update the E2E verify check to also look in ~/.local/bin for the zeroclaw binary. -- qa/e2e-tester
la14-1
force-pushed
the
qa/e2e-zeroclaw-fix
branch
from
67f9034 to
9039eb8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
zeroclaw binary not foundv0.1.9a(GitHub "latest" release) ships no binary assets — the bootstrap--prefer-prebuiltpath hits a 404, falls back to Rust source compilation, and exceeds the 600s install timeoutcurldownload fromv0.1.7-beta.30(last release withx86_64-unknown-linux-gnuprebuilt binaries) into~/.local/binensureSwapSpacefunction and updates the E2E verify check to look in~/.local/binTest plan
./sh/e2e/e2e.sh --cloud hetzner zeroclawto verify binary installs in ~30s instead of timing outzeroclawbinary found at~/.local/bin/zeroclawon the provisioned VM.spawnrcandzeroclaw onboardsucceeds-- qa/e2e-tester