Add automatic update checks for security tools (zizmor, SFW)#1186
John-David Dalton (jdalton) wants to merge 4 commits into main from
Conversation
Checks for new zizmor and SFW releases, respects pnpm minimumReleaseAge cooldown for third-party tools, updates embedded checksums. Also adds Claude Code version sync phase.
- Add else clause when oldHash is undefined so allFound is set to false, preventing version bump with missing checksum entries
- Deduplicate download-and-hash logic in fetchSfwChecksums by computing the URL once before the shared try/catch block
SFW_FREE_CHECKSUMS and SFW_ENTERPRISE_CHECKSUMS share platform keys (e.g. 'linux-arm64'). Add objectName parameter to replaceChecksumValue that scopes regex replacement within the target object block, preventing cross-object mismatches.
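The cross-object mismatch this comment describes, as an added example that is not code from the PR: `SFW_FREE_CHECKSUMS` and `SFW_ENTERPRISE_CHECKSUMS` are the constant names the comment mentions, while the helper names (`findObjectBlock`, `readChecksum`, the naive variant) and the sample `index.mts`-style source are constructed for illustration. The naive replacement rewrites the first `'linux-arm64'` entry it finds, which lives in the free map; the scoped version first locates the named object's `{ ... }` block and replaces only inside it.

```typescript
// Added example (not the PR's code): scope a checksum replacement to one object literal.
// Constructed sample of an index.mts-style file with two maps sharing platform keys.
const SAMPLE_SOURCE = `
const SFW_FREE_CHECKSUMS: Record<string, string> = {
  'linux-arm64': '${"a".repeat(64)}',
  'darwin-arm64': '${"b".repeat(64)}',
};
const SFW_ENTERPRISE_CHECKSUMS: Record<string, string> = {
  'linux-arm64': '${"c".repeat(64)}',
  'darwin-arm64': '${"d".repeat(64)}',
};
`;

const escapeRegex = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Matches `'platform': '<64 hex chars>'` and captures the quoting around the hash.
const checksumEntryRe = (platform: string): RegExp =>
  new RegExp(`(['"]${escapeRegex(platform)}['"]\\s*:\\s*['"])([0-9a-f]{64})(['"])`);

// Locates `const <objectName> ... = { ... }` and returns where its body starts.
// Assumes a flat map with no nested braces, which is what a platform -> hash map is.
function findObjectBlock(source: string, objectName: string): { bodyStart: number; body: string } {
  const m = new RegExp(`const\\s+${escapeRegex(objectName)}\\b[^{]*\\{([^}]*)\\}`).exec(source);
  if (!m) throw new Error(`object ${objectName} not found`);
  // m[0] ends with the closing brace, so the body starts body.length + 1 chars before its end.
  return { bodyStart: m.index + m[0].length - m[1].length - 1, body: m[1] };
}

// Naive version: the first occurrence of the key anywhere in the file is rewritten,
// so updating the enterprise hash silently rewrites the free one instead.
function replaceChecksumValueNaive(source: string, platform: string, newHash: string): string {
  return source.replace(checksumEntryRe(platform), `$1${newHash}$3`);
}

// Scoped version: replace only inside the named object's block.
function replaceChecksumValue(source: string, objectName: string, platform: string, newHash: string): string {
  const { bodyStart, body } = findObjectBlock(source, objectName);
  const re = checksumEntryRe(platform);
  if (!re.test(body)) throw new Error(`${platform} not found in ${objectName}`);
  const newBody = body.replace(re, `$1${newHash}$3`);
  return source.slice(0, bodyStart) + newBody + source.slice(bodyStart + body.length);
}

// Reads the hash currently recorded for a platform in a given object, for verification.
function readChecksum(source: string, objectName: string, platform: string): string | undefined {
  const m = checksumEntryRe(platform).exec(findObjectBlock(source, objectName).body);
  return m ? m[2] : undefined;
}

const NEW_HASH = "e".repeat(64);
const naive = replaceChecksumValueNaive(SAMPLE_SOURCE, "linux-arm64", NEW_HASH);
const scoped = replaceChecksumValue(SAMPLE_SOURCE, "SFW_ENTERPRISE_CHECKSUMS", "linux-arm64", NEW_HASH);
console.log("naive rewrote the free map:", readChecksum(naive, "SFW_FREE_CHECKSUMS", "linux-arm64") === NEW_HASH);            // true
console.log("scoped rewrote the enterprise map:", readChecksum(scoped, "SFW_ENTERPRISE_CHECKSUMS", "linux-arm64") === NEW_HASH); // true
```

A useful follow-up check after the write is to re-read every map with `readChecksum` and compare it against the values the updater intended, so a regex that quietly matched the wrong block fails the run instead of shipping a hash that verifies the wrong binary.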
Like the zizmor update path, prevent partial checksum updates when some SFW asset downloads fail. Return unchanged checksums and changed: false so the caller does not write an inconsistent state.
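The all-or-nothing behaviour this comment asks for, together with the `oldHash`/`allFound` point from the commit notes above, as an added example that is not the PR's code. A platform whose checksum is missing from the current map, and a platform whose asset download fails, both leave the map untouched and return `changed: false`. The function name `fetchSfwChecksums` and `allFound` come from the page; the URL layout, the injected synchronous fetcher and the sample inputs are assumptions (the real script would download release assets over HTTPS).

```typescript
// Added example (not the PR's code): all-or-nothing refresh of the SFW checksum map.
import { createHash } from "node:crypto";

type Checksums = Record<string, string>;
// Returns the asset bytes, or null when the download failed. Synchronous here so the
// example runs offline; the real updater would await an HTTP client.
type AssetFetcher = (url: string) => Uint8Array | null;

const sha256Hex = (bytes: Uint8Array): string => createHash("sha256").update(bytes).digest("hex");

// Hypothetical asset URL layout, not the real Socket Firewall download URL.
function sfwAssetUrl(version: string, platform: string): string {
  return `https://example.invalid/sfw/v${version}/sfw-${platform}`;
}

function fetchSfwChecksums(
  version: string,
  platforms: readonly string[],
  current: Checksums,
  fetchAsset: AssetFetcher,
): { checksums: Checksums; changed: boolean } {
  const next: Checksums = {};
  let allFound = true;
  for (const platform of platforms) {
    const oldHash = current[platform];
    if (oldHash === undefined) {
      // No existing entry: refuse to bump rather than leave a hole in the map.
      allFound = false;
      break;
    }
    const url = sfwAssetUrl(version, platform); // computed once, shared by download and hash
    try {
      const bytes = fetchAsset(url);
      if (bytes === null) {
        allFound = false;
        break;
      }
      next[platform] = sha256Hex(bytes);
    } catch {
      allFound = false;
      break;
    }
  }
  if (!allFound) {
    // Partial data: hand back the caller's map unchanged so nothing inconsistent is written.
    return { checksums: current, changed: false };
  }
  const changed = platforms.some((p) => next[p] !== current[p]);
  return { checksums: changed ? next : current, changed };
}

// Constructed inputs: the "asset" for each platform is just its URL as bytes.
const SFW_PLATFORMS = ["linux-arm64", "darwin-arm64"] as const;
const CURRENT_SFW: Checksums = {
  "linux-arm64": "a".repeat(64),
  "darwin-arm64": "b".repeat(64),
};
const okFetcher: AssetFetcher = (url) => new TextEncoder().encode(url);
const flakyFetcher: AssetFetcher = (url) => (url.endsWith("darwin-arm64") ? null : okFetcher(url));

console.log(fetchSfwChecksums("1.2.3", SFW_PLATFORMS, CURRENT_SFW, okFetcher).changed);    // true
console.log(fetchSfwChecksums("1.2.3", SFW_PLATFORMS, CURRENT_SFW, flakyFetcher).changed); // false
```

Returning the caller's own map by reference on failure (rather than a copy) makes the "nothing to write" case cheap to detect: a caller can check `changed` or identity and skip the file write entirely, which is what keeps a half-downloaded release from producing a constants block where some platforms verify one version and others another.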
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit 9e65251.
What this adds
A version checker that runs as part of the /update workflow:
- minimumReleaseAge cooldown (reads from pnpm-workspace.yaml)
- @anthropic-ai/claude-code catalog version from installed binary
When new versions are found, the script updates the embedded checksums in setup-security-tools/index.mts in-place.
Files
- .claude/hooks/setup-security-tools/update.mts — the version checker
- .claude/skills/updating/SKILL.md — adds phases 3b (security tools) and 3c (Claude Code sync)
Depends on
PR #1185 (setup-security-tools) must be merged first — update.mts modifies files created by that PR.
Note
Medium Risk
Introduces an automated script that fetches GitHub release metadata and downloads binaries to recompute embedded checksums, which could impact the integrity/availability of the security-tool setup if parsing or downloads fail. Changes are limited to tooling/docs and .gitignore, not runtime application logic.
Overview
Adds a new Node script (.claude/hooks/setup-security-tools/update.mts) that checks GitHub releases/latest for zizmor and Socket Firewall (sfw-free and enterprise), then updates the embedded version/checksum constants in the setup-security-tools hook when newer artifacts are found. zizmor updates are gated by pnpm's minimumReleaseAge cooldown (read from pnpm-workspace.yaml), while SFW updates bypass cooldown and always refresh checksums by downloading platform assets and hashing them.
Updates the updating skill docs to include this security-tools update step, and adjusts .gitignore to track .claude/hooks/ and .claude/settings.json instead of ignoring all of .claude/.
Reviewed by Cursor Bugbot for commit 9e65251.
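The cooldown gate described in the PR description and in the overview above, as an added example that is not the PR's code. It reads `minimumReleaseAge` from `pnpm-workspace.yaml` text (pnpm expresses the setting in minutes) and accepts a GitHub `releases/latest` entry only if it is both newer than the pinned version and older than the cooldown; passing `0` models the "bypass cooldown" path the description uses for SFW. The function names, the minimal YAML scan and the sample release metadata are assumptions; `tag_name` and `published_at` are the field names the GitHub releases API returns.

```typescript
// Added example (not the PR's code): gate a release on pnpm's minimumReleaseAge cooldown.
interface ReleaseMeta {
  tag_name: string;     // e.g. "v1.4.0", as returned by the GitHub releases/latest API
  published_at: string; // ISO 8601 timestamp from the same API
}

// Minimal YAML scan: matches a top-level `minimumReleaseAge: <integer>` line.
// Returns 0 (no cooldown) when the setting is absent, which is pnpm's default.
function readMinimumReleaseAge(workspaceYaml: string): number {
  const m = /^minimumReleaseAge\s*:\s*(\d+)\s*$/m.exec(workspaceYaml);
  return m ? Number(m[1]) : 0;
}

// Compares dotted numeric versions, ignoring a leading "v"; > 0 when a is newer than b.
// Assumes plain numeric components (no pre-release suffixes).
function compareVersions(a: string, b: string): number {
  const parse = (v: string) => v.replace(/^v/, "").split(".").map((n) => Number(n) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

function shouldUpdate(
  currentVersion: string,
  release: ReleaseMeta,
  minimumReleaseAgeMinutes: number,
  now: Date,
): { update: boolean; reason: string } {
  if (compareVersions(release.tag_name, currentVersion) <= 0) {
    return { update: false, reason: `already at ${currentVersion}` };
  }
  const ageMinutes = (now.getTime() - Date.parse(release.published_at)) / 60_000;
  if (ageMinutes < minimumReleaseAgeMinutes) {
    return {
      update: false,
      reason: `${release.tag_name} is ${Math.floor(ageMinutes)} min old, cooldown is ${minimumReleaseAgeMinutes} min`,
    };
  }
  return { update: true, reason: `${release.tag_name} cleared the ${minimumReleaseAgeMinutes} min cooldown` };
}

// Constructed inputs: a workspace file with a 24h cooldown, and two releases of the same
// tag published 2 hours and 3 days before "now".
const WORKSPACE_YAML = `packages:\n  - "packages/*"\nminimumReleaseAge: 1440\n`;
const NOW = new Date("2025-01-10T12:00:00Z");
const FRESH_RELEASE: ReleaseMeta = { tag_name: "v1.4.0", published_at: "2025-01-10T10:00:00Z" };
const AGED_RELEASE: ReleaseMeta = { tag_name: "v1.4.0", published_at: "2025-01-07T10:00:00Z" };

const cooldown = readMinimumReleaseAge(WORKSPACE_YAML);
console.log(shouldUpdate("1.3.2", FRESH_RELEASE, cooldown, NOW)); // update: false (inside cooldown)
console.log(shouldUpdate("1.3.2", AGED_RELEASE, cooldown, NOW));  // update: true
console.log(shouldUpdate("1.3.2", FRESH_RELEASE, 0, NOW));        // update: true (cooldown bypassed)
```

Taking `now` as a parameter rather than calling `Date.now()` inside keeps the gate deterministic in tests, and returning a `reason` string gives the updater something to log when it declines a release, which is what a maintainer reviewing an unexpected "no update" run will want to see.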