
fix: use HTTPS for cpanminus download in CI#2050

Merged
zkoppert merged 1 commit into master from fix/ci-https-cpanminus
Apr 23, 2026

Conversation

@zkoppert
Member

Summary

Switches the cpanminus download in CI from plain HTTP to HTTPS, closing a MITM attack vector.

Fixes #2049

Changes

  • .github/workflows/ci.yml:51: curl -L http://cpanmin.us replaced with curl -fsSL https://cpanmin.us
    • https:// prevents network attackers from injecting malicious code
    • -f fails fast on HTTP errors instead of piping error pages to perl
    • -sS suppresses progress but shows errors

Testing

  • CI runs on this PR validate that cpanminus installs correctly over HTTPS and all tests pass across Ruby 3.2/3.3/3.4.
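The Changes list above describes the flaw pattern (a script fetched over plain HTTP and piped straight into an interpreter) and the curl flags that mitigate it. The linter below is an added example and is not part of this PR or of the project's code base: it scans single-line run: steps of a workflow file for that pattern and reports three things, the http:// scheme, curl without -f (an error page would reach the interpreter), and -L following redirects to any scheme unless --proto-redir =https is also given. The workflow snippet is constructed, and the exact pipeline (curl ... | perl - App::cpanminus) is assumed from the description's mention of piping into perl.

```python
"""Lint GitHub Actions `run:` steps for the download-and-pipe-to-interpreter pattern."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample, not the project's real ci.yml: the "before" and "after"
# lines mirror the change described in the PR.
SAMPLE_WORKFLOW = """\
steps:
  - name: Install cpanminus (before)
    run: curl -L http://cpanmin.us | perl - App::cpanminus
  - name: Install cpanminus (after)
    run: curl -fsSL https://cpanmin.us | perl - App::cpanminus
  - name: Unrelated step
    run: bundle exec rspec
"""

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "perl", "python", "python3", "ruby", "node"}
URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def parse_run_steps(yaml_text):
    """Yield (line_number, command) for single-line `run:` entries.

    Deliberately minimal: block scalars (`run: |`) are not handled; a real
    linter would load the workflow with a YAML parser first.
    """
    for lineno, raw in enumerate(yaml_text.splitlines(), start=1):
        m = re.match(r"\s*(?:-\s*)?run:\s*(.+)$", raw)
        if m:
            yield lineno, m.group(1).strip()


def curl_flags(argv):
    """Split curl's argv into bundled short flags (-fsSL -> f,s,S,L) and long options."""
    short, long_opts = set(), set()
    for arg in argv[1:]:
        if arg.startswith("--"):
            long_opts.add(arg.split("=", 1)[0])
        elif arg.startswith("-") and len(arg) > 1:
            short.update(arg[1:])
    return short, long_opts


def lint_command(command, lineno):
    """Return findings for one shell command; empty list if the pattern is absent."""
    findings = []
    # Naive pipe split: good enough for bootstrap one-liners, not for `||` or quoted pipes.
    stages = [shlex.split(s) for s in command.split("|")]
    stages = [s for s in stages if s]
    if len(stages) < 2 or stages[0][0] not in DOWNLOADERS:
        return findings
    sink = stages[-1][0].rsplit("/", 1)[-1]
    if sink not in INTERPRETERS:
        return findings
    downloader = stages[0]
    for arg in downloader[1:]:
        m = URL_RE.match(arg)
        if m and m.group("scheme").lower() != "https":
            findings.append(Finding(lineno, "high",
                f"{arg} is fetched over {m.group('scheme')} and piped into {sink}; "
                "a network attacker can substitute the script"))
    if downloader[0] == "curl":
        short, long_opts = curl_flags(downloader)
        if "f" not in short and "--fail" not in long_opts:
            findings.append(Finding(lineno, "medium",
                f"curl without -f/--fail: an HTTP error page would be piped into {sink}"))
        if ("L" in short or "--location" in long_opts) and "--proto-redir" not in long_opts:
            findings.append(Finding(lineno, "low",
                "-L follows redirects to any scheme; add --proto-redir =https"))
    return findings


def lint_workflow(yaml_text):
    """Lint every single-line run: step in a workflow document."""
    out = []
    for lineno, cmd in parse_run_steps(yaml_text):
        out.extend(lint_command(cmd, lineno))
    return out


if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line} [{f.severity}] {f.message}")
```

On the constructed sample the "before" line yields three findings and the "after" line still yields the low-severity redirect note, which is the remaining gap in -fsSL alone. HTTPS and -f protect the transport and the error path; they say nothing about the integrity of what cpanmin.us serves, so the next hardening step is to pin a checksum of the installer or vendor it into the repository.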

Switch curl from http:// to https:// when downloading cpanminus to
prevent MITM attacks. Also add -fsSL flags for fail-fast on HTTP
errors and silent progress.

Fixes #2049

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
@zkoppert zkoppert self-assigned this Apr 22, 2026
@zkoppert zkoppert marked this pull request as ready for review April 23, 2026 00:08
Copilot AI review requested due to automatic review settings April 23, 2026 00:08

Copilot AI left a comment


Pull request overview

This PR hardens the CI workflow by switching the cpanminus bootstrap download from HTTP to HTTPS, reducing exposure to MITM attacks during dependency installation.

Changes:

  • Update the cpanminus install command in CI to use https://cpanmin.us.
  • Make curl fail on HTTP errors and reduce noisy output via -fsSL.
Summary per file:

  • .github/workflows/ci.yml: Switches cpanminus download to HTTPS with safer curl flags during CI Perl dependency setup.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@zkoppert zkoppert merged commit ce5f9e3 into master Apr 23, 2026
14 checks passed
@zkoppert zkoppert deleted the fix/ci-https-cpanminus branch April 23, 2026 00:10
@zkoppert zkoppert mentioned this pull request Apr 23, 2026
2 tasks


Development

Successfully merging this pull request may close these issues.

fix: CI downloads and executes code over plain HTTP (MITM risk)

2 participants