Skip to content

fix: sc upgrade crashes with syntax error for existing installs#341

Closed
Cre-eD wants to merge 35 commits into
mainfrom
fix/sc-sh-version-embed-and-empty-guard
Closed

fix: sc upgrade crashes with syntax error for existing installs#341
Cre-eD wants to merge 35 commits into
mainfrom
fix/sc-sh-version-embed-and-empty-guard

Conversation

@Cre-eD

@Cre-eD Cre-eD commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Root cause

push.yaml line 637 used a single-quoted sed script:

sed -i -e 's/VERSION="0\.0\.0"/VERSION="${VERSION}"/g' ...

Single quotes suppress shell expansion, so the literal string ${VERSION} was written into every distributed sc.sh. At runtime (user's shell), $VERSION is unset → VERSION="". Then:

semver_compare "" "2026.x.y"
  → compareNumber "" "2026"
  → $((2026 - ))   ← syntax error

Broke everyone doing sc upgrade or curl … | bash who already had sc installed.

Changes

push.yaml — switch to double-quoted sed so the CI env var expands at build time:

sed -i -e "s/VERSION=\"0\\.0\\.0\"/VERSION=\"${VERSION}\"/" ...

sc.sh — two belt-and-suspenders guards so the script never crashes even if VERSION is empty for any other reason:

  • compareNumber: handle one-empty-arg cases (was only guarding both-empty)
  • version-compare block: skip semver_compare when VERSION is empty; an empty target version means "fetch latest", so the default VERSION_COMPARE="1" is correct

Test plan

  • Verify VERSION="2026.x.y" bash -c 'echo ... | sed -e "s/..."' expands correctly (confirmed locally)
  • After next release: curl -s https://dist.simple-container.com/sc.sh | grep ^VERSION= should show the baked version, not ${VERSION}
  • sc upgrade on an already-installed sc completes without syntax error

dependabot Bot and others added 30 commits May 16, 2026 16:55
Bumps caddy from `14f5b3e` to `f96a3b7`.

---
updated-dependencies:
- dependency-name: caddy
  dependency-version: 2.11.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps alpine/kubectl from `e9acf90` to `405e713`.

---
updated-dependencies:
- dependency-name: alpine/kubectl
  dependency-version: latest
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/pulumi/pulumi-command/sdk](https://github.com/pulumi/pulumi-command) from 0.9.2 to 1.2.1.
- [Release notes](https://github.com/pulumi/pulumi-command/releases)
- [Commits](pulumi/pulumi-command@v0.9.2...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/pulumi/pulumi-command/sdk
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the docker-minor-and-patch group with 1 update in the / directory: alpine.


Updates `alpine` from 3.21 to 3.23

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: '3.23'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the pip-minor-and-patch group in /docs with 3 updates: [mkdocs](https://github.com/mkdocs/mkdocs), [mkdocs-material](https://github.com/squidfunk/mkdocs-material) and [mkdocs-mermaid2-plugin](https://github.com/fralau/mkdocs-mermaid2-plugin).


Updates `mkdocs` from 1.5.3 to 1.6.1
- [Release notes](https://github.com/mkdocs/mkdocs/releases)
- [Commits](mkdocs/mkdocs@1.5.3...1.6.1)

Updates `mkdocs-material` from 9.4.14 to 9.7.6
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.4.14...9.7.6)

Updates `mkdocs-mermaid2-plugin` from 1.1.1 to 1.2.3
- [Release notes](https://github.com/fralau/mkdocs-mermaid2-plugin/releases)
- [Changelog](https://github.com/fralau/mkdocs-mermaid2-plugin/blob/master/CHANGELOG.md)
- [Commits](fralau/mkdocs-mermaid2-plugin@v1.1.1...v1.2.3)

---
updated-dependencies:
- dependency-name: mkdocs
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-minor-and-patch
- dependency-name: mkdocs-material
  dependency-version: 9.7.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-minor-and-patch
- dependency-name: mkdocs-mermaid2-plugin
  dependency-version: 1.2.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ith 31 updates

Bumps the gomod-minor-and-patch group with 24 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.49.0` | `1.62.2` |
| [github.com/MShekow/directory-checksum](https://github.com/MShekow/directory-checksum) | `1.4.9` | `1.4.18` |
| [github.com/atombender/go-jsonschema](https://github.com/atombender/go-jsonschema) | `0.23.0` | `0.23.1` |
| [github.com/aws/aws-lambda-go](https://github.com/aws/aws-lambda-go) | `1.47.0` | `1.54.0` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.29.7` | `1.32.17` |
| [github.com/cloudflare/cloudflare-go](https://github.com/cloudflare/cloudflare-go) | `0.104.0` | `0.116.0` |
| [github.com/disgoorg/disgo](https://github.com/disgoorg/disgo) | `0.18.5` | `0.19.3` |
| [github.com/fatih/color](https://github.com/fatih/color) | `1.18.0` | `1.19.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.19.0` | `5.19.1` |
| [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.38.2` | `1.41.0` |
| [github.com/otiai10/copy](https://github.com/otiai10/copy) | `1.14.0` | `1.14.1` |
| [github.com/pulumi/pulumi-aws/sdk/v6](https://github.com/pulumi/pulumi-aws) | `6.83.0` | `6.83.3` |
| [github.com/pulumi/pulumi-cloudflare/sdk/v6](https://github.com/pulumi/pulumi-cloudflare) | `6.2.0` | `6.15.0` |
| [github.com/pulumi/pulumi-docker/sdk/v4](https://github.com/pulumi/pulumi-docker) | `4.5.8` | `4.11.2` |
| [github.com/pulumi/pulumi-gcp/sdk/v8](https://github.com/pulumi/pulumi-gcp) | `8.0.0` | `8.41.1` |
| [github.com/pulumi/pulumi-kubernetes/sdk/v4](https://github.com/pulumi/pulumi-kubernetes) | `4.18.1` | `4.31.0` |
| [github.com/pulumi/pulumi-mongodbatlas/sdk/v3](https://github.com/pulumi/pulumi-mongodbatlas) | `3.30.0` | `3.38.0` |
| [github.com/pulumi/pulumi-random/sdk/v4](https://github.com/pulumi/pulumi-random) | `4.17.0` | `4.20.0` |
| [github.com/pulumi/pulumi/pkg/v3](https://github.com/pulumi/pulumi) | `3.184.0` | `3.241.0` |
| [github.com/samber/lo](https://github.com/samber/lo) | `1.38.1` | `1.53.0` |
| [github.com/tmc/langchaingo](https://github.com/tmc/langchaingo) | `0.1.13` | `0.1.14` |
| [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) | `1.16.1` | `1.17.9` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.35.0` | `0.36.1` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.0` | `0.36.1` |



Updates `cloud.google.com/go/storage` from 1.49.0 to 1.62.2
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.49.0...storage/v1.62.2)

Updates `github.com/MShekow/directory-checksum` from 1.4.9 to 1.4.18
- [Release notes](https://github.com/MShekow/directory-checksum/releases)
- [Commits](MShekow/directory-checksum@v1.4.9...v1.4.18)

Updates `github.com/atombender/go-jsonschema` from 0.23.0 to 0.23.1
- [Release notes](https://github.com/atombender/go-jsonschema/releases)
- [Commits](omissis/go-jsonschema@v0.23.0...v0.23.1)

Updates `github.com/aws/aws-lambda-go` from 1.47.0 to 1.54.0
- [Release notes](https://github.com/aws/aws-lambda-go/releases)
- [Commits](aws/aws-lambda-go@v1.47.0...v1.54.0)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.29.7 to 1.32.17
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.29.7...config/v1.32.17)

Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.17.60 to 1.19.16
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@credentials/v1.17.60...credentials/v1.19.16)

Updates `github.com/cloudflare/cloudflare-go` from 0.104.0 to 0.116.0
- [Release notes](https://github.com/cloudflare/cloudflare-go/releases)
- [Changelog](https://github.com/cloudflare/cloudflare-go/blob/v0.116.0/CHANGELOG.md)
- [Commits](cloudflare/cloudflare-go@v0.104.0...v0.116.0)

Updates `github.com/disgoorg/disgo` from 0.18.5 to 0.19.3
- [Release notes](https://github.com/disgoorg/disgo/releases)
- [Commits](disgoorg/disgo@v0.18.5...v0.19.3)

Updates `github.com/fatih/color` from 1.18.0 to 1.19.0
- [Release notes](https://github.com/fatih/color/releases)
- [Commits](fatih/color@v1.18.0...v1.19.0)

Updates `github.com/go-git/go-git/v5` from 5.19.0 to 5.19.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

Updates `github.com/onsi/gomega` from 1.38.2 to 1.41.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.38.2...v1.41.0)

Updates `github.com/otiai10/copy` from 1.14.0 to 1.14.1
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](otiai10/copy@v1.14.0...v1.14.1)

Updates `github.com/pulumi/pulumi-aws/sdk/v6` from 6.83.0 to 6.83.3
- [Release notes](https://github.com/pulumi/pulumi-aws/releases)
- [Changelog](https://github.com/pulumi/pulumi-aws/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-aws@v6.83.0...v6.83.3)

Updates `github.com/pulumi/pulumi-cloudflare/sdk/v6` from 6.2.0 to 6.15.0
- [Release notes](https://github.com/pulumi/pulumi-cloudflare/releases)
- [Changelog](https://github.com/pulumi/pulumi-cloudflare/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-cloudflare@v6.2.0...v6.15.0)

Updates `github.com/pulumi/pulumi-docker/sdk/v4` from 4.5.8 to 4.11.2
- [Release notes](https://github.com/pulumi/pulumi-docker/releases)
- [Changelog](https://github.com/pulumi/pulumi-docker/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-docker@v4.5.8...v4.11.2)

Updates `github.com/pulumi/pulumi-gcp/sdk/v8` from 8.0.0 to 8.41.1
- [Release notes](https://github.com/pulumi/pulumi-gcp/releases)
- [Changelog](https://github.com/pulumi/pulumi-gcp/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-gcp@v8.0.0...v8.41.1)

Updates `github.com/pulumi/pulumi-kubernetes/sdk/v4` from 4.18.1 to 4.31.0
- [Release notes](https://github.com/pulumi/pulumi-kubernetes/releases)
- [Changelog](https://github.com/pulumi/pulumi-kubernetes/blob/master/CHANGELOG.md)
- [Commits](pulumi/pulumi-kubernetes@v4.18.1...v4.31.0)

Updates `github.com/pulumi/pulumi-mongodbatlas/sdk/v3` from 3.30.0 to 3.38.0
- [Release notes](https://github.com/pulumi/pulumi-mongodbatlas/releases)
- [Changelog](https://github.com/pulumi/pulumi-mongodbatlas/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-mongodbatlas@v3.30.0...v3.38.0)

Updates `github.com/pulumi/pulumi-random/sdk/v4` from 4.17.0 to 4.20.0
- [Release notes](https://github.com/pulumi/pulumi-random/releases)
- [Changelog](https://github.com/pulumi/pulumi-random/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-random@v4.17.0...v4.20.0)

Updates `github.com/pulumi/pulumi/pkg/v3` from 3.184.0 to 3.241.0
- [Release notes](https://github.com/pulumi/pulumi/releases)
- [Changelog](https://github.com/pulumi/pulumi/blob/master/CHANGELOG.md)
- [Commits](pulumi/pulumi@v3.184.0...v3.241.0)

Updates `github.com/pulumi/pulumi/sdk/v3` from 3.184.0 to 3.241.0
- [Release notes](https://github.com/pulumi/pulumi/releases)
- [Changelog](https://github.com/pulumi/pulumi/blob/master/CHANGELOG.md)
- [Commits](pulumi/pulumi@v3.184.0...v3.241.0)

Updates `github.com/samber/lo` from 1.38.1 to 1.53.0
- [Release notes](https://github.com/samber/lo/releases)
- [Commits](samber/lo@v1.38.1...v1.53.0)

Updates `github.com/tmc/langchaingo` from 0.1.13 to 0.1.14
- [Release notes](https://github.com/tmc/langchaingo/releases)
- [Commits](tmc/langchaingo@v0.1.13...v0.1.14)

Updates `go.mongodb.org/mongo-driver` from 1.16.1 to 1.17.9
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](mongodb/mongo-go-driver@v1.16.1...v1.17.9)

Updates `golang.org/x/crypto` from 0.50.0 to 0.51.0
- [Commits](golang/crypto@v0.50.0...v0.51.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/term` from 0.42.0 to 0.43.0
- [Commits](golang/term@v0.42.0...v0.43.0)

Updates `golang.org/x/text` from 0.36.0 to 0.37.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.36.0...v0.37.0)

Updates `google.golang.org/api` from 0.223.0 to 0.274.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.223.0...v0.274.0)

Updates `k8s.io/apimachinery` from 0.35.0 to 0.36.1
- [Commits](kubernetes/apimachinery@v0.35.0...v0.36.1)

Updates `k8s.io/client-go` from 0.35.0 to 0.36.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.0...v0.36.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.62.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/MShekow/directory-checksum
  dependency-version: 1.4.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/atombender/go-jsonschema
  dependency-version: 0.23.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/aws/aws-lambda-go
  dependency-version: 1.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.17
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/credentials
  dependency-version: 1.19.16
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/cloudflare/cloudflare-go
  dependency-version: 0.116.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/disgoorg/disgo
  dependency-version: 0.19.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/fatih/color
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/otiai10/copy
  dependency-version: 1.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-aws/sdk/v6
  dependency-version: 6.83.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-cloudflare/sdk/v6
  dependency-version: 6.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-docker/sdk/v4
  dependency-version: 4.11.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-gcp/sdk/v8
  dependency-version: 8.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-kubernetes/sdk/v4
  dependency-version: 4.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-mongodbatlas/sdk/v3
  dependency-version: 3.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-random/sdk/v4
  dependency-version: 4.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi/pkg/v3
  dependency-version: 3.241.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi/sdk/v3
  dependency-version: 3.241.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/samber/lo
  dependency-version: 1.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/tmc/langchaingo
  dependency-version: 0.1.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: go.mongodb.org/mongo-driver
  dependency-version: 1.17.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/crypto
  dependency-version: 0.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/term
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/text
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: google.golang.org/api
  dependency-version: 0.274.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@0057852...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [reecetech/version-increment](https://github.com/reecetech/version-increment) from 2023.10.2 to 2024.10.1.
- [Release notes](https://github.com/reecetech/version-increment/releases)
- [Commits](reecetech/version-increment@71036b2...a29aa75)

---
updated-dependencies:
- dependency-name: reecetech/version-increment
  dependency-version: 2024.10.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

# Conflicts:
#	go.sum
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

# Conflicts:
#	go.mod
#	go.sum
…abot

Dependabot PRs don't receive `secrets.SC_CONFIG` (lives in the
repo-secret namespace, not the `dependabot` one), so `build-setup`
always fails — and downstream Blacksmith jobs `needs:` it, so each
Dependabot PR was burning multi-vCPU Blacksmith minutes on a doomed
build. The cheap PR workflows (CodeQL, Semgrep, govulncheck, Fuzz,
TruffleHog, DCO) still run unchanged on every Dependabot PR; they're
on free ubuntu-latest and catch the supply-chain risk that matters for
dependency bumps.

Codeowners can opt a Dependabot PR back into the full Blacksmith build
by adding the `ci-run` label (most useful right before merging a
consolidated dep PR). `pull_request.types: [opened, synchronize,
reopened, labeled]` ensures the label add re-triggers the workflow.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Three breaking-change adapters introduced by the consolidated bumps in
this branch, none of which Dependabot's auto-tidy could fix on its own:

- disgo v0.18.5 → v0.19.3 (gomod group): `webhook.Client` switched
  from interface to struct, so the `alertSender.client` field becomes
  `*webhook.Client`. `Client.CreateMessage` also gained a required
  `rest.CreateWebhookMessageParams{}` argument — pass an empty value
  to preserve the previous default behaviour.

- pulumi-cloudflare/sdk v6.2.0 → v6.15.0 (gomod group):
  `cloudflare.LookupZoneResult.ZoneId` changed from `*string` to
  `string`. Drop the `lo.FromPtr(...)` wrapper at the 4 call sites in
  registrar.go.

- pulumi/pkg/v3 v3.184.0 → v3.241.0 (gomod group):
  `backend.RemoveStack` signature gained a fourth `removeBackups bool`
  arg. Pass `false` at both destroy.go call sites to preserve the
  pre-bump behaviour (no backup deletion).

Also picks up the go.sum hash update for pulumi-command/sdk v1.2.1
that `go mod tidy` performed after the manual merge resolution.

`go build ./...` and `go test -count=1 -run '^$' -vet=off ./...` both
pass. The `go vet` printf warnings surfaced in this tree are
pre-existing on main and stem from the local Go 1.26 being stricter
than CI's Go 1.25 — not from this batch.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…o bump

The gomod-minor-and-patch group required k8s.io v0.36.1, which in turn
required bumping the `go` directive from 1.25.10 to 1.26.0. Go 1.26's
stricter govet/staticcheck linters surfaced 8 pre-existing printf
mismatches and 6 SA1019 deprecations that previously passed under
1.25. All fixed:

printf (govet) — wrong type or wrong arg count, 8 sites:
- aws_lambda.go: 3 %q verbs but 2 args (dropped extra %q)
- ecs_fargate.go: %q on *EcsFargateInput → %+v
- adopt_redis.go: %q on *string → dereference before logging
- cloudrun.go: %q on *CloudRunInput → %+v
- gke_autopilot.go: %s on pulumi.StringOutput → %v
- redis.go: 4 %q verbs but 3 args (dropped extra %q)
- kube_run.go: %q on *string → lo.FromPtr(...)
- simple_container.go: %s on pulumi.StringPtrOutput → %v

staticcheck SA1019 — deprecated symbol use, 6 sites:
- login.go: workspace.PulumiHomeEnvVar → package-local const
  pulumiHomeEnvVar = "PULUMI_HOME". The deprecated SDK symbol points to
  env.Home (a Var indirection), which would couple us to the env.Var
  API for no behavioural change; "PULUMI_HOME" is a stable CLI contract.
- bucket_uploader.go / kms_key.go / provider.go:
  gcpOptions.WithCredentialsJSON is deprecated by Google as a "potential
  security risk" but Google offers no equivalent in-memory replacement —
  all suggested alternatives require disk or SecretManager round-trips,
  neither of which fits these flows. Suppressed per-line with
  //nolint:staticcheck and a justification comment.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
CI from the first push of the deps-consolidation branch surfaced
three remaining issues all triggered by the same `go 1.25.10 → 1.26.0`
bump:

1. **`go vet` printf non-constant-format on 40+ Logger callsites.**
   Default `go test` runs vet, so all packages using Logger.Info /
   Debug / Warn / Error with `fmt.Sprintf(...)`, `color.XxxFmt(...)`,
   or a bare variable as the format argument now build-fail. Wrapped
   each with an explicit `"%s",` first arg. Touches ch_cloudwatch_alert,
   ch_healthevent_trigger, cancel, deploy, destroy, login, preview,
   provision, gcp/bucket_uploader, aws/cloudtrail_security_alerts,
   provisioner/deploy. Behaviour identical — same string is logged.

2. **`Test_appendUserPasswordToMongoUri` failure.** Go 1.26's
   `net/url.Parse` rejects MongoDB-style multi-host URIs
   (`mongodb://a:27017,b:27017,c:27017/db?opts`) — "invalid port
   after host". The util was already wrong (silently returned the
   unchanged URI for any unparseable input); the test was added in
   #228 and only ever passed under Go 1.25's looser url.Parse.
   Rewrote AppendUserPasswordAndDBToMongoUri to do string surgery
   instead of going through net/url for the input. Rewrote the test
   to verify by string assertion instead of round-tripping through
   url.Parse on the output.

3. **TruffleHog flagged a "Cloudflare API token" in `go.sum`.** The
   `h1:` SHA-256 hash for `pulumi-cloudflare/sdk v6.15.0/go.mod` is
   `WdXrlCWF8RxzVLCAGEQyCqW86lyXYfzawmtTughL/8E=`, which matches
   TruffleHog's `CloudflareApiToken` detector regex by coincidence.
   `go.sum` is a module-checksum file, not a credential carrier.
   Added it to `secret-scan-extra-excludes` in security-scan.yml
   alongside the existing docs / testdata excludes.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
govulncheck reported 17 reachable stdlib vulnerabilities in
crypto/x509 on go 1.26.0, every one of them flagged as "Fixed in:
crypto/x509@go1.26.1". The reachable trace is mostly through
pkg/assistant/mcp/server.go's MCP HTTP server eventually invoking
http.Server.Serve → x509.Certificate.Verify.

Bumping just the `go` directive (no `toolchain` line per project
policy [feedback_sc_no_toolchain]) makes setup-go install Go 1.26.1
and brings in the patched stdlib. `go build ./...` clean.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD added 5 commits May 20, 2026 15:26
CodeQL alerts on PR #279:

  go/log-injection (medium) at
    pkg/clouds/aws/helpers/ch_cloudwatch_alert.go:59
    pkg/clouds/aws/helpers/ch_healthevent_trigger.go:18

Both AWS lambda handlers logged the raw `event any` payload via
`fmt.Sprintf("...%v", event)`. The pattern was pre-existing on main —
the Go 1.26 vet failure in the previous round just kept CodeQL from
analysing these files until the fmt fix landed in this branch.

Added `sanitizeForLog(v any) string` in pkg/clouds/aws/helpers: JSON-
marshals the payload (json escapes embedded \r\n inside string fields
to literal \\n) and runs the result through a `strings.Replacer` that
strips any residual CR/LF — the latter is what CodeQL's
go/log-injection query recognises as the sanitisation sink, so the
taint trace from `event` to the logger no longer terminates in a
flagged call. Both call sites updated to use it.

govulncheck mitigation:

  govulncheck -mode=source ./... is intrinsically memory-heavy on this
  module — local benchmark: peak RSS **13.5 GiB**, wall 11:35, 9M+
  page faults building the full call graph across pulumi v3, k8s.io,
  aws-sdk-v2, langchaingo, ... (492 require lines post-#279).

  The GH-hosted ubuntu-24.04 runner has 16 GiB total RAM minus
  ~2-3 GiB for the OS + runner agent → ~13-14 GiB usable. Every
  PR-279 run died around 2m41s–4m57s with "the runner has received
  a shutdown signal" — kernel OOM-killer firing on the runner agent
  when govulncheck's RSS crossed the cliff. `cancelled_by` is null
  on every failed run, ruling out concurrency / API cancellation.

  Fix:
    GOMEMLIMIT=12GiB — soft heap cap; Go's GC throttles allocation
                       pressure as it approaches this number.
    GOGC=25         — collect 4x more often than default (100).
    timeout-minutes: 20 — extra headroom for the GC-paced scan
                          (local 11:35 → expect ~14-16 min on CI).

  No runner upgrade or `-mode=binary` downgrade — keeps coverage
  unchanged, trades wall time for memory safety.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
govulncheck's OOM mitigation in the previous commit let the scan
actually finish on CI for the first time (3m42s, ~12 GiB peak under
GOMEMLIMIT). The complete report flags 12 reachable stdlib
vulnerabilities, every one in go1.26.1, every one fixed in go1.26.2:

  GO-2026-4866  crypto/x509  excludedSubtrees case-sensitivity Auth Bypass
                             (reachable: mcp.Start → http.Server.Serve
                              → x509.Certificate.Verify)
  GO-2026-4869  archive/tar  unbounded allocation, old-GNU sparse
                             (reachable via pulumi.Context.RegisterResourceOutputs)
  GO-2026-4865  html/template  JsBraceDepth context-tracking XSS
                             (reachable: mcp.Start → http.Server.Serve)
  ... and 9 more, all stdlib, all fixed in 1.26.2

Per [feedback_sc_no_toolchain] only the `go` directive is bumped;
no `toolchain` line is added. setup-go reads go.mod and will install
go 1.26.2 (binary confirmed available on dl.google.com).

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…CVEs

After landing 1.26.2 (which closed the 12 prior stdlib CVEs flagged
under 1.26.1) govulncheck now reports 6 fresh reachable CVEs against
go1.26.2, all fixed in 1.26.3:

  GO-2026-4986  net/mail
  GO-2026-4982  html/template
  GO-2026-4980  html/template
  GO-2026-4977  net/mail
  GO-2026-4971  net
  GO-2026-4918  net/http

The Go team is shipping security patches in rapid succession this
month; 1.26.3 is currently the latest stable release on go.dev. Per
[feedback_sc_no_toolchain] only the `go` directive is bumped — no
`toolchain` line. Binary confirmed available on dl.google.com.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…robes

Two Scorecard warnings on PR #279 left after the deps consolidation:

1. **Pinned-Dependencies**: the sole `goCommand not pinned by hash`
   was `go install golang.org/x/vuln/cmd/govulncheck@latest` in
   govulncheck.yml. SHA-pin to v1.3.0:
   0782b76014f15f24e22a438f30f308df42899ba1. Bumps will be 1-line PRs
   going forward.

2. **Signed-Releases / releasesHaveProvenance**: the 5 most recent
   releases each carry a `.sigstore.json` SLSA build-provenance bundle
   (from actions/attest-build-provenance@v4) which Scorecard
   recognises as a *signature*, but its provenance-probe matches
   specifically on `.intoto.jsonl`. Dual-publish each `.sigstore.json`
   as a `.intoto.jsonl` alias from create-github-release.sh — same
   bytes, second name, so cosign/sigstore consumers keep the
   canonical name and Scorecard sees provenance on every future
   release. (Scorecard#3699 tracks the upstream rule extension.)

Other Scorecard warnings already handled in earlier commits of #279:

  - GHSA-crhj-59gh-8x96 / GHSA-m7cr-m3pv-hgrp (go-git ≤5.19.0) —
    bumped to v5.19.1 in the gomod-minor-and-patch group (#275).
  - GO-2022-0635 / GO-2022-0646 (aws-sdk-go v1 s3crypto) — transitive
    via Pulumi, no reachable call, already in vex/openvex.json.
  - PYSEC-2026-89 (Python markdown) — OSV record is incomplete
    (missing fixed-event); we already pin `markdown==3.9` which is
    past the 3.8.1 fix referenced in the advisory body.

Out-of-scope follow-ups (require repo-admin action, not file edits):

  - Branch protection: require ≥2 approving reviews + codeowners
    review + apply settings to admins on `main`.
  - SAST coverage 19/30 commits: historical, no retroactive fix.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…mber empty args

push.yaml line 637 used single-quoted sed, so `${VERSION}` was written
literally into sc.sh instead of being expanded to the actual release tag.
Result: every downloaded sc.sh had `VERSION="${VERSION}"` → empty at
runtime → `semver_compare "" "$CURRENT"` → `$((2026 - ))` syntax error
for any user who already had sc installed (sc upgrade / curl | bash).

Root-cause fix (push.yaml): switch to double-quoted sed so the CI env var
expands before the sed script is built.

Belt-and-suspenders fix (sc.sh):
- compareNumber: guard one-empty-arg cases (previously only both-empty)
- version-compare block: skip semver_compare when VERSION is empty rather
  than crashing; empty VERSION = no specific target = always fetch latest

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
@Cre-eD

Cre-eD commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #342 (same fix, clean 1-commit branch off main)

@Cre-eD Cre-eD closed this Jun 24, 2026
Cre-eD added a commit that referenced this pull request Jun 25, 2026
## Root cause

`push.yaml` line 637 used a **single-quoted** `sed` script:

```bash
sed -i -e 's/VERSION="0\.0\.0"/VERSION="${VERSION}"/g' ...
```

Single quotes suppress shell expansion, so the literal string
`${VERSION}` was written into every distributed `sc.sh`. At runtime
(user's shell), `$VERSION` is unset → `VERSION=""`. Then:

```
semver_compare "" "2026.x.y"
  → compareNumber "" "2026"
  → $((2026 - ))   ← syntax error
```

Broke **everyone** doing `sc upgrade` or `curl … | bash` who already had
sc installed.

## Changes

**`push.yaml`** — switch to double-quoted sed so the CI env var expands
at build time:
```bash
sed -i -e "s/VERSION=\"0\\.0\\.0\"/VERSION=\"${VERSION}\"/" ...
```

**`sc.sh`** — two belt-and-suspenders guards so the script never crashes
even if `VERSION` is empty for any other reason:
- `compareNumber`: handle one-empty-arg cases (was only guarding
both-empty)
- version-compare block: skip `semver_compare` when `VERSION` is empty;
an empty target version means "fetch latest", so the default
`VERSION_COMPARE="1"` is correct

## Test plan

- [x] Preview build passed:
https://github.com/simple-container-com/api/actions/runs/28106034257
- [ ] After next release: `curl -s
https://dist.simple-container.com/sc.sh | grep ^VERSION=` should show
the baked version, not `${VERSION}`
- [ ] `sc upgrade` on an already-installed sc completes without syntax
error

Closes #341

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants