Address PR review feedback

Pin all 7 third-party GitHub Actions to commit SHAs for supply-chain
hardening (cosign-installer, sbom-action, goreleaser-action,
gitleaks-action, trivy-action, gosec, golangci-lint-action).

Fix install.sh checksum grep to use exact filename match via awk
instead of substring grep. Fix publish-aur.sh to use curl -f for
fail-fast on HTTP errors and skip commit/push when AUR is already
up to date. Handle completion generator errors via RunE instead of
silently ignoring them.

Author: jeremy

.github/workflows/release.yml

@@ -67,19 +67,22 @@ jobs:
           repositories: homebrew-tap
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
 
       - name: Install Syft
-        uses: anchore/sbom-action/download-syft@v0
+        uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0
 
       - name: Generate shell completions
         run: |
-          VERSION=${GITHUB_REF_NAME#v}
-          curl -sL "https://github.com/basecamp/fizzy-cli/releases/download/v${VERSION}/fizzy-linux-${{ matrix.goarch }}" -o fizzy
-          chmod +x fizzy
+          go build -o fizzy-tmp ./cmd/fizzy
+          mkdir -p completions
+          ./fizzy-tmp completion bash > completions/fizzy.bash
+          ./fizzy-tmp completion zsh > completions/fizzy.zsh
+          ./fizzy-tmp completion fish > completions/fizzy.fish
+          rm fizzy-tmp
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
         with:
           version: '~> v2'
           args: release --clean
@@ -104,108 +107,14 @@ jobs:
         env:
           AUR_KEY: ${{ secrets.AUR_KEY }}
         run: |
-          VERSION=${GITHUB_REF_NAME#v}
-
-          # Download source tarball and calculate checksum
-          curl -sL "https://github.com/basecamp/fizzy-cli/archive/v${VERSION}.tar.gz" -o source.tar.gz
-          SHA256=$(sha256sum source.tar.gz | cut -d' ' -f1)
-
-          # Generate PKGBUILD
-          cat > PKGBUILD << 'EOF'
-          # Maintainer: 37signals <support@37signals.com>
-          pkgname=fizzy-cli
-          pkgver=VERSION_PLACEHOLDER
-          pkgrel=1
-          pkgdesc="CLI for managing Fizzy boards, cards, and tasks"
-          arch=('x86_64' 'aarch64')
-          url="https://github.com/basecamp/fizzy-cli"
-          license=('MIT')
-          depends=('glibc')
-          makedepends=('go')
-          source=("$pkgname-$pkgver.tar.gz::https://github.com/basecamp/fizzy-cli/archive/v$pkgver.tar.gz")
-          sha256sums=('SHA256_PLACEHOLDER')
-          options=('!debug')
-
-          build() {
-              cd "$pkgname-$pkgver"
-              export CGO_CPPFLAGS="${CPPFLAGS}"
-              export CGO_CFLAGS="${CFLAGS}"
-              export CGO_CXXFLAGS="${CXXFLAGS}"
-              export CGO_LDFLAGS="${LDFLAGS}"
-              export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
-              go build -ldflags "-s -w -X main.version=${pkgver}" -o fizzy ./cmd/fizzy
-          }
-
-          package() {
-              cd "$pkgname-$pkgver"
-              install -Dm755 fizzy "$pkgdir/usr/bin/fizzy"
-              install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
-          }
-          EOF
-
-          # Remove leading whitespace from PKGBUILD
-          sed -i 's/^          //' PKGBUILD
-
-          # Replace placeholders
-          sed -i "s/VERSION_PLACEHOLDER/$VERSION/" PKGBUILD
-          sed -i "s/SHA256_PLACEHOLDER/$SHA256/" PKGBUILD
+          if [ -n "$AUR_KEY" ]; then
+            echo "available=true" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Publish to AUR
         if: steps.check.outputs.available == 'true'
         run: |
-          VERSION=${GITHUB_REF_NAME#v}
-
-          # Download SHA256 files
-          curl -sL "https://github.com/basecamp/fizzy-cli/releases/download/v${VERSION}/SHA256SUMS-darwin-amd64.txt" -o sha256-amd64.txt
-          curl -sL "https://github.com/basecamp/fizzy-cli/releases/download/v${VERSION}/SHA256SUMS-darwin-arm64.txt" -o sha256-arm64.txt
-
-          SHA256_AMD64=$(cut -d' ' -f1 sha256-amd64.txt)
-          SHA256_ARM64=$(cut -d' ' -f1 sha256-arm64.txt)
-
-          # Generate formula
-          cat > fizzy-cli.rb << 'FORMULA'
-          class FizzyCli < Formula
-            desc "CLI for managing Fizzy boards, cards, and tasks"
-            homepage "https://github.com/basecamp/fizzy-cli"
-            version "VERSION_PLACEHOLDER"
-            license "MIT"
-
-            on_macos do
-              if Hardware::CPU.arm?
-                url "https://github.com/basecamp/fizzy-cli/releases/download/v#{version}/fizzy-darwin-arm64"
-                sha256 "SHA256_ARM64_PLACEHOLDER"
-              else
-                url "https://github.com/basecamp/fizzy-cli/releases/download/v#{version}/fizzy-darwin-amd64"
-                sha256 "SHA256_AMD64_PLACEHOLDER"
-              end
-            end
-
-            def install
-              binary_name = Hardware::CPU.arm? ? "fizzy-darwin-arm64" : "fizzy-darwin-amd64"
-              bin.install binary_name => "fizzy"
-            end
-
-            test do
-              assert_match version.to_s, shell_output("#{bin}/fizzy --version")
-            end
-          end
-          FORMULA
-
-          # Remove leading whitespace and replace placeholders
-          sed -i 's/^          //' fizzy-cli.rb
-          sed -i "s/VERSION_PLACEHOLDER/${VERSION}/" fizzy-cli.rb
-          sed -i "s/SHA256_ARM64_PLACEHOLDER/${SHA256_ARM64}/" fizzy-cli.rb
-          sed -i "s/SHA256_AMD64_PLACEHOLDER/${SHA256_AMD64}/" fizzy-cli.rb
-
-          # Clone tap repo, update formula, push
-          git clone https://x-access-token:${GH_TOKEN}@github.com/robzolkos/homebrew-fizzy-cli.git
-          cd homebrew-fizzy-cli
-          cp ../fizzy-cli.rb Formula/fizzy-cli.rb
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add Formula/fizzy-cli.rb
-          git commit -m "Update fizzy-cli to ${VERSION}"
-          git push
+          scripts/publish-aur.sh
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}

.github/workflows/security.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -31,7 +31,7 @@ jobs:
     if: github.event_name != 'pull_request'
     steps:
       - uses: actions/checkout@v4
-      - uses: aquasecurity/trivy-action@master
+      - uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
         with:
           scan-type: fs
           format: sarif
@@ -47,7 +47,7 @@ jobs:
     if: github.event_name != 'pull_request'
     steps:
       - uses: actions/checkout@v4
-      - uses: securego/gosec@master
+      - uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
         with:
           args: -fmt sarif -out gosec-results.sarif ./...
       - uses: github/codeql-action/upload-sarif@v3

.github/workflows/test.yml

@@ -53,7 +53,7 @@ jobs:
         run: go vet ./...
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7
         with:
           version: v2.10
 

internal/commands/completion.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"fmt"
 	"os"
 
 	"github.com/spf13/cobra"
@@ -39,17 +40,22 @@ PowerShell:
 	DisableFlagsInUseLine: true,
 	ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
 	Args:                  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
-	Run: func(cmd *cobra.Command, args []string) {
+	RunE: func(cmd *cobra.Command, args []string) error {
+		var err error
 		switch args[0] {
 		case "bash":
-			_ = cmd.Root().GenBashCompletion(os.Stdout)
+			err = cmd.Root().GenBashCompletion(os.Stdout)
 		case "zsh":
-			_ = cmd.Root().GenZshCompletion(os.Stdout)
+			err = cmd.Root().GenZshCompletion(os.Stdout)
 		case "fish":
-			_ = cmd.Root().GenFishCompletion(os.Stdout, true)
+			err = cmd.Root().GenFishCompletion(os.Stdout, true)
 		case "powershell":
-			_ = cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
+			err = cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)
 		}
+		if err != nil {
+			return fmt.Errorf("generating %s completions: %w", args[0], err)
+		}
+		return nil
 	},
 }
 

scripts/install.sh

@@ -49,7 +49,7 @@ curl -fsSL "$CHECKSUMS_URL" -o "$TMPDIR/checksums.txt"
 # Verify SHA256
 echo "Verifying checksum..."
 cd "$TMPDIR"
-EXPECTED=$(grep "$ARCHIVE" checksums.txt | awk '{print $1}')
+EXPECTED=$(awk -v f="$ARCHIVE" '$2 == f {print $1}' checksums.txt)
 if [ -z "$EXPECTED" ]; then
   echo "WARNING: Archive not found in checksums file"
 else

scripts/publish-aur.sh

@@ -11,11 +11,11 @@ echo "Publishing fizzy-cli $VERSION to AUR..."
 
 # Download checksums from release
 CHECKSUM_URL="https://github.com/$REPO/releases/download/v${VERSION}/checksums.txt"
-curl -sL "$CHECKSUM_URL" -o checksums.txt
+curl -fsSL "$CHECKSUM_URL" -o checksums.txt
 
 # Get source tarball checksum
 SOURCE_URL="https://github.com/$REPO/archive/v${VERSION}.tar.gz"
-curl -sL "$SOURCE_URL" -o source.tar.gz
+curl -fsSL "$SOURCE_URL" -o source.tar.gz
 SHA256=$(sha256sum source.tar.gz | cut -d' ' -f1)
 rm source.tar.gz
 
@@ -101,8 +101,12 @@ cd aur-repo
 git config user.name "fizzy-release-bot"
 git config user.email "fizzy-release-bot@users.noreply.github.com"
 git add PKGBUILD .SRCINFO
-git commit -m "Update to $VERSION"
-git push
+if git diff --cached --quiet; then
+  echo "AUR package already up to date for $VERSION"
+else
+  git commit -m "Update to $VERSION"
+  git push
+fi
 
 echo "Published fizzy-cli $VERSION to AUR"
 rm -f checksums.txt