Supply-chain hardening, CI, and test hermeticity from the system critique #3
Merged
Track uv.lock so the monitor-manager's dependencies are pinned like everything else (the venv bspwmrc runs at every login was the one unpinned artifact in the repo). Provisioning now syncs with --locked. test_resolve_laptop_by_edid_when_output_name_differs assumed the tracked profiles pin the fixture's synthetic EDID hash, but they pin real hardware hashes, so the test failed deterministically. It now re-pins a profile copy to the fixture's hash at runtime, and the fixture's stale header comment is corrected.
Replace the >=-floor version checks with exact pins: any deviation (missing, older, newer, unparseable) reinstalls the pinned artifact so every machine converges to the same binary. Release tarballs (uv, glab, lazygit, starship, fzf) and the nvm installer are now verified against recorded sha256s from the upstream releases' published checksums before anything is installed - a version pin alone still trusts whatever the release URL serves. Both scripts now run set -euo pipefail and every failure path is fatal (die) instead of warn-and-continue; previously they exited 0 even when a download or the bspwm venv build failed, and the failure surfaced later as a broken graphical login. Shared helpers move to provision-lib.sh so the two scripts can't drift apart; each remains independently runnable. Also fixes NVM_DIR: provisioning hardcoded ~/.nvm while bashrc prefers $XDG_CONFIG_HOME/nvm when set, so on XDG machines node was installed where the shell never looks. The nvm installer now also runs with PROFILE=/dev/null so it can never append to the repo-symlinked bashrc. The desktop venv build uses uv sync --locked against the now-tracked lockfile.
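The exact-pin and verify-before-install model this commit describes, as an added shell example that is not the repo's provision-lib.sh. Function names, the curl flags, and the convergence helper are this example's choices; the digest passed to the fetch is assumed to have been recorded from the upstream release's published checksum file, exactly as the commit message describes. The version comparison is a string equality on purpose: newer, older, missing and unparseable all fall through to reinstall, so no machine can drift above or below the pin.

```shell
#!/usr/bin/env bash
# Added example (not provision-lib.sh): exact pin check plus sha256-verified fetch.
# Assumptions: the expected digest comes from the upstream release's checksum
# file; tool names and versions used below are illustrative.
set -eu
# pipefail is not POSIX; turn it on where the running shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

die() { printf 'fatal: %s\n' "$*" >&2; exit 1; }

# Exact pin: only an identical version string passes. Missing, older, newer or
# unparseable installed versions all return 1, which callers treat as "reinstall".
pin_matches() {
    local installed=$1 pinned=$2
    [ -n "$installed" ] && [ "$installed" = "$pinned" ]
}

# Hex sha256 of a file, with fallbacks for hosts without coreutils sha256sum.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# 0 when the file's digest equals the recorded one (hex compared case-insensitively).
sha256_matches() {
    local actual expected
    actual=$(digest_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download to a temp path next to the destination, verify, and only then move it
# into place: nothing downstream ever sees an unverified artifact, and a mismatch
# is fatal rather than a warning. A pin alone still trusts whatever the URL serves.
fetch_verified() {
    local url=$1 expected=$2 dest=$3 tmp
    tmp=$(mktemp "${dest}.XXXXXX")
    curl -fsSL --retry 3 -o "$tmp" "$url" || { rm -f "$tmp"; die "download failed: $url"; }
    sha256_matches "$tmp" "$expected" || { rm -f "$tmp"; die "sha256 mismatch for $url"; }
    mv "$tmp" "$dest"
}

# Convergence decision for one tool: $1 tool, $2 pinned version,
# $3 version the installed binary reports ('' when it is absent).
pin_action() {
    if pin_matches "$3" "$2"; then
        echo "keep $1 $2"
    else
        echo "reinstall $1 $2"
    fi
}
```

A provisioning script would call `pin_action` for each tool and, on `reinstall`, run `fetch_verified` with the recorded digest before extracting or executing anything from the download.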
The field was parsed out of the jq array but never rendered (shellcheck SC2034).
The menu-option variables contain spaces and glyphs; unquoted case patterns match them as globs (shellcheck SC2254).
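What SC2254 is warning about, as an added example that is not the repo's menu script. The option strings are constructed for the demonstration; the point is that an unquoted variable in a case pattern is a glob, so an option containing bracket or star characters either never matches its own label or matches unrelated input.

```shell
# Added example (not the repo's menu script): unquoted vs quoted case patterns.
# Option labels below are constructed; real menus carry spaces and glyphs too.
OPT_LOCK='Lock [l]'
OPT_QUIT='Log out [q]'

# Unquoted pattern: "[l]" is a bracket expression matching a single "l", so the
# literal label "Lock [l]" never matches, while "Lock l" wrongly does.
unsafe_dispatch() {
    case "$1" in
        $OPT_LOCK) echo lock ;;
        $OPT_QUIT) echo logout ;;
        *) echo none ;;
    esac
}

# Quoted pattern: the value is compared literally, which is what SC2254 asks for.
safe_dispatch() {
    case "$1" in
        "$OPT_LOCK") echo lock ;;
        "$OPT_QUIT") echo logout ;;
        *) echo none ;;
    esac
}
```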
The 198-test pytest suite previously had nothing running it; a deterministically failing test on main went unnoticed. Tests run on ubuntu-24.04 (the newest machine this repo targets) under xvfb, since one safety-snapshot test shells out to real xrandr. uv is installed through provision-lib.sh's pinned, sha256-verified installer, which also exercises the supply-chain path on every run. shellcheck -S warning covers every tracked file with a sh/bash shebang, so new scripts are picked up automatically.
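Detecting "every tracked file with a sh/bash shebang" automatically, as an added shell example that is not the repo's CI workflow. It reads only the first line of each tracked file, so new scripts are picked up without registering them anywhere; the interpreter names it accepts and the handling of `env` are this example's choices. Filenames containing newlines or spaces are not handled by the xargs step.

```shell
# Added example (not the repo's workflow): find tracked shell scripts by shebang
# and run shellcheck over them. Accepted interpreter names are an assumption.

# Interpreter named on a file's shebang line; prints nothing when there is none.
shebang_interpreter() {
    local first interp
    first=$(head -n 1 "$1" 2>/dev/null) || return 0
    case "$first" in
        '#!'*) ;;
        *) return 0 ;;
    esac
    interp=${first#"#!"}
    interp=${interp# }              # tolerate "#! /bin/sh"
    interp=${interp#/usr/bin/env }  # "#!/usr/bin/env bash" -> "bash"
    interp=${interp##*/}            # basename of the interpreter path
    interp=${interp%% *}            # drop arguments such as "-e"
    printf '%s\n' "$interp"
}

# 0 when the file declares a POSIX sh or bash-family interpreter.
has_shell_shebang() {
    case "$(shebang_interpreter "$1")" in
        sh|bash|dash|ash) return 0 ;;
        *) return 1 ;;
    esac
}

# Every git-tracked regular file with a shell shebang, one per line.
tracked_shell_scripts() {
    git ls-files | while IFS= read -r f; do
        if [ -f "$f" ] && has_shell_shebang "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# shellcheck at the warning severity the CI job uses; fails the job on findings.
lint_tracked_scripts() {
    local scripts
    scripts=$(tracked_shell_scripts)
    if [ -z "$scripts" ]; then
        echo "no tracked shell scripts"
        return 0
    fi
    printf '%s\n' "$scripts" | xargs shellcheck -S warning
}
```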
git-prompt.sh and bazel_completions.bash are symlinked by ./install; sourcing them unguarded made every shell opened between provisioning and install error out. They now follow the same existence-guard pattern as every other integration in the file. The stock Ubuntu ls/ll/la/l aliases were dead weight: the lsd aliases further down always overrode them. Also document that the __git_ps1 prompt is the deliberate fallback for shells where starship is skipped (dumb terminals, agentic CLIs).
force/create/relink move into the link defaults instead of being sprinkled per-entry. Previously about half the links were forced and half were not, so on a machine with pre-existing files install failed partway through with no pattern to which links survived. Now the repo is uniformly authoritative for every linked path and each entry collapses to the short form. Also documents the redshift.conf seed-by-copy intent (machines tune lat/lon locally; repo updates deliberately don't propagate) and switches the venv build to uv sync --locked.
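The before/after shape of that change, as an added illustration that is not the repo's install.conf.yaml. The link paths are assumptions; the dotbot keys are real: `force` replaces an existing file at the target, `relink` replaces an existing symlink, and `create` makes missing parent directories, and a `defaults` entry applies them to every link that follows.

```yaml
# Added illustration (not the repo's install.conf.yaml); paths are assumptions.

# Before: force set on some entries and not others, so on a machine with a
# pre-existing target the unforced entry fails and install stops partway.
- link:
    ~/.bashrc:
      path: bashrc
      force: true
    ~/.config/bspwm/bspwmrc: bspwm/bspwmrc   # no force: fails if the file exists

# After: the defaults make the repo authoritative for every linked path, and
# each entry collapses to the short "target: source" form.
- defaults:
    link:
      create: true
      relink: true
      force: true
- link:
    ~/.bashrc: bashrc
    ~/.config/bspwm/bspwmrc: bspwm/bspwmrc
```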
Record that provisioning targets Ubuntu 22.04+ on x86_64 only, and update the supply-chain section for the exact-pin + sha256 model: version pins converge in both directions, artifacts are verified before install, and the monitor-manager venv is covered by the committed uv.lock. Also mention provision-lib.sh and the CI workflow in the layout descriptions.
Seven test files loaded profiles/ (production config whose EDID pins are real-hardware hashes) as test input. Most only depended on the profiles' shape, but the coordinator EDID test depended on a pin value matching the synthetic xrandr fixture, and broke silently when the pins were updated to real hashes. Tests now run against synthetic profiles in tests/fixtures/profiles/, whose laptop edid is pinned to the xrandr fixture's hash by construction; the coordinator test asserts that invariant with a message pointing at both files, replacing the runtime re-pinning workaround. Verified hermetic: with profiles/ removed, everything passes except the new test_tracked_profiles.py, which deliberately loads the real profiles to keep the parse/merge/validate guarantee the suite used to provide implicitly, and additionally checks every pin is a 16-char truncated hash so a raw EDID can never leak into a public file.
64a8010 to 9b221f2
Implements the fixes agreed on from the dotfile-system critique. Nine scoped commits, each independently reviewable.
Supply-chain hardening
- … install.sh at the pinned v0.40.3 tag.
- … set -euo pipefail and every failure path is fatal. Previously they exited 0 even when a download or the bspwm venv build failed, deferring the failure to the next graphical login.
- … provision-lib.sh; both scripts remain independently runnable.
- … ~/.nvm while bashrc prefers $XDG_CONFIG_HOME/nvm when set. The nvm installer also runs with PROFILE=/dev/null so it can never append to the repo-symlinked bashrc.
Lockfile and CI
- uv.lock is committed and all syncs use --locked, closing the gap where the venv bspwmrc runs at every login was the one unpinned artifact in the repo.
- … shellcheck -S warning over every tracked script with a sh/bash shebang (detected automatically). CI installs uv through provision-lib.sh, exercising the verified-download path on every run.
Bugs found and fixed along the way
- test_resolve_laptop_by_edid_when_output_name_differs had been failing deterministically: it depended on the tracked profiles pinning the synthetic fixture's EDID hash, but they pin real hardware hashes. Exactly the class of failure the missing CI would have caught.
- … profiles/ directory at all. They use synthetic profiles in tests/fixtures/profiles/, and the new test_tracked_profiles.py is the one deliberate exception, validating that the real profiles parse, merge, and validate, plus asserting every EDID pin is a 16-char truncated hash so a raw EDID can never leak into this public repo. Verified hermetic by running the suite with profiles/ removed: only the tracked-profiles test fails.
Robustness and docs
- … source lines (shells opened between provisioning and install no longer error), drops the dead stock ls aliases, and documents the starship-fallback prompt layering.
- install.conf.yaml moves force/create/relink into the link defaults so all 25 links converge uniformly instead of roughly half being forced. Documents the redshift.conf seed-by-copy intent.
Test plan
- xvfb-run -a uv run pytest: 200 passed, 20 subtests passed.
- shellcheck -S warning over all 23 tracked scripts: clean.
- … ./install (dotbot submodule clone blocked); install.conf.yaml was validated statically. Worth one ./install run on a real machine.
🤖 Generated with Claude Code
https://claude.ai/code/session_01SnU9EQrAZfjjhTTTt1PFAr