
Supply-chain hardening, CI, and test hermeticity from the system critique #3

Merged
krishna-bala merged 9 commits into main from claude/dotfile-system-critique-0hpl5e on Jul 2, 2026

Conversation

@krishna-bala (Owner)

Implements the fixes agreed on from the dotfile-system critique. Nine scoped commits, each independently reviewable.

Supply-chain hardening

  • Version pins are now exact: an installed version that differs from its pin in either direction is reinstalled at the pin, so machines converge on identical binaries.
  • Every release tarball (uv, glab, lazygit, starship, fzf) and the nvm installer is verified against a recorded sha256 before install. Hashes were taken from each upstream release's published checksum files; the glab tarball was additionally downloaded and hashed directly to confirm. nvm publishes no checksums, so its hash was computed from install.sh at the pinned v0.40.3 tag.
  • Both provision scripts run set -euo pipefail and every failure path is fatal. Previously they exited 0 even when a download or the bspwm venv build failed, deferring the failure to the next graphical login.
  • Shared helpers live in provision-lib.sh; both scripts remain independently runnable.
  • Fixes NVM_DIR: provisioning hardcoded ~/.nvm while bashrc prefers $XDG_CONFIG_HOME/nvm when set. The nvm installer also runs with PROFILE=/dev/null so it can never append to the repo-symlinked bashrc.

Lockfile and CI

  • uv.lock is committed and all syncs use --locked, closing the gap where the venv bspwmrc runs at every login was the one unpinned artifact in the repo.
  • New CI workflow runs the test suite under xvfb on ubuntu-24.04 and shellcheck -S warning over every tracked script with a sh/bash shebang (detected automatically). CI installs uv through provision-lib.sh, exercising the verified-download path on every run.

Bugs found and fixed along the way

  • test_resolve_laptop_by_edid_when_output_name_differs had been failing deterministically: it depended on the tracked profiles pinning the synthetic fixture's EDID hash, but they pin real hardware hashes. Exactly the class of failure the missing CI would have caught.
  • Follow-up refactor: tests no longer read the tracked profiles/ directory at all. They use synthetic profiles in tests/fixtures/profiles/, and the new test_tracked_profiles.py is the one deliberate exception, validating that the real profiles parse, merge, and validate, plus asserting every EDID pin is a 16-char truncated hash so a raw EDID can never leak into this public repo. Verified hermetic by running the suite with profiles/ removed: only the tracked-profiles test fails.
  • Two shellcheck warnings fixed (unused status-line field, unquoted case patterns in powermenu.sh).

Robustness and docs

  • bashrc guards the two unguarded source lines (shells opened between provisioning and install no longer error), drops the dead stock ls aliases, and documents the starship-fallback prompt layering.
  • install.conf.yaml moves force/create/relink into the link defaults so all 25 links converge uniformly instead of roughly half being forced. Documents the redshift.conf seed-by-copy intent.
  • README/CLAUDE.md state the Ubuntu 22.04+ x86_64 assumption and the updated exact-pin + sha256 policy, including the bump workflow (update version and hash from upstream checksums, review, re-run).

Test plan

  • xvfb-run -a uv run pytest: 200 passed, 20 subtests passed.
  • shellcheck -S warning over all 23 tracked scripts: clean.
  • Provision helpers exercised against a real tarball (verified install, exact-pin match/reject, fatal abort with nonzero exit on hash mismatch).
  • Not runnable in this sandbox: a full ./install (dotbot submodule clone blocked); install.conf.yaml was validated statically. Worth one ./install run on a real machine.

🤖 Generated with Claude Code

https://claude.ai/code/session_01SnU9EQrAZfjjhTTTt1PFAr
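What the exact-pin plus sha256 policy in the description looks like as shell, written here as an added example; it is not the repo's provision-lib.sh, and the function names (`installed_version`, `needs_reinstall`, `verify_sha256`, `install_verified`, `ensure_tool`) and the local-path branch in `install_verified` are assumptions made so the example runs offline.

```bash
#!/usr/bin/env bash
# Added example (not the repo's provision-lib.sh): exact version pins and
# sha256 verification of a release artifact before anything is installed.
# All function names here are hypothetical.
set -euo pipefail

die() { printf 'fatal: %s\n' "$*" >&2; exit 1; }

# Print the installed X.Y.Z version of a command, or nothing when the
# command is absent or its --version output carries no such token.
installed_version() {
  local bin="$1"
  command -v "$bin" >/dev/null 2>&1 || return 0
  "$bin" --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1 || true
}

# An exact pin: any deviation (missing, older, newer, unparseable) means
# the pinned artifact is reinstalled. No >= floor, no "newer is fine".
needs_reinstall() {
  local installed="${1:-}" pinned="$2"
  [ "$installed" != "$pinned" ]
}

# Compare the file's sha256 with the recorded hash; 0 on match, 1 otherwise.
verify_sha256() {
  local file="$1" expected="$2" actual
  [ -r "$file" ] || return 1
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# Fetch to a temp file, verify, and only then move into place. A mismatch
# removes the temp file and aborts with a nonzero exit; nothing is installed.
# URLs are fetched with curl; a plain path is copied so the example runs offline.
install_verified() {
  local src="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp)"
  case "$src" in
    http://*|https://*) curl -fsSL "$src" -o "$tmp" || { rm -f "$tmp"; die "download failed: $src"; } ;;
    *) cp "$src" "$tmp" ;;
  esac
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    die "sha256 mismatch for $src (refusing to install)"
  fi
  mv "$tmp" "$dest"
}

# Typical call site: the pin and hash are literals recorded in the script,
# taken from the upstream release's published checksum file.
ensure_tool() {
  local name="$1" pinned="$2" src="$3" expected="$4" dest="$5"
  if needs_reinstall "$(installed_version "$name")" "$pinned"; then
    install_verified "$src" "$expected" "$dest"
  fi
}
```

The recorded hash is copied from upstream's published checksum file at bump time, never computed from the artifact the script itself just downloaded; otherwise the check would only prove the file matched itself.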


claude added 9 commits July 2, 2026 18:59
Track uv.lock so the monitor-manager's dependencies are pinned like
everything else (the venv bspwmrc runs at every login was the one
unpinned artifact in the repo). Provisioning now syncs with --locked.

test_resolve_laptop_by_edid_when_output_name_differs assumed the
tracked profiles pin the fixture's synthetic EDID hash, but they pin
real hardware hashes, so the test failed deterministically. It now
re-pins a profile copy to the fixture's hash at runtime, and the
fixture's stale header comment is corrected.

Replace the >=-floor version checks with exact pins: any deviation
(missing, older, newer, unparseable) reinstalls the pinned artifact so
every machine converges to the same binary. Release tarballs (uv, glab,
lazygit, starship, fzf) and the nvm installer are now verified against
recorded sha256s from the upstream releases' published checksums before
anything is installed - a version pin alone still trusts whatever the
release URL serves.

Both scripts now run set -euo pipefail and every failure path is fatal
(die) instead of warn-and-continue; previously they exited 0 even when
a download or the bspwm venv build failed, and the failure surfaced
later as a broken graphical login. Shared helpers move to
provision-lib.sh so the two scripts can't drift apart; each remains
independently runnable.

Also fixes NVM_DIR: provisioning hardcoded ~/.nvm while bashrc prefers
$XDG_CONFIG_HOME/nvm when set, so on XDG machines node was installed
where the shell never looks. The nvm installer now also runs with
PROFILE=/dev/null so it can never append to the repo-symlinked bashrc.
The desktop venv build uses uv sync --locked against the now-tracked
lockfile.

The field was parsed out of the jq array but never rendered
(shellcheck SC2034).

The menu-option variables contain spaces and glyphs; unquoted case
patterns match them as globs (shellcheck SC2254).

The 198-test pytest suite previously had nothing running it; a
deterministically failing test on main went unnoticed. Tests run on
ubuntu-24.04 (the newest machine this repo targets) under xvfb, since
one safety-snapshot test shells out to real xrandr. uv is installed
through provision-lib.sh's pinned, sha256-verified installer, which
also exercises the supply-chain path on every run.

shellcheck -S warning covers every tracked file with a sh/bash
shebang, so new scripts are picked up automatically.

git-prompt.sh and bazel_completions.bash are symlinked by ./install;
sourcing them unguarded made every shell opened between provisioning
and install error out. They now follow the same existence-guard
pattern as every other integration in the file.

The stock Ubuntu ls/ll/la/l aliases were dead weight: the lsd aliases
further down always overrode them. Also document that the __git_ps1
prompt is the deliberate fallback for shells where starship is
skipped (dumb terminals, agentic CLIs).

force/create/relink move into the link defaults instead of being
sprinkled per-entry. Previously about half the links were forced and
half were not, so on a machine with pre-existing files install failed
partway through with no pattern to which links survived. Now the repo
is uniformly authoritative for every linked path and each entry
collapses to the short form.

Also documents the redshift.conf seed-by-copy intent (machines tune
lat/lon locally; repo updates deliberately don't propagate) and
switches the venv build to uv sync --locked.

Record that provisioning targets Ubuntu 22.04+ on x86_64 only, and
update the supply-chain section for the exact-pin + sha256 model:
version pins converge in both directions, artifacts are verified
before install, and the monitor-manager venv is covered by the
committed uv.lock. Also mention provision-lib.sh and the CI workflow
in the layout descriptions.

Seven test files loaded profiles/ (production config whose EDID pins
are real-hardware hashes) as test input. Most only depended on the
profiles' shape, but the coordinator EDID test depended on a pin value
matching the synthetic xrandr fixture, and broke silently when the
pins were updated to real hashes.

Tests now run against synthetic profiles in tests/fixtures/profiles/,
whose laptop edid is pinned to the xrandr fixture's hash by
construction; the coordinator test asserts that invariant with a
message pointing at both files, replacing the runtime re-pinning
workaround. Verified hermetic: with profiles/ removed, everything
passes except the new test_tracked_profiles.py, which deliberately
loads the real profiles to keep the parse/merge/validate guarantee
the suite used to provide implicitly, and additionally checks every
pin is a 16-char truncated hash so a raw EDID can never leak into a
public file.
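The automatic shebang detection the CI commit describes (shellcheck over every tracked file with a sh/bash shebang, so new scripts are picked up without editing the workflow), as an added example that is not the repo's workflow file. It walks a directory with `find` instead of `git ls-files` so it runs anywhere, and the function names `shell_scripts_in` and `shellcheck_tracked` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not the repo's CI workflow): find every file whose first
# line is a sh or bash shebang and run shellcheck over them. Function names
# are hypothetical; a real workflow would start from `git ls-files`.
set -euo pipefail

# Print the sorted paths of files whose first line is a sh/bash shebang.
# Matches "#!/bin/sh", "#!/usr/bin/env bash", "#!/bin/bash -e" and similar;
# other interpreters (python, perl, zsh) and shebang-less files are skipped.
shell_scripts_in() {
  local root="$1" f first
  find "$root" -type f | sort | while IFS= read -r f; do
    first=""
    IFS= read -r first < "$f" || true   # single-line files have no trailing newline
    case "$first" in
      "#!"*/sh|"#!"*/sh" "*|"#!"*/bash|"#!"*/bash" "*|"#!"*"/env sh"|"#!"*"/env sh "*|"#!"*"/env bash"|"#!"*"/env bash "*)
        printf '%s\n' "$f" ;;
    esac
  done
}

# Run shellcheck at warning severity over every detected script. Returns
# nonzero if any file has findings, 0 when every file is clean or when
# there is nothing to check; 127 if shellcheck is not installed.
shellcheck_tracked() {
  local root="$1" scripts
  scripts="$(shell_scripts_in "$root")"
  [ -n "$scripts" ] || return 0
  command -v shellcheck >/dev/null 2>&1 || { echo "shellcheck not installed" >&2; return 127; }
  printf '%s\n' "$scripts" | {
    status=0
    while IFS= read -r f; do
      shellcheck -S warning "$f" || status=1
    done
    exit "$status"
  }
}
```

The detection keys on the interpreter in the shebang rather than on a `.sh` extension, which is what lets extension-less scripts (and scripts with a `-e` style flag after the interpreter) be covered while Python or zsh files with a shebang are left alone.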
@krishna-bala krishna-bala force-pushed the claude/dotfile-system-critique-0hpl5e branch from 64a8010 to 9b221f2 Compare July 2, 2026 19:01
@krishna-bala krishna-bala merged commit d824e79 into main Jul 2, 2026
2 checks passed