
scripts/diffcheck.sh: Use secure temp files and git archive for better safety

Open maradini77 opened this issue 5 months ago • 2 comments

Summary

Refactor scripts/diffcheck.sh to improve security and reliability by replacing fixed /tmp paths with secure temporary directories and avoiding destructive git checkout.

Changes

  • Secure temp files: Use mktemp -d with automatic cleanup via trap instead of hardcoded /tmp paths
  • Non-destructive git operations: Replace git checkout HEAD^ with git archive to avoid modifying working tree state

maradini77 avatar Aug 10 '25 09:08 maradini77
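
The two changes listed above, sketched as an added shell example (it is not the contents of scripts/diffcheck.sh or of this PR). The function names `export_rev`, `diff_revs` and `make_demo_repo` and the throwaway repository are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and the sample repo are constructed here.

# Export the tree of <rev> into <dest> using git archive. Unlike
# `git checkout <rev>`, this never touches the working tree, index or HEAD.
export_rev() {  # usage: export_rev <repo> <rev> <dest>
    mkdir "$3" &&
    git -C "$1" archive --format=tar -o "$3.tar" "$2" &&
    tar -xf "$3.tar" -C "$3"
}

# Diff two revisions. Exit status follows diff: 0 same, 1 different, 2 error.
diff_revs() {  # usage: diff_revs <repo> <old-rev> <new-rev>
    (
        # mktemp -d makes a fresh mode-0700 directory with an unpredictable
        # name, so another local user cannot pre-create or symlink the path
        # the way they could with a fixed name under /tmp.
        work=$(mktemp -d) || exit 2
        trap 'rm -rf "$work"' EXIT   # cleanup on every exit path of the subshell
        export_rev "$1" "$2" "$work/old" || exit 2
        export_rev "$1" "$3" "$work/new" || exit 2
        cd "$work" && diff -ru old new
    )
}

# Constructed sample input: a throwaway repo with two commits to f.txt.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q &&
    echo one > "$repo/f.txt" &&
    git -C "$repo" add f.txt &&
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m first &&
    echo two > "$repo/f.txt" &&
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -a -m second &&
    echo "$repo"
}

# Demo: show what the last commit changed, then discard the sample repo.
demo_repo=$(make_demo_repo) && { diff_revs "$demo_repo" 'HEAD^' HEAD; rm -rf "$demo_repo"; }
```

The subshell around the body of `diff_revs` scopes both the `trap` and the `cd`, so the caller's traps and current directory are left alone.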

I didn't really write that code. The reason I'm on blame is because of the move that happened in #1432.

That said, this PR seems to unnecessarily complicate things. This script is meant to be run in GitHub Actions. It's not meant to be run by users, and doesn't need "better safety". I have no strong opinion on the subject though so if others think this is useful, go ahead.

kallewoof avatar Aug 12 '25 23:08 kallewoof

Thank you for the feedback @kallewoof.

jonatack avatar Aug 13 '25 14:08 jonatack