Revert make.com vendoring, download with SHA-256 verification #5684

Merged
compulim merged 6 commits into feat/qol-improvements from copilot/revert-make-com-commit
Feb 3, 2026

Copilot AI commented Feb 3, 2026

Revert make.com vendoring and add SHA verification ✓ COMPLETE

All Tasks Completed:

  • Explore repository structure and understand current state
  • Add make.com to .gitignore file
  • Update package.json scripts to download make.com with SHA verification
  • Add SHA-256 hash for verification (hardcoded in script)
  • Add documentation comment about source code location
  • Delete the vendored make.com file
  • Move chmod after SHA verification for security
  • Test the changes and verify implementation
  • Run code review and address feedback
  • Address review comment: Remove makeComSha256 field from package.json
  • Address review comment: Reorder build:pre to run local-dependencies before setup
  • Address review comment: Use more specific .gitignore patterns

Summary of Changes:

Files Modified (3):

  1. packages/test/test-assets/.gitignore - Added make.com to ignore list with specific patterns
  2. packages/test/test-assets/package.json - Added SHA verification download script and documentation
  3. packages/test/test-assets/make.com - Deleted (1.7MB binary removed)

Key Features:

  • ✓ SHA-256 verification hardcoded in script: 7b14377fbd6fff445abbf922583112c25a678b375eea624bd1765f74756f54fb
  • ✓ Automatic download from https://cosmo.zip/pub/cosmos/bin/make
  • ✓ Security: chmod only after SHA verification passes
  • ✓ Backwards compatible: Uses system make if available
  • ✓ Clear error messages on hash mismatch
  • ✓ Automatic cleanup on verification failure
  • ✓ Specific .gitignore patterns with leading/trailing slashes

Build Workflow:

  1. Build local dependencies first (build:pre:local-dependencies)
  2. Setup make.com if needed (build:pre:setup)
  3. Start watch process (build:pre:watch)
  4. Execute build with verified binary

Latest Changes (addressing review feedback):

  • Removed makeComSha256 field from package.json
  • Hardcoded SHA-256 hash directly in build:pre:setup script
  • Reordered build:pre to run build:pre:local-dependencies before build:pre:setup
  • Updated .gitignore patterns to use leading / and trailing / for more specific matching
  • Simplified package.json structure while maintaining security verification

Original prompt

Objective

Revert commit dbb466214aa5a524b015b5f39a7b0b933bb77822 (this commit only) to remove the vendored make.com file and instead download it from the Internet with SHA verification.

Specific Changes Required

1. Revert the commit changes:

Based on commit dbb466214aa5a524b015b5f39a7b0b933bb77822, you need to:

In packages/test/test-assets/.gitignore:

  • Add back make.com to the gitignore file (it was removed in the commit)

In packages/test/test-assets/package.json:

Current state (after the commit):

"build:pre": "npm run build:pre:local-dependencies && npm run build:pre:watch",
"build:pre:local-dependencies": "../../../scripts/npm/build-local-dependencies.sh",
"build:pre:watch": "../../../scripts/npm/build-watch.sh",
"build:run": "./make.com clean all",

Change it to download make.com from the Internet:

"build:pre": "npm run build:pre:setup && npm run build:pre:local-dependencies && npm run build:pre:watch",
"build:pre:local-dependencies": "../../../scripts/npm/build-local-dependencies.sh",
"build:pre:setup": "command -v make >/dev/null 2>&1 || { [ -x ./make.com ] || { curl -fsSL -o make.com https://cosmo.zip/pub/cosmos/bin/make && chmod +x make.com; }; }",
"build:pre:watch": "../../../scripts/npm/build-watch.sh",
"build:run": "MAKE_BIN=$(command -v make || echo ./make.com) && \"$MAKE_BIN\" clean all",

Delete the vendored file:

  • Remove packages/test/test-assets/make.com file (SHA: 78f9ae2104e65edd796820da072fde1205da828f)

2. Add SHA verification:

In packages/test/test-assets/package.json, add a new field to track the expected SHA-256 hash of the downloaded make.com file:

{
  "name": "@msinternal/test-assets",
  "version": "0.0.0-0",
  "description": "",
  "private": true,
  "author": "Microsoft Corporation",
  "license": "MIT",
  "engines": {
    "node": ">= 14.0.0"
  },
  "makeComSha256": "PLACEHOLDER_SHA256_TO_BE_CALCULATED",
  "scripts": {
    ...
  }
}

3. Implement SHA verification:

Modify the build:pre:setup script to verify the SHA-256 hash after downloading:

"build:pre:setup": "command -v make >/dev/null 2>&1 || { [ -x ./make.com ] || { curl -fsSL -o make.com https://cosmo.zip/pub/cosmos/bin/make && chmod +x make.com && EXPECTED_SHA=$(node -p 'require(\"./package.json\").makeComSha256') && ACTUAL_SHA=$(shasum -a 256 make.com | cut -d' ' -f1) && [ \"$EXPECTED_SHA\" = \"$ACTUAL_SHA\" ] || { echo \"ERROR: make.com SHA mismatch! Expected: $EXPECTED_SHA, Got: $ACTUAL_SHA\" >&2; rm make.com; exit 1; }; }; }",

4. Calculate and hardcode the actual SHA:

You need to:

  1. Download the file from https://cosmo.zip/pub/cosmos/bin/make
  2. Calculate its SHA-256 hash
  3. Replace PLACEHOLDER_SHA256_TO_BE_CALCULATED with the actual hash value

To calculate the SHA-256 hash, you can use:

curl -fsSL -o make.com https://cosmo.zip/pub/cosmos/bin/make
shasum -a 256 make.com

5. Add documentation:

Add a comment or note in the package.json file indicating the source code location:

{
  "name": "@msinternal/test-assets",
  "description": "Uses make.com from Cosmopolitan Libc. Source code available at: https://github.com/jart/cosmopolitan/tree/master/third_party/make",
  ...
}

Summary

This change will:

  1. Revert the vendoring of make.com
  2. Download it from https://cosmo.zip/pub/cosmos/bin/make instead
  3. Verify the downloaded file against a hardcoded SHA-256 hash
  4. Alert developers if the remote file changes (SHA mismatch)
  5. Document the source code location

The SHA verification ensures that if the remote make.com file changes, the build will fail with a clear error message, notifying developers of the change.

This pull request was created from Copilot chat.
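
An added example, not the project's build script: the verify-before-chmod and cleanup-on-mismatch flow described above, written as POSIX shell functions that also re-check a copy already on disk. The function names are hypothetical; the commented invocation uses the URL and hash quoted in the description.

```sh
#!/bin/sh
# Added example, not the project's build script. Function names are hypothetical.

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    echo "ERROR: no SHA-256 tool (sha256sum or shasum) found" >&2
    return 2
  fi
}

# install_verified STAGED DEST EXPECTED_SHA256
# STAGED is a fresh, non-executable download. It gains the execute bit and its
# final name only after the hash matches; on any failure it is deleted.
install_verified() {
  staged=$1; dest=$2; expected=$3
  actual=$(sha256_of "$staged") || { rm -f "$staged"; return 2; }
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: SHA-256 mismatch. Expected: $expected, got: $actual" >&2
    rm -f "$staged"
    return 1
  fi
  chmod +x "$staged" && mv -f "$staged" "$dest"
}

# ensure_tool DEST EXPECTED_SHA256 URL
# An existing copy is trusted only if it still hashes to the pinned value;
# otherwise a new copy is staged next to DEST and verified before use.
ensure_tool() {
  dest=$1; expected=$2; url=$3
  if [ -f "$dest" ] && [ "$(sha256_of "$dest")" = "$expected" ]; then
    chmod +x "$dest"
    return
  fi
  tmp=$(mktemp "$dest.XXXXXX") || return 2
  curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 3; }
  install_verified "$tmp" "$dest" "$expected"
}

# Invocation with the URL and hash quoted in the description above:
# ensure_tool ./make.com \
#   7b14377fbd6fff445abbf922583112c25a678b375eea624bd1765f74756f54fb \
#   https://cosmo.zip/pub/cosmos/bin/make
```

Staging the download under a temporary name keeps a half-written or unverified file from ever appearing as `make.com`.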



Copilot AI and others added 2 commits February 3, 2026 19:34
…ernet

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>
Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Revert commit to restore make.com handling" to "Revert make.com vendoring, download with SHA-256 verification" Feb 3, 2026
Copilot AI requested a review from compulim February 3, 2026 19:39
"scripts": {
"build": "npm run --if-present build:pre && npm run build:run && npm run --if-present build:post",
"build:pre": "npm run build:pre:local-dependencies && npm run build:pre:watch",
"build:pre": "npm run build:pre:setup && npm run build:pre:local-dependencies && npm run build:pre:watch",

@copilot

Suggested change
"build:pre": "npm run build:pre:setup && npm run build:pre:local-dependencies && npm run build:pre:watch",
"build:pre": "npm run build:pre:local-dependencies && npm run build:pre:setup && npm run build:pre:watch",


Done. Reordered to run build:pre:local-dependencies before build:pre:setup. (49fd6d2)

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>
Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>
Comment on lines 1 to 3
node_modules
out
make.com
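Review bot: ignoring `make.com` (line 3) means a copy already sitting in the working tree never shows up in `git status`, and the `build:pre:setup` script as quoted in the description skips both the download and the hash check whenever `./make.com` is already executable, so `build:run` can execute a file that was never compared against the pinned SHA-256. Re-check the hash of an existing `make.com` on every run instead of only after a fresh download.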

@copilot

Suggested change
node_modules
out
make.com
/make.com
/node_modules/
/out/


Done. Updated .gitignore to use leading / and trailing / for more specific pattern matching. (f1d8265)

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>
Copilot AI requested a review from compulim February 3, 2026 20:03
@compulim compulim marked this pull request as ready for review February 3, 2026 20:13
@compulim compulim merged commit c417014 into feat/qol-improvements Feb 3, 2026
1 check passed
@compulim compulim deleted the copilot/revert-make-com-commit branch February 3, 2026 20:13
compulim added a commit that referenced this pull request Feb 3, 2026
* feat: copilot variant styling improvements

* Self review

* Vendor make

* Cleanup

* Fix permissions

* Revert make.com vendoring, download with SHA-256 verification (#5684)

* Initial plan

* Revert make.com vendoring, add SHA verification and download from Internet

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>

* Security: Move chmod after SHA verification

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>

* Remove makeComSha256 field, hardcode SHA in build:pre:setup script

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>

* Reorder build:pre script: local-dependencies before setup

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>

* Use more specific .gitignore patterns with leading/trailing slashes

Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: compulim <1622400+compulim@users.noreply.github.com>
Co-authored-by: William Wong <compulim@users.noreply.github.com>