From a7601f0e53eb1e85254265f51fbf638cfffceb4f Mon Sep 17 00:00:00 2001
From: fullstackjam
Date: Mon, 22 Jun 2026 21:28:06 +0800
Subject: [PATCH 1/3] ci: make L4 vm-e2e robust to Homebrew tap-trust enforcement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Recent Homebrew refuses to load formulae/casks from untrusted third-party taps ('Refusing to load formula ... from untrusted tap'). This broke the L4 suite two ways on the macos-14 runner:

- TestVM_Interactive_InstallScript: 'brew install openboot' from the openbootdotdev/tap tap is refused.
- The runner ships aws/tap, azure/bicep and hashicorp/tap pre-tapped and untrusted, so brew operations the suite drives emit trust errors.

Trust all pre-existing taps in the workflow and trust openbootdotdev/tap in the install helper.

Also log the install output in TestVM_Edge_ShellActuallyWorks on failure — it previously discarded the dev-binary output, making its fast exit impossible to diagnose.
---
 .github/workflows/vm-e2e-spike.yml | 11 +++++++++++
 test/e2e/vm_edge_cases_test.go | 4 ++--
 test/e2e/vm_helpers_test.go | 2 ++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/vm-e2e-spike.yml b/.github/workflows/vm-e2e-spike.yml
index 2717f76..5b5df47 100644
--- a/.github/workflows/vm-e2e-spike.yml
+++ b/.github/workflows/vm-e2e-spike.yml
@@ -20,6 +20,17 @@ jobs:
 - name: Build binary
 run: make build
 
+ # GitHub's macos-14 image ships with third-party taps (aws/tap,
+ # azure/bicep, hashicorp/tap) pre-installed. Recent Homebrew refuses
+ # to load formulae/casks from untrusted taps, which breaks `brew`
+ # operations the L4 suite drives. Trust everything already tapped so
+ # the runner behaves like a normal dev machine.
+ - name: Trust pre-existing Homebrew taps
+ run: |
+ brew tap | while read -r t; do
+ [ -n "$t" ] && brew trust "$t" 2>/dev/null || true
+ done
+
 - name: Run L4 vm tests
 run: |
 go test -v -timeout 55m -tags="e2e,vm" \
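Review bot: The loop in the new `Trust pre-existing Homebrew taps` step hides every `brew trust` outcome behind `2>/dev/null || true`, so on a Homebrew that lacks the subcommand, or that refuses to trust a tap, the step passes green and the trust error only resurfaces in the later test step with no hint that this step did nothing. Keeping stderr and reporting the result, e.g. `brew trust "$t" || echo "warning: could not trust tap $t"`, would make the workflow log show what was actually trusted. The same masking appears in the `brew trust openbootdotdev/tap 2>/dev/null || true` line added to vmInstallViaBrew in test/e2e/vm_helpers_test.go, where the failure then surfaces only at `brew install openboot`. Trusting every tap the runner image happens to ship also widens what the suite will load; if the pre-tapped taps only produce noise rather than blocking the suite, trusting openbootdotdev/tap explicitly and naming the image taps individually would keep the intent reviewable.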
diff --git a/test/e2e/vm_edge_cases_test.go b/test/e2e/vm_edge_cases_test.go
index a0caecf..632e7c9 100644
--- a/test/e2e/vm_edge_cases_test.go
+++ b/test/e2e/vm_edge_cases_test.go
@@ -36,8 +36,8 @@ func TestVM_Edge_ShellActuallyWorks(t *testing.T) {
 bin := vmCopyDevBinary(t, vm)
 
 // Install with shell setup
- _, err := vmRunDevBinaryWithGit(t, vm, bin, "install --preset minimal --silent --shell install --dotfiles skip --macos skip")
- require.NoError(t, err)
+ out, err := vmRunDevBinaryWithGit(t, vm, bin, "install --preset minimal --silent --shell install --dotfiles skip --macos skip")
+ require.NoError(t, err, "install failed, output:\n%s", out)
 
 t.Run("zsh_login_shell_starts", func(t *testing.T) {
 // Run a command through a login zsh — this sources .zshrc
diff --git a/test/e2e/vm_helpers_test.go b/test/e2e/vm_helpers_test.go
index 522f208..ed75bc4 100644
--- a/test/e2e/vm_helpers_test.go
+++ b/test/e2e/vm_helpers_test.go
@@ -25,6 +25,8 @@ func vmInstallViaBrew(t *testing.T, vm *testutil.MacHost) string {
 script := strings.Join([]string{
 fmt.Sprintf("export PATH=%q", brewPath),
 "brew tap openbootdotdev/tap 2>/dev/null || true",
+ // Recent Homebrew refuses to install from untrusted third-party taps.
+ "brew trust openbootdotdev/tap 2>/dev/null || true",
 "brew install openboot",
 }, " && ")
 

From 4c73aa7c89a860f662620412707f582846a534c9 Mon Sep 17 00:00:00 2001
From: fullstackjam
Date: Mon, 22 Jun 2026 21:36:13 +0800
Subject: [PATCH 2/3] fix(shell): pin Oh-My-Zsh installer to immutable commit, refresh stale hash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

InstallOhMyZsh fetched the installer from the ohmyzsh master branch but verified it against a hash pinned on 2026-04-19. Upstream rewrote tools/install.sh on 2026-06-15, so every 'openboot install --shell install' now aborts with 'hash mismatch: download may be compromised' — a real user-facing break, not just a test failure.

Pin the URL to commit 96ea17080a7addd1cd8b6253422776bc237fc6b1 and refresh the hash to that commit's script (verified independently: 4534045f...77bb). Pinning URL + hash to the same immutable commit keeps them consistent so a future upstream edit can't silently break the installer again.
---
 internal/shell/shell.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/internal/shell/shell.go b/internal/shell/shell.go
index ad009de..16be634 100644
--- a/internal/shell/shell.go
+++ b/internal/shell/shell.go
@@ -20,15 +20,21 @@ import (
 "github.com/openbootdotdev/openboot/internal/ui"
 )
 
-// knownOMZInstallHash is the SHA256 of the Oh-My-Zsh install script pinned on
-// 2026-04-19 (ohmyzsh/ohmyzsh master, commit circa that date). Update this
-// constant whenever the installer script changes upstream.
-const knownOMZInstallHash = "21043aec5b791ce4835479dc33ba2f92155946aeafd54604a8c83522627cc803"
+// knownOMZInstallHash is the SHA256 of the Oh-My-Zsh install script that
+// omzInstallURL points at. Both are pinned to ohmyzsh/ohmyzsh commit
+// 96ea17080a7addd1cd8b6253422776bc237fc6b1 (2026-06-15). Pinning to an
+// immutable commit (rather than a moving branch like master) keeps the URL
+// and this hash consistent — otherwise any upstream edit to the script
+// invalidates the hash and breaks `openboot install --shell install`.
+// To bump: pick a newer commit, update the URL below, and set this to the
+// SHA256 of that commit's tools/install.sh.
+const knownOMZInstallHash = "4534045f4d983abd9716cd2f515bbe3c2b31ba5b8fd1fef147838778427477bb"
 
 const omzInstallTimeout = 10 * time.Minute
 
-// omzInstallURL is a var so tests can redirect it without a real server.
-var omzInstallURL = "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh"
+// omzInstallURL is pinned to an immutable commit (see knownOMZInstallHash).
+// It is a var so tests can redirect it without a real server.
+var omzInstallURL = "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/96ea17080a7addd1cd8b6253422776bc237fc6b1/tools/install.sh"
 
 // omzHTTPClient is a var so tests can inject a mock transport.
 var omzHTTPClient = &http.Client{Timeout: 30 * time.Second}

From dee42874664946032b1166438d1c86148285d678 Mon Sep 17 00:00:00 2001
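Review bot: The pinned commit SHA is now written twice in this hunk, once in the knownOMZInstallHash comment and once inside the omzInstallURL literal, with nothing tying them together, so the documented bump procedure ("update the URL below") can leave the comment, the URL and the hash referring to different commits. A single named constant makes the coupling explicit: `const omzPinnedCommit = "96ea17080a7addd1cd8b6253422776bc237fc6b1"` and `var omzInstallURL = "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/" + omzPinnedCommit + "/tools/install.sh"`, with the comment referring to omzPinnedCommit instead of repeating the hex. Because omzInstallURL is a var that tests redirect, a unit test asserting that the default URL contains omzPinnedCommit would catch a bump that touches only one of the two. The code that compares the download against knownOMZInstallHash is outside this hunk, so whether a mismatch still aborts before the script runs cannot be confirmed from here.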
From: fullstackjam
Date: Mon, 22 Jun 2026 21:43:40 +0800
Subject: [PATCH 3/3] chore(archtest): rebaseline no-direct-exec after shell.go comment shift

The OMZ pin comment added 6 lines, shifting the pre-existing exec.Command in InstallOhMyZsh from line 178 to 184. Same call, no new violation.
---
 internal/archtest/baseline/no-direct-exec.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/archtest/baseline/no-direct-exec.txt b/internal/archtest/baseline/no-direct-exec.txt
index e573f3a..7de4d42 100644
--- a/internal/archtest/baseline/no-direct-exec.txt
+++ b/internal/archtest/baseline/no-direct-exec.txt
@@ -14,7 +14,7 @@ internal/dotfiles/dotfiles.go:449
 internal/installer/step_system.go:132
 internal/npm/npm.go:22
 internal/permissions/screen_recording_cgo.go:21
-internal/shell/shell.go:178
+internal/shell/shell.go:184
 internal/updater/updater.go:205
 internal/updater/updater.go:212
 internal/updater/updater.go:219