From 058704e644ca53ab8b7c4abba25866d0483ca4a3 Mon Sep 17 00:00:00 2001
From: Jay Gowdy
Date: Wed, 4 Mar 2026 10:41:43 -0800
Subject: [PATCH 1/2] Replace curl|bash Bun install with oven-sh/setup-bun action

Replaces manual curl|bash installation and path wrangling with the official oven-sh/setup-bun@v2 GitHub Action in both test and publish workflows.
---
 .github/workflows/publish.yml | 32 +-------------------------------
 .github/workflows/test.yml | 25 +------------------------
 2 files changed, 2 insertions(+), 55 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cd253b4..0e071fa 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,39 +13,9 @@ jobs:
 options: --ulimit core=-1 --ulimit memlock=-1:-1
 steps:
 - uses: actions/checkout@v4
- - name: Install Bun
- run: |
- set -e # Exit on error
- # GitHub Actions containers set HOME=/github/home
- export BUN_INSTALL="/github/home/.bun"
- echo "Installing Bun to $BUN_INSTALL..."
- curl -fsSL https://bun.sh/install | bash
- echo "Checking if Bun was installed..."
- ls -la /github/home/.bun/bin/ || echo "Bun directory not found at /github/home/.bun/bin/"
- # Try alternative location if primary fails
- if [ ! -f "/github/home/.bun/bin/bun" ]; then
- echo "Bun not at /github/home/.bun/bin/bun, checking $HOME/.bun/bin/bun..."
- ls -la $HOME/.bun/bin/ || echo "Bun not at $HOME/.bun/bin/ either"
- if [ -f "$HOME/.bun/bin/bun" ]; then
- cp $HOME/.bun/bin/bun /usr/local/bin/bun
- else
- echo "ERROR: Could not find Bun binary after installation"
- exit 1
- fi
- else
- cp /github/home/.bun/bin/bun /usr/local/bin/bun
- fi
- chmod +x /usr/local/bin/bun
- /usr/local/bin/bun --version
+ - uses: oven-sh/setup-bun@v2
 - name: Install packages
 run: npm install
- - name: Verify Bun is available
- run: |
- echo "Checking Bun availability..."
- ls -la /usr/local/bin/bun || echo "/usr/local/bin/bun not found"
- which bun || echo "bun not in PATH"
- /usr/local/bin/bun --version || echo "Cannot run /usr/local/bin/bun"
- bun --version || echo "Cannot run bun directly"
 - name: Test
 run: npm test
 - name: Set version to match tag
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4d55b5c..9b6bb35 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
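Review bot: The new `- uses: oven-sh/setup-bun@v2` step in publish.yml has no `bun-version` input, so which Bun release the job runs is left to the action's default (the latest release, as far as I know) and can change between runs with no change in this repository. For a job that presumably goes on to publish a package, fix the toolchain version next to the action by adding `with:` and `bun-version: "<version the project tests against>"` under the step. The same step in the test.yml hunk of this patch has the same gap. Pinning the action reference, as the follow-up patch does, does not pin the Bun binary the action downloads.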
@@ -30,30 +30,7 @@ jobs:
 options: --ulimit core=-1 --ulimit memlock=-1:-1
 steps:
 - uses: actions/checkout@v4
- - name: Install Bun
- run: |
- set -e # Exit on error
- # GitHub Actions containers set HOME=/github/home
- export BUN_INSTALL="/github/home/.bun"
- echo "Installing Bun to $BUN_INSTALL..."
- curl -fsSL https://bun.sh/install | bash
- echo "Checking if Bun was installed..."
- ls -la /github/home/.bun/bin/ || echo "Bun directory not found at /github/home/.bun/bin/"
- # Try alternative location if primary fails
- if [ ! -f "/github/home/.bun/bin/bun" ]; then
- echo "Bun not at /github/home/.bun/bin/bun, checking $HOME/.bun/bin/bun..."
- ls -la $HOME/.bun/bin/ || echo "Bun not at $HOME/.bun/bin/ either"
- if [ -f "$HOME/.bun/bin/bun" ]; then
- cp $HOME/.bun/bin/bun /usr/local/bin/bun
- else
- echo "ERROR: Could not find Bun binary after installation"
- exit 1
- fi
- else
- cp /github/home/.bun/bin/bun /usr/local/bin/bun
- fi
- chmod +x /usr/local/bin/bun
- /usr/local/bin/bun --version
+ - uses: oven-sh/setup-bun@v2
 - name: Install npm packages
 run: npm install
 - name: Unit Test (includes Bun test via posttest)
From eff2206154e021efdd5bf11d59960c6a5d2afdb0 Mon Sep 17 00:00:00 2001
From: Jay Gowdy
Date: Wed, 4 Mar 2026 10:44:24 -0800
Subject: [PATCH 2/2] Pin oven-sh/setup-bun to commit SHA

Pin to ecf28ddc73e819eb6fa29df6b34ef8921c743461 (v2) to prevent a compromised upstream tag from injecting code into CI.
---
 .github/workflows/publish.yml | 2 +-
 .github/workflows/test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0e071fa..ec0e9cb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
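Review bot: `run: npm install`, on the context line right after the new setup-bun step in test.yml, can resolve versions that differ from the committed lockfile when `package.json` and the lockfile disagree, so the tree under test is not guaranteed to be the one that was reviewed. If the repository carries a `package-lock.json` (not visible in this diff), `run: npm ci` installs exactly the locked versions and fails on a mismatch. The same line sits in the publish.yml hunk of this patch, where it matters more because that job presumably builds the artifact that gets released.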
@@ -13,7 +13,7 @@ jobs:
 options: --ulimit core=-1 --ulimit memlock=-1:-1
 steps:
 - uses: actions/checkout@v4
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
 - name: Install packages
 run: npm install
 - name: Test
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9b6bb35..636c598 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,7 +30,7 @@ jobs:
 options: --ulimit core=-1 --ulimit memlock=-1:-1
 steps:
 - uses: actions/checkout@v4
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
 - name: Install npm packages
 run: npm install
 - name: Unit Test (includes Bun test via posttest)
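Review bot: `actions/checkout@v4`, on the context line directly above the newly pinned step in both the publish.yml and test.yml hunks, is still referenced by a mutable tag, so the risk the commit message describes (a moved upstream tag injecting code into CI) stays open for the first step of each job. Pin it the same way, `- uses: actions/checkout@<full-commit-sha> # v4.x.y`, taking the SHA from the actions/checkout release you have reviewed. The trailing `# v2` comment on the setup-bun line names a moving major tag rather than a release. Recording the exact release tag there would let a later reader tell which release the SHA corresponds to.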