Skip to content

Conversation

@maciej-lech
Copy link

This PR implements the feature discussed in #2473.

It introduces a new --trust CLI flag and a corresponding remote.trust configuration option in taskrc. These options are available when the Remote Taskfiles experiment is enabled.

The --trust flag can be specified multiple times to define trusted hosts (optionally including ports). Any remote Taskfiles fetched from these trusted hosts will not prompt for confirmation on their initial download or when their checksums change.

Closes #2473

@curtbushko
Copy link

Looking forward to this feature!

// Extract host from server URL for trust testing
parsedURL, err := url.Parse(srv.URL)
require.NoError(t, err)
trustedHost := parsedURL.Host
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't I trust URLs? I trust github.com/myself but I don't trust github.com/shady.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about that, but using URLs requires more assumptions how to compare provided URL with the trust config.

  1. Exact match, so full URL comparison. In my case it would require configuring every single remote taskfiles (more than dozen now) which is not a big deal, but may not be a best DX.
  2. Prefix match. A problem: I want to trust https://github.com/myself but not https://github.com/myselfHackedByShady - which could be easily solved by setting https://github.com/myself/ and not https://github.com/myself. So maybe this is the best way.
  3. Glob-like style: https://github.com/myself/* or extended version https://github.com/myself/**/*
  4. Regex: https:\/\/github\.com\/myself\/.*

@vmaerten vmaerten self-requested a review November 29, 2025 10:05
Copy link
Member

@vmaerten vmaerten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your PR!
I would prefer using trusted-hosts instead of trust (both in the CLI and in the config file).

Comment on lines +47 to +71
// Merge Trust lists - combine both lists with other's entries taking precedence
// Remove duplicates by using a map
if len(other.Remote.Trust) > 0 {
seen := make(map[string]bool)
merged := []string{}

// Add other's hosts first
for _, host := range other.Remote.Trust {
if !seen[host] {
seen[host] = true
merged = append(merged, host)
}
}

// Then add base's hosts that aren't duplicates
for _, host := range t.Remote.Trust {
if !seen[host] {
seen[host] = true
merged = append(merged, host)
}
}

t.Remote.Trust = merged
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the order doesn’t matter (a host is trusted regardless of its position in the slice), we can simplify it to:

Suggested change
// Merge Trust lists - combine both lists with other's entries taking precedence
// Remove duplicates by using a map
if len(other.Remote.Trust) > 0 {
seen := make(map[string]bool)
merged := []string{}
// Add other's hosts first
for _, host := range other.Remote.Trust {
if !seen[host] {
seen[host] = true
merged = append(merged, host)
}
}
// Then add base's hosts that aren't duplicates
for _, host := range t.Remote.Trust {
if !seen[host] {
seen[host] = true
merged = append(merged, host)
}
}
t.Remote.Trust = merged
}
if len(other.Remote.Trust) > 0 {
merged := slices.Concat(other.Remote.Trust, t.Remote.Trust)
slices.Sort(merged)
t.Remote.Trust = slices.Compact(merged)
}

Comment on lines +392 to +393
task --trust github.com --trust gitlab.com -t https://github.com/user/repo.git//Taskfile.yml
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
task --trust github.com --trust gitlab.com -t https://github.com/user/repo.git//Taskfile.yml
task --trust github.com --trust gitlab.com -t https://github.com/user/repo.git//Taskfile.yml
task --trust github.com,gitlab.com -t https://github.com/user/repo.git//Taskfile.yml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Remote Taskfiles: add a new trust mechanism

4 participants