feat: add --trust CLI and remote.trust config for remote tasks #2491
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Maciej Lech <[email protected]>
|
Looking forward to this feature! |
SamK
reviewed
Nov 27, 2025
| // Extract host from server URL for trust testing | ||
| parsedURL, err := url.Parse(srv.URL) | ||
| require.NoError(t, err) | ||
| trustedHost := parsedURL.Host |
Contributor
There was a problem hiding this comment.
Can't I trust URLs? I trust github.com/myself but I don't trust github.com/shady.
Author
There was a problem hiding this comment.
I was thinking about that, but using URLs requires more assumptions how to compare provided URL with the trust config.
- Exact match, so full URL comparison. In my case it would require configuring every single remote taskfiles (more than dozen now) which is not a big deal, but may not be a best DX.
- Prefix match. A problem: I want to trust
https://github.com/myselfbut nothttps://github.com/myselfHackedByShady- which could be easily solved by settinghttps://github.com/myself/and nothttps://github.com/myself. So maybe this is the best way. - Glob-like style:
https://github.com/myself/*or extended versionhttps://github.com/myself/**/* - Regex:
https:\/\/github\.com\/myself\/.*
vmaerten
reviewed
Nov 29, 2025
Member
vmaerten
left a comment
vmaerten
left a comment
There was a problem hiding this comment.
Thanks for your PR!
I would prefer using trusted-hosts instead of trust (both in the CLI and in the config file).
- It's more explicit, even if it's longer
- Tools like pip already use this flag (see: https://pip.pypa.io/en/stable/cli/pip/#cmdoption-trusted-host)
- Using the CLI with comma-separated values (
--trusted-hosts a.com,b.com) avoids repeating the flag name
Comment on lines
+47
to
+71
| // Merge Trust lists - combine both lists with other's entries taking precedence | ||
| // Remove duplicates by using a map | ||
| if len(other.Remote.Trust) > 0 { | ||
| seen := make(map[string]bool) | ||
| merged := []string{} | ||
|
|
||
| // Add other's hosts first | ||
| for _, host := range other.Remote.Trust { | ||
| if !seen[host] { | ||
| seen[host] = true | ||
| merged = append(merged, host) | ||
| } | ||
| } | ||
|
|
||
| // Then add base's hosts that aren't duplicates | ||
| for _, host := range t.Remote.Trust { | ||
| if !seen[host] { | ||
| seen[host] = true | ||
| merged = append(merged, host) | ||
| } | ||
| } | ||
|
|
||
| t.Remote.Trust = merged | ||
| } | ||
|
|
Member
There was a problem hiding this comment.
Since the order doesn’t matter (a host is trusted regardless of its position in the slice), we can simplify it to:
Suggested change
| // Merge Trust lists - combine both lists with other's entries taking precedence | |
| // Remove duplicates by using a map | |
| if len(other.Remote.Trust) > 0 { | |
| seen := make(map[string]bool) | |
| merged := []string{} | |
| // Add other's hosts first | |
| for _, host := range other.Remote.Trust { | |
| if !seen[host] { | |
| seen[host] = true | |
| merged = append(merged, host) | |
| } | |
| } | |
| // Then add base's hosts that aren't duplicates | |
| for _, host := range t.Remote.Trust { | |
| if !seen[host] { | |
| seen[host] = true | |
| merged = append(merged, host) | |
| } | |
| } | |
| t.Remote.Trust = merged | |
| } | |
| if len(other.Remote.Trust) > 0 { | |
| merged := slices.Concat(other.Remote.Trust, t.Remote.Trust) | |
| slices.Sort(merged) | |
| t.Remote.Trust = slices.Compact(merged) | |
| } | |
Comment on lines
+392
to
+393
| task --trust github.com --trust gitlab.com -t https://github.com/user/repo.git//Taskfile.yml | ||
Member
There was a problem hiding this comment.
Suggested change
| task --trust github.com --trust gitlab.com -t https://github.com/user/repo.git//Taskfile.yml | |
| task --trust github.com --trust gitlab.com -t https://github.com/user/repo.git//Taskfile.yml | |
| task --trust github.com,gitlab.com -t https://github.com/user/repo.git//Taskfile.yml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements the feature discussed in #2473.
It introduces a new --trust CLI flag and a corresponding remote.trust configuration option in taskrc. These options are available when the Remote Taskfiles experiment is enabled.
The --trust flag can be specified multiple times to define trusted hosts (optionally including ports). Any remote Taskfiles fetched from these trusted hosts will not prompt for confirmation on their initial download or when their checksums change.
Closes #2473