chore: replace chocolatey with native binaries by mihaibuzgau · Pull Request #6639 · snyk/cli

mihaibuzgau · 2026-03-12T15:22:57Z

Pull Request Submission Checklist

Follows CONTRIBUTING guidelines
Commit messages
are release-note ready, emphasizing
what was changed, not how.
Includes detailed description of changes
Contains risk assessment (Low | Medium | High)
Highlights breaking API changes (if applicable)
Links to automated tests covering new functionality
Includes manual testing instructions (if necessary)
Updates relevant GitBook documentation (PR link: ___)
Includes product update to be announced in the next stable release notes

What does this PR do?

Migrates Windows CI from Chocolatey to native installers for Node.js, Python 3.12.8, .NET SDK 8, Maven, Gradle, and GNU Make, each with pinned versions and SHA256 verification.
Centralizes Windows PATH management via C:\tools-cache\snyk-env.ps1, making installed tools consistently available across CircleCI steps and jobs.

Where should the reviewer start?

.circleci/config.yml
.circleci/windows/*.ps1

How should this be manually tested?

In CircleCI, run the full Windows pipeline on a test branch:

Confirm build windows amd64 and sign windows amd64 pass and produce expected artifacts.
Confirm acceptance-tests windows amd64 pass, including SBOM tests that rely on Maven and Python.

What's the product update that needs to be communicated to CLI users?

There is no functional CLI behavior change for end users; this PR only changes how Windows CI builds and tests the CLI.

snyk-io · 2026-03-12T16:44:59Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

mihaibuzgau · 2026-03-16T12:13:23Z

/review

mihaibuzgau · 2026-03-16T12:25:08Z

/review

mihaibuzgau · 2026-03-16T12:46:33Z

/review

mihaibuzgau · 2026-03-16T12:57:31Z

/review

mihaibuzgau · 2026-03-16T13:11:21Z

/review

mihaibuzgau · 2026-03-16T13:31:16Z

/review

mihaibuzgau · 2026-03-17T07:37:32Z

/review

mihaibuzgau · 2026-03-17T07:54:16Z

/review

snyk-pr-review-bot · 2026-03-17T08:51:35Z

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review Potential Path Mismatch 🟠 [major] The script hardcodes several candidate directories for Python 3.12 (e.g., `C:\Program Files\Python312`). However, the installer version is set to `3.12.8`. If the native Python installer changes its default installation path pattern in future 3.12.x releases, or if it installs to a version-specific subdirectory not covered by the `candidateDirs` list, the script will fail to find the installation and will not update the `snyk-env.ps1` script, leading to missing `python` commands in subsequent CI steps. $candidateDirs = @( "C:\Program Files\Python312", "C:\Python312", (Join-Path $Env:LOCALAPPDATA 'Programs\Python\Python312') ) Ambiguous File Resolution 🟠 [major] The search logic for `make.exe` uses `Get-ChildItem -Recurse` and throws an error if more than one `make.exe` is found. If the downloaded archive contains multiple copies of the binary (e.g., in different architecture folders or debug/release folders) or if a previous failed run left artifacts behind, the build will fail with an "Ambiguous make.exe location" error. if ($candidates.Count -gt 1) { $paths = ($candidates \| Select-Object -ExpandProperty FullName) -join ', ' throw "Ambiguous make.exe location after extraction; found multiple candidates: $paths" } Version Coupling Risk 🟡 [minor] The `expectedNodeVersion` is hardcoded to `20.11.1` and the script throws an error if it doesn't match `.nvmrc`. This creates a maintenance burden where developers must remember to update this PowerShell script every time the Node version is bumped in `.nvmrc`, otherwise the Windows CI will fail immediately. $expectedNodeVersion = '20.11.1' $expectedSha256 = 'c54f5f7e2416e826fd84e878f28e3b53363ae9c3f60a140af4434b2453b5ae89' # Resolve repo root from script location (script is in .circleci/windows) $repoRoot = Resolve-Path (Join-Path $PSScriptRoot '..\..') $nvmrcPath = Join-Path $repoRoot '.nvmrc' if (-not (Test-Path $nvmrcPath)) { throw ".nvmrc not found at $nvmrcPath" } $nvmVersion = (Get-Content $nvmrcPath -Raw).Trim() if ([string]::IsNullOrWhiteSpace($nvmVersion)) { throw ".nvmrc is empty at $nvmrcPath" } if ($nvmVersion -ne $expectedNodeVersion) { throw ".nvmrc version '$nvmVersion' does not match expected Node.js version '$expectedNodeVersion' used by Windows CI." }
📚 Repository Context Analyzed This review considered 23 relevant code sections from 14 files (average relevance: 0.85) cliv2/scripts/sign_windows.ps1 (lines 1-55) scripts/install-snyk.py (lines 1-205) release-scripts/upload-artifacts.sh (lines 1-328) scripts/download_go.py (lines 1-151) CONTRIBUTING.md (2 segments, lines 1-100) scripts/build-ts-binary-wrapper-locally.go (lines 1-261) scripts/jvm-install.sh (lines 1-10) ... and 7 more file(s)

PeterSchafer · 2026-03-18T11:29:10Z

.circleci/config.yml

-                  CC: << parameters.c_compiler >>
-                  MACOSX_DEPLOYMENT_TARGET: 13.0
-                command: make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=true CGO_ENABLED=0
+            # Windows static build (use PowerShell and ensure GNU make is on PATH)


Question: This block adds quite some duplication which is difficult to maintain just to load environment variables, is there a way to avoid this?

Suggestion: maybe re-use this approach.

mihaibuzgau requested review from a team as code owners March 12, 2026 15:22

mihaibuzgau marked this pull request as draft March 12, 2026 15:23