chore: replace chocolatey with native binaries by mihaibuzgau · Pull Request #6639 · snyk/cli

mihaibuzgau · 2026-03-12T15:22:57Z

Pull Request Submission Checklist

Follows CONTRIBUTING guidelines
Commit messages
are release-note ready, emphasizing
what was changed, not how.
Includes detailed description of changes
Contains risk assessment (Low | Medium | High)
Highlights breaking API changes (if applicable)
Links to automated tests covering new functionality
Includes manual testing instructions (if necessary)
Updates relevant GitBook documentation (PR link: ___)
Includes product update to be announced in the next stable release notes

What does this PR do?

Migrates Windows CI from Chocolatey to native installers for Node.js, Python 3.12.8, .NET SDK 8, Maven, Gradle, and GNU Make, each with pinned versions and SHA256 verification.
Centralizes Windows PATH management via C:\tools-cache\snyk-env.ps1, making installed tools consistently available across CircleCI steps and jobs.

Where should the reviewer start?

.circleci/config.yml
.circleci/windows/*.ps1

How should this be manually tested?

In CircleCI, run the full Windows pipeline on a test branch:

Confirm build windows amd64 and sign windows amd64 pass and produce expected artifacts.
Confirm acceptance-tests windows amd64 pass, including SBOM tests that rely on Maven and Python.

What's the product update that needs to be communicated to CLI users?

There is no functional CLI behavior change for end users; this PR only changes how Windows CI builds and tests the CLI.

snyk-io · 2026-03-12T16:44:59Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

mihaibuzgau · 2026-03-16T12:13:23Z

/review

mihaibuzgau · 2026-03-16T12:25:08Z

/review

mihaibuzgau · 2026-03-16T12:46:33Z

/review

mihaibuzgau · 2026-03-16T12:57:31Z

/review

mihaibuzgau · 2026-03-16T13:11:21Z

/review

mihaibuzgau · 2026-03-16T13:31:16Z

/review

PeterSchafer · 2026-03-18T11:29:10Z

.circleci/config.yml

-                  CC: << parameters.c_compiler >>
-                  MACOSX_DEPLOYMENT_TARGET: 13.0
-                command: make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=true CGO_ENABLED=0
+            # Windows static build (use PowerShell and ensure GNU make is on PATH)


Question: This block adds quite some duplication which is difficult to maintain just to load environment variables, is there a way to avoid this?

Suggestion: maybe re-use this approach.

using a similar concept like for tests pre_test_cmds

PeterSchafer · 2026-03-19T13:37:31Z

scripts/windows/ensure-python-uv.ps1

@@ -0,0 +1,30 @@
+Param()


Suggestion: Let's move the whole folder into scripts, since there are already existing install scripts.

PeterSchafer · 2026-03-19T13:38:23Z

scripts/windows/install-dotnet-sdk.ps1

+
+try {
+  $dotnetVersion = '8.0.100'
+  $cacheDir = 'C:\tools-cache'


Suggestion/Question: Is there a reason why we don't inject the cachedir as a parameter. This would enable to have a single source of truth.

PeterSchafer · 2026-03-19T13:48:40Z

.circleci/config.yml

+          name: Restoring Windows tools cache
          keys:
-            - chocolatey-cache-full-v5-{{ arch }}-{{ checksum ".circleci/chocolatey.config" }}
+            - windows-tools-cache-v1-{{ arch }}


Issue: Based on the logs it seems the cache is not working and the dependencies are downloaded each team. This could be due to an older cache being used. Probably worth increasing to v2 to get all deps in the cache.

github-actions · 2026-03-19T16:38:34Z

	Warnings
⚠️	There are multiple commits on your branch, please squash them locally before merging!

Generated by 🚫 dangerJS against 1720659

snyk-pr-review-bot · 2026-03-20T09:17:10Z

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review Brittle Version Lock 🟠 [major] The script hard-pins `expectedNodeVersion` to '20.11.1' and throws an error if it does not exactly match `.nvmrc`. This tightly couples the CI infrastructure to the application config. If a developer updates `.nvmrc` to a newer security patch (e.g., 20.12.0) without also finding and updating this PowerShell script, the entire Windows build pipeline will break immediately. if ($nvmVersion -ne $expectedNodeVersion) { throw ".nvmrc version '$nvmVersion' does not match expected Node.js version '$expectedNodeVersion' used by Windows CI." } Possible Missing PATH Update 🟡 [minor] If the Python installer places the binary in a path not included in `candidateDirs` (e.g. a different drive or a version-specific subpath not anticipated), `$selectedDir` remains `$null`. The script does not throw or signal a failure in this case, meaning Python will not be added to the persistent `snyk-env.ps1`, likely causing subsequent CI steps to fail with 'python: command not found' errors that are harder to debug than an explicit installer error. $selectedDir = $null foreach ($dir in $candidateDirs) { if ($null -ne $dir -and (Test-Path $dir)) { $selectedDir = $dir break } } if ($selectedDir) {
📚 Repository Context Analyzed This review considered 28 relevant code sections from 11 files (average relevance: 0.52) CONTRIBUTING.md (5 segments, lines 1-100) scripts/install-snyk.py (lines 1-205) dangerfile.js (lines 1-111) help/cli-commands/test.md (lines 401-500) help/cli-commands/sbom.md (lines 201-300) cliv2/scripts/sign_windows.ps1 (lines 1-55) scripts/download_go.py (lines 1-151) ... and 4 more file(s)

mihaibuzgau requested review from a team as code owners March 12, 2026 15:22

mihaibuzgau marked this pull request as draft March 12, 2026 15:23

This comment has been minimized.

Sign in to view

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch 3 times, most recently from 821cecc to bdef5ed Compare March 12, 2026 16:31

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch 2 times, most recently from cdd8b29 to 69056fa Compare March 16, 2026 08:44

This comment has been minimized.

Sign in to view

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch from 110e69f to 765b462 Compare March 16, 2026 12:40

This comment has been minimized.

Sign in to view

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch from 765b462 to 42b39b5 Compare March 16, 2026 12:56

This comment has been minimized.

Sign in to view

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch from 42b39b5 to aa336dc Compare March 16, 2026 13:10

This comment has been minimized.

Sign in to view

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch from aa336dc to 9d7b8ac Compare March 16, 2026 13:26

This comment has been minimized.

Sign in to view

mihaibuzgau force-pushed the chore/cli-1379_useNativeWinDeps branch 4 times, most recently from 48e9b8d to 87bc5f9 Compare March 16, 2026 15:32

PeterSchafer reviewed Mar 18, 2026

View reviewed changes

PeterSchafer reviewed Mar 19, 2026

View reviewed changes

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from f606343 to 11f1ba1 Compare March 19, 2026 16:35

This comment has been minimized.

Sign in to view

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch 2 times, most recently from 669be61 to a31cc6f Compare March 19, 2026 18:56

This comment has been minimized.

Sign in to view

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from a31cc6f to 1837732 Compare March 19, 2026 19:25

This comment has been minimized.

Sign in to view

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from 1837732 to 8dcc308 Compare March 20, 2026 07:56

This comment has been minimized.

Sign in to view

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from 8dcc308 to b626996 Compare March 20, 2026 08:49

mihaibuzgau and others added 3 commits March 20, 2026 08:49

chore: replace choco with native binaries

8a7925b

chore: move windows scripts

a3ac3f5

chore: refactor windows CICD installs

1eef243

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from b626996 to 7e2f571 Compare March 20, 2026 08:49

This comment has been minimized.

Sign in to view

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from 7e2f571 to 484e989 Compare March 20, 2026 09:07

This comment has been minimized.

Sign in to view

chore: use correct windows toold cache version

1720659

j-luong force-pushed the chore/cli-1379_useNativeWinDeps branch from 484e989 to 1720659 Compare March 20, 2026 09:15

Conversation

mihaibuzgau commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request Submission Checklist

What does this PR do?

Where should the reviewer start?

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

Uh oh!

This comment has been minimized.

snyk-io bot commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Snyk checks have passed. No issues have been found so far.

Uh oh!

mihaibuzgau commented Mar 16, 2026

Uh oh!

This comment has been minimized.

mihaibuzgau commented Mar 16, 2026

Uh oh!

This comment has been minimized.

mihaibuzgau commented Mar 16, 2026

Uh oh!

This comment has been minimized.

mihaibuzgau commented Mar 16, 2026

Uh oh!

This comment has been minimized.

mihaibuzgau commented Mar 16, 2026

Uh oh!

This comment has been minimized.

mihaibuzgau commented Mar 16, 2026

Uh oh!

This comment has been minimized.

PeterSchafer Mar 18, 2026

Choose a reason for hiding this comment

Uh oh!

PeterSchafer Mar 18, 2026

Choose a reason for hiding this comment

Uh oh!

PeterSchafer Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

PeterSchafer Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

PeterSchafer Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

PeterSchafer Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

This comment has been minimized.

github-actions bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

snyk-pr-review-bot bot commented Mar 20, 2026

PR Reviewer Guide 🔍

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

mihaibuzgau commented Mar 12, 2026 •

edited

Loading

snyk-io bot commented Mar 12, 2026 •

edited

Loading

github-actions bot commented Mar 19, 2026 •

edited

Loading