ci(lint): Harden curl usage in 01_install.sh with fail-safe flags #33456

viktorking7 wants to merge 1 commit into bitcoin:master from viktorking7:master, changing 1 file (+2 −2)
  1. viktorking7 commented at 2:49 pm on September 22, 2025: none
    • Description:
      • What: Use stricter curl flags when fetching ShellCheck and MLC in ci/lint/01_install.sh.
      • Why: Prevent silent installs on HTTP errors and disallow non-HTTPS protocols, improving supply-chain safety.
      • Changes:
        • Replace -sL with --fail --location --proto '=https' --tlsv1.2 --silent --show-error for both downloads.
      • Impact: CI now fails explicitly on 4xx/5xx and protocol downgrades; no behavioral changes otherwise.
  2. Update 01_install.sh 59365d61de
  3. DrahtBot commented at 2:49 pm on September 22, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/33456.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

    LLM Linter (✨ experimental)

    Possible typos and grammar issues:

    • url -> curl [invalid command name; should be ‘curl’ to download from the URL]


  4. maflcko commented at 3:08 pm on September 22, 2025: member

    Thanks, but closing for now:

    • The patch is obviously wrong, as can be seen by the failing CI and the LLM linter.
    • https does not add any meaningful supply-chain safety here for GitHub release downloads, so the benefit is unclear.
    • If supply-chain safety was needed, it would be better to pin by a hash or commit id (and compile from source).

    Adding --fail seems fine, but I doubt it matters much in practice. Also, there are plenty of other places where it should be added for consistency, if it was added here.

  5. maflcko closed this on Sep 22, 2025
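The two points raised in the thread, the stricter curl flags from the PR description and maflcko's suggestion to pin the download by a hash, combined into one fetch helper. This is an added example, not code from the PR or from bitcoin/bitcoin; the function names, the placeholder URL and the expected-hash argument are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the PR or bitcoin/bitcoin): fetch a release
# artifact with fail-safe curl flags and verify it against a pinned
# SHA-256 before it is used. URL and hash in the usage line are placeholders.
set -eu

# Flags from the PR description: fail on 4xx/5xx instead of saving the
# error page, follow redirects but refuse any redirect off https, and
# require TLS 1.2 or newer.
CURL_OPTS="--fail --location --proto =https --tlsv1.2 --silent --show-error"

# sha256_of FILE -> prints the hex digest (works with coreutils or BSD tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
# Hex comparison is case-insensitive so upstream checksum files written in
# upper case still match.
verify_pinned() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $expected got $actual" >&2
    return 1
}

# fetch_pinned URL EXPECTED_SHA256 DEST -> download to a temp file, verify,
# and only then move it into place, so a bad download never lands at DEST.
fetch_pinned() {
    tmp=$(mktemp)
    # shellcheck disable=SC2086  # CURL_OPTS is intentionally word-split
    curl $CURL_OPTS --output "$tmp" "$1"
    if verify_pinned "$tmp" "$2"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (placeholder URL and hash; substitute the real release values):
# fetch_pinned "https://example.invalid/tool.tar.gz" "<sha256 from upstream>" tool.tar.gz
```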


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-09-26 15:13 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me