feat(release): FTPS robustness — passive mode, TLS min, cert pinning, CA override, and optional insecure

scripts/release-push.js

@@ -132,10 +132,25 @@ const baseUrl = `${scheme}://${host}${port ? `:${port}` : ''}${remoteDir}`;
 
 // Prepare common curl flags
 const curlBase = ['curl', '--fail', '--ftp-create-dirs'];
+// Optional passive mode
+if (String(process.env.FTP_PASSIVE || '').toLowerCase() === 'true') {
+  curlBase.push('--ftp-pasv');
+}
+// Optional TLS min version
+const tlsMin = String(process.env.TLS_MIN || '').trim();
+if (tlsMin === '1.2') curlBase.push('--tlsv1.2');
+else if (tlsMin === '1.3') curlBase.push('--tlsv1.3');
 if (protocol === 'ftps' && useExplicitFtps) {
   // Explicit FTPS (FTPES): connect plain on port 21 and then upgrade to TLS
   // Modern curl prefers --ssl-reqd; keep compatibility with older --ftp-ssl-reqd if available
   curlBase.push('--ssl-reqd');
+  // Security knobs: either pin the server cert public key, supply a custom CA bundle, or allow insecure as last resort
+  const pinned = process.env.TLS_PINNED_PUBKEY;
+  const cacert = process.env.TLS_CACERT;
+  const insecure = String(process.env.TLS_INSECURE || '').toLowerCase() === 'true';
+  if (pinned) curlBase.push('--pinnedpubkey', JSON.stringify(pinned));
+  if (cacert) curlBase.push('--cacert', JSON.stringify(cacert));
+  if (insecure) curlBase.push('--insecure');
 }
 // Detect curl option support dynamically to stay compatible with older curl versions
 function curlSupports(opt) {