
feat: add SHA-256 checksum to release assets and verify in install script#3

Merged
23prime merged 2 commits into main from feature/release-checksum
Mar 7, 2026

Conversation

@23prime (Owner) commented Mar 7, 2026

Checklist

  • Target branch is main
  • Status checks are passing

Summary

  • release.yml generates bl-x86_64-unknown-linux-gnu.tar.gz.sha256 via sha256sum after packaging and uploads both files as release assets
  • install.sh downloads the .sha256 file alongside the tarball, runs sha256sum -c to verify before extracting, and fails fast on mismatch
  • docs/user-guide.md updated to note sha256sum requirement and describe checksum verification

Reason for change

Downloaded binaries should be verifiable by users and scripts. Generating a checksum at release time and verifying it at install time closes the integrity gap without requiring additional tooling (GPG keys, SLSA, etc.).

Changes

  • .github/workflows/release.yml: add "Generate checksum" step; include .sha256 in release assets
  • install.sh: add sha256sum to required-commands check; download and verify checksum before extraction
  • docs/user-guide.md: document sha256sum prerequisite and verification behavior
  • .cspell/dicts/project.txt: add coreutils

Summary by CodeRabbit

  • New Features

    • Release artifacts now include SHA-256 checksum files alongside tarball packages.
    • Installer now verifies SHA-256 checksums before extracting downloaded packages.
  • Documentation

    • User guide updated with prerequisites, checksum verification steps, and example for custom install directory.
  • Chores

    • Spell checker dictionary updated with an additional term.

…ript

release.yml now generates a .sha256 file alongside the tarball and
uploads both to GitHub Releases. install.sh downloads and verifies the
checksum before extracting, failing fast on mismatch.
Copilot AI review requested due to automatic review settings March 7, 2026 04:31
@coderabbitai bot commented Mar 7, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between bbacd6a and 013e51d.

📒 Files selected for processing (2)
  • docs/user-guide.md
  • install.sh
🚧 Files skipped from review as they are similar to previous changes (2)
  • docs/user-guide.md
  • install.sh

Walkthrough

Adds SHA-256 checksum generation to the release workflow, updates the installer to download and verify checksum files before extracting binaries, and documents the verification prerequisites and install steps; also adds "coreutils" to the spell-check dictionary.

Changes

  • Spell Checker Dictionary (.cspell/dicts/project.txt): Added the word coreutils to the project spell-check dictionary.
  • Release Workflow (.github/workflows/release.yml): Adds a step to generate a SHA-256 checksum for the built tarball and updates the release action to include the checksum file in uploaded artifacts.
  • Installer & Docs (install.sh, docs/user-guide.md): Installer now detects SHA-256 tooling (sha256sum / shasum -a 256), downloads .sha256 alongside the tarball, verifies checksum before extraction, and aborts on mismatch; docs updated with prerequisites (curl, tar, sha256 tool) and install workflow details.

Sequence Diagram(s)

sequenceDiagram
    participant CI as CI Workflow
    participant GH as GitHub Release
    participant User as User
    participant Installer as install.sh
    participant Artifact as Tarball+Sha256

    CI->>Artifact: Build tarball
    CI->>Artifact: Generate SHA-256 checksum
    CI->>GH: Upload tarball and .sha256
    GH-->>User: Release artifacts available
    User->>Installer: Run install script
    Installer->>User: Check prerequisites (curl, tar, sha256 tool)
    Installer->>GH: Download tarball
    Installer->>GH: Download .sha256
    Installer->>Installer: Verify tarball matches checksum
    alt Verification successful
        Installer->>Artifact: Extract and install binary
    else Verification failed
        Installer->>User: Abort with error
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through builds with tiny paws,
I saved each file with careful laws,
A SHA-256 twirl, verified and true,
Now installs bounce safe — hop, hop, woo-hoo! 🥕✨

🚥 Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately and concisely summarizes the main objective of the PR: adding SHA-256 checksums to release assets and verifying them in the install script, which aligns with all the key changes across the workflow, documentation, and installation script.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.


Copilot AI left a comment

Pull request overview

Adds SHA-256 checksums to published release artifacts and enforces checksum verification in the installer to improve download integrity.

Changes:

  • Generate and upload a .sha256 file alongside the Linux tarball in the release workflow.
  • Update install.sh to download the checksum and verify it with sha256sum -c before extracting/installing.
  • Document the new checksum verification behavior and sha256sum prerequisite.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

  • install.sh: Downloads .sha256 and verifies the tarball checksum before extraction.
  • docs/user-guide.md: Documents checksum verification and required tooling.
  • .github/workflows/release.yml: Produces and uploads the .sha256 release asset.
  • .cspell/dicts/project.txt: Adds coreutils to project dictionary.

Addresses review comment: sha256sum unavailable on macOS by default
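
The download-then-verify step that the PR summary, the CodeRabbit walkthrough and the Copilot overview describe, written out as an added POSIX sh example. This is not the project's install.sh or release.yml; it assumes (the PR does not say) that the .sha256 asset holds the one-line `<hex>  <filename>` record that `sha256sum FILE > FILE.sha256` writes, and that the tarball is saved next to it under the same basename. It also carries the `shasum -a 256` fallback the walkthrough mentions for macOS, and two checks a reviewer would want around `sha256sum -c`: the recorded filename must match the tarball actually downloaded, and `-c` must run from the tarball's directory, since it resolves that filename relative to the current directory. The function names and the placeholder "tarball" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the project's install.sh or release.yml: verify a
# downloaded tarball against a sha256sum-style ".sha256" asset before
# extracting it, with the shasum fallback for macOS.
# Assumptions (not stated in the PR): the .sha256 file holds the one-line
# "<64 hex chars>  <filename>" record that `sha256sum FILE > FILE.sha256`
# writes, and the tarball sits next to it under the same basename.

# Print the SHA-256 command to use: GNU coreutils sha256sum, else the
# Perl-based `shasum -a 256` that macOS ships; fail if neither exists.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum"
  elif command -v shasum >/dev/null 2>&1; then
    echo "shasum -a 256"
  else
    echo "error: need sha256sum or shasum" >&2
    return 1
  fi
}

# verify_checksum TARBALL SUMFILE
# Returns 0 only when SUMFILE is well formed, names TARBALL, and the digest
# matches. Two details matter for `-c`: it resolves the filename recorded in
# SUMFILE relative to the current directory, so we chdir to the tarball's
# directory; and it would happily check some other file if the recorded
# name differed, so the name is compared explicitly first.
verify_checksum() {
  tarball=$1
  sumfile=$2
  tool=$(sha256_tool) || return 1

  # A truncated or empty .sha256 download must not pass as "nothing to check".
  expected_hex= expected_name=
  read -r expected_hex expected_name < "$sumfile" || :
  expected_name=${expected_name#\*}   # drop sha256sum's binary-mode marker
  if [ ${#expected_hex} -ne 64 ]; then
    echo "error: malformed checksum file $sumfile" >&2
    return 1
  fi
  if [ "$expected_name" != "$(basename "$tarball")" ]; then
    echo "error: checksum file names '$expected_name', not '$(basename "$tarball")'" >&2
    return 1
  fi

  case $sumfile in
    /*) sumfile_abs=$sumfile ;;
    *)  sumfile_abs=$PWD/$sumfile ;;
  esac
  # $tool is deliberately unquoted so "shasum -a 256" splits into words.
  ( cd "$(dirname "$tarball")" && $tool -c "$sumfile_abs" >/dev/null )
}

# Self-contained demonstration on a constructed release (no network):
# writes a placeholder "tarball" (the check is byte-level, so the content
# format does not matter), records its digest exactly as release.yml's
# sha256sum step would, verifies it, then corrupts a byte and verifies
# again. Returns 0 only if the intact file passes and the altered one fails.
demo_verify() {
  work=$(mktemp -d) || return 1
  name=bl-x86_64-unknown-linux-gnu.tar.gz
  tool=$(sha256_tool) || return 1
  printf 'constructed placeholder tarball bytes\n' > "$work/$name"
  ( cd "$work" && $tool "$name" > "$name.sha256" ) || return 1

  status=0
  if verify_checksum "$work/$name" "$work/$name.sha256"; then
    echo "PASS: intact tarball verified"
  else
    echo "FAIL: intact tarball rejected"; status=1
  fi

  # Simulate a corrupted or substituted download: append one byte.
  printf 'X' >> "$work/$name"
  if verify_checksum "$work/$name" "$work/$name.sha256"; then
    echo "FAIL: altered tarball accepted"; status=1
  else
    echo "PASS: altered tarball rejected (install would abort here)"
  fi

  rm -rf "$work"
  return $status
}

demo_verify
```

A .sha256 fetched from the same release as the tarball catches corrupted, truncated or mis-served downloads, which is the gap the PR targets; it does not detect substitution by whoever can write the release assets, which is why the description names GPG keys or SLSA as the additional tooling it deliberately leaves out.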
@23prime (Owner, Author) commented Mar 7, 2026

@coderabbitai please review

@coderabbitai bot commented Mar 7, 2026

@23prime Sure! I'll start reviewing the changes in PR #3 now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@23prime 23prime merged commit 9e3e7ef into main Mar 7, 2026
9 checks passed
@23prime 23prime deleted the feature/release-checksum branch March 7, 2026 05:00