[Artifacts] Save md5 hash for each artifact upload #1494
Conversation
|
Failing tests are unrelated, just like on my last PR. See #1488 (comment) |
|
|
||
| hashStream.end() | ||
| md5Hash = hashStream.read() as string | ||
| core.info(`MD5 hash of uploaded artifact zip is ${md5Hash}`) |
There was a problem hiding this comment.
Out of curiosity, will printing the hash get a little noisy? Maybe we could make this a debug log?
There was a problem hiding this comment.
I'd prefer to at last initially keep this in the logs. We're not going to immediately expose the hash via our REST APIs for artifacts unless we do more work so there is no real way for users to get this information unless we log it. When we expose this potentially in our APIs then we could make this debug but for now it's good information to display
* Hash artifact upload using md5 * Add imports * Small tweaks * PR feedback * PR Feedback
|
@konradpabjan Sorry for commenting here, but I found out that this pr introduced a new dependency "crypto" in https://github.com/actions/toolkit/pull/1494/files#diff-3a2287638a98ab8c93525fe63e6e7e35a2e3be09bd2e4db80173c68ed83c72f8R47, which is marked as deprecated and hold nothing for use. Maybe this dependency can be removed? |
Tracking: https://github.com/github/c2c-actions-checks/issues/1699
This builds up on the work that was done in #1479, #1481, #1486 and #1487 and #1488
We want to save a hash of the artifact upload for integrity. Unfortunately the response from
uploadStreamdoes not have an MD5 hash value. There is a crc64 value in the raw headers but it doesn't appear to be officially documented in the azure blob NPM package so we're not going to try to use it as a result.We can't also call
blobClient.propertiesto get a hash after the upload finished since the token only has permissions to create and write, not read.I'm using a solution that I found here. We pipe the zip stream to a crypto stream on the side and after the upload finishes we can read the hash and save if with the finalize call. When we get to download artifact we can then return this value and do integrity checks and a host of other things.
Here is an example run with the code running E2E after doing
npm linkand setting everything up with a fork that I've been using for testing: https://github.com/bbq-beets/testing-artifacts-v4/actions/runs/5869253502/job/15913849975I verified afterwards if the hash of the zip is correct by downloading the artifact and manually inspecting it and things work 馃憤