ci: verify changie download against pinned SHA256 before executing#245
Merged
Conversation
Both the check-changelog CI job and task install-changie were fetching the changie release tarball and executing it with no integrity check, so a replaced or tampered upstream asset would run unchallenged. - CI: pin the linux_amd64 tarball SHA256 directly, download to a temp file, sha256sum -c before extracting, extract to RUNNER_TEMP/bin (no sudo into /usr/local/bin), append to GITHUB_PATH. - Taskfile: pin the SHA256 of the upstream checksums.txt (one hash covers all four supported OS/arch tarballs), download tarball + checksums.txt, verify checksums.txt against the pin then the tarball against checksums.txt. Uses shasum -a 256 for Linux/macOS portability. Bumping CHANGIE_VERSION now requires updating the adjacent pin in both files; comments cross-reference each other. install-protoc has the same gap and predates this PR; not touched here.
|
All contributors have signed the CLA ✍️ ✅ |
iainmcgin
changed the title
azdagron
approved these changes
Jun 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #230. Both changie install paths fetched the upstream release tarball and executed it with no integrity check, so a replaced or tampered upstream asset would run unchallenged in CI (with the job's
GITHUB_TOKEN) and on developer machines.check-changelog): pin thelinux_amd64tarball's SHA256 directly; download to a temp file,sha256sum -cbefore extracting, extract to$RUNNER_TEMP/binand append to$GITHUB_PATH(no moresudointo/usr/local/bin).install-changie): pin the SHA256 of the upstreamchecksums.txt(one in-repo hash covers all four supported OS/arch tarballs); download tarball +checksums.txt, verifychecksums.txtagainst the pin, then verify the tarball againstchecksums.txt. Usesshasum -a 256so it works on both Linux and macOS.Bumping
CHANGIE_VERSIONnow requires updating the adjacent pin in both files; the comments cross-reference each other.install-protochas the identical gap (no checksum on the protoc zip) and predates #230 — left for a separate PR so this one stays a clean #230 follow-up.