From 7456b621a50c530450d4e20342690774af6df57a Mon Sep 17 00:00:00 2001
From: joe miller
Date: Thu, 14 May 2026 23:12:46 +0000
Subject: [PATCH] ci: pin autotag binary by version + sha256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the deprecated `git.io/autotag-install` one-liner with a direct download of `autotag_linux_amd64` from a pinned release, verified against a hardcoded SHA-256.
Why:
- The installer is generated by godownloader (also deprecated upstream) and, while it does check the checksum file published with each GitHub release, those checksums are mutable — anyone who can publish a release can publish matching checksums. There's no way to pin an out-of-band expected SHA.
- autotag's maintainers are me and a couple of trusted ex-coworkers (incl. @will.milton) and I trust the code, but a compromise of the `autotag-dev` org or a maintainer account would silently flow into every pipeline that runs the installer. Hardcoding the SHA in our workflow makes that class of supply-chain attack fail loudly.
- autotag rarely changes and we only use its most basic functionality, so we don't upgrade often. Grabbing the new binary's SHA from `checksums.txt` on bump is a cheap one-time step for meaningful hardening.
See: https://github.com/autotag-dev/autotag/blob/main/README.md (CI install section) for the recommended pattern.
---
.github/workflows/release.yaml | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6c55b49..e148840 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -45,11 +45,23 @@ jobs:
 fetch-depth: 0
 fetch-tags: true
+ - name: install autotag
+ # To bump: update AUTOTAG_VERSION and fetch the new SHA from the release's
+ # checksums.txt (autotag__checksums.txt, line matching 'autotag_linux_amd64$').
+ env:
+ AUTOTAG_VERSION: 1.4.3
+ AUTOTAG_SHA256: 85e7ec97d732800bb838085fd3f2e19b2aa2ee3a8da0db7fd0aaf4113a279f3a
+ run: |
+ set -euo pipefail
+ mkdir -p "${RUNNER_TEMP}/bin"
+ curl -fsSLo "${RUNNER_TEMP}/bin/autotag" \
+ "https://github.com/autotag-dev/autotag/releases/download/v${AUTOTAG_VERSION}/autotag_linux_amd64"
+ echo "${AUTOTAG_SHA256} ${RUNNER_TEMP}/bin/autotag" | sha256sum -c -
+ chmod +x "${RUNNER_TEMP}/bin/autotag"
+
 - name: Calculate new version with autotag
 run: |
 set -xeou pipefail
-
- curl -sL https://git.io/autotag-install | sh -s -- -b "${RUNNER_TEMP}/bin"
 new_version=$(${RUNNER_TEMP}/bin/autotag -n)
 echo "new_version=$new_version" >> $GITHUB_ENV
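Review bot: `AUTOTAG_VERSION: 1.4.3` and `AUTOTAG_SHA256: 85e7ec…279f3a` in the new `env:` block are unquoted plain scalars; `1.4.3` happens to stay a string, but the bump comment invites editing exactly this value, and a two-part version such as `1.5` or `1.10` would be parsed as a float and silently change the download URL, so quote both (`AUTOTAG_VERSION: "1.4.3"` and `AUTOTAG_SHA256: "85e7ec97d732800bb838085fd3f2e19b2aa2ee3a8da0db7fd0aaf4113a279f3a"`). The verification line `echo "${AUTOTAG_SHA256} ${RUNNER_TEMP}/bin/autotag" | sha256sum -c -` shows a single space between digest and path here; GNU sha256sum's check format is `<digest>  <path>` with two spaces, and some coreutils versions reject the single-space form as having no properly formatted checksum lines, which would fail the step rather than verify the binary — if the second space was only lost in rendering this is fine, otherwise restore it. The comment's `autotag__checksums.txt` looks like an asset name that lost its version segment; confirm it against the release's actual asset list so the comment genuinely guides the next bump. The `Calculate new version with autotag` step's `run:` block appears to continue past the visible end of the hunk (the header's line counts imply one more trailing context line).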