Includes product update to be announced in the next stable release notes
What does this PR do?
Where should the reviewer start?
How should this be manually tested?
What's the product update that needs to be communicated to CLI users?
PR Type
Enhancement
Description
Introduce new scripts for Snyk CLI deployment monitoring.
Automate validation of release artifact SHA256 checksums.
Ensure version consistency across different distribution channels.
Refactor CI workflow to leverage new modular scripts.
Diagram Walkthrough

```mermaid
flowchart LR
    subgraph "New Scripts"
        A[compare-cdn-shasums.go]
        B[extract-release-json-hash.go]
        C[is-elf-binary.go]
        D[capture-homebrew-metadata.sh]
        E[capture-linux-metadata.sh]
        F[compare-snyk-versions.sh]
        G[helpers]
    end
    subgraph "Existing Workflow"
        H[deployment-monitor.yml]
    end
    H -- "Orchestrates and calls" --> A
    H -- "Orchestrates and calls" --> B
    H -- "Orchestrates and calls" --> C
    H -- "Orchestrates and calls" --> D
    H -- "Orchestrates and calls" --> E
    H -- "Orchestrates and calls" --> F
    H -- "Orchestrates and calls" --> G
    D -- "Uses helper" --> G
    E -- "Uses helper" --> G
    F -- "Uses helper" --> G
    A -- "Uses tool" --> C
    E -- "Uses tool" --> C
    D -- "Uses tool" --> B
```
The script explicitly filters metadata to only include static.snyk.io and downloads.snyk.io. However, capture-homebrew-metadata.sh sets BASE_URL="homebrew" and capture-linux-metadata.sh may set descriptive names like npm. These channels are silently ignored during shasum consistency checks, meaning the Homebrew binary's hash is never verified against the CDN versions despite metadata being collected for it.
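The gap described in that comment is a channel that gets captured but never compared. The following shell snippet is an added example, not code from the PR or from the Snyk CLI repository: it reads a constructed `<channel> <sha256>` metadata file and treats any channel it has no rule for as an error instead of skipping it. The channel list, the metadata layout and the hashes are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Snyk PR): compare per-channel sha256 values and
# fail closed on anything the check does not know how to interpret.

# Constructed hashes; a real run would take them from the captured metadata.
REF_SHA="1111111111111111111111111111111111111111111111111111111111111111"
BAD_SHA="2222222222222222222222222222222222222222222222222222222222222222"

# write_sample_metadata FILE: constructed metadata, one "<channel> <sha256>" per line.
write_sample_metadata() {
  cat > "$1" <<EOF
static.snyk.io $REF_SHA
downloads.snyk.io $REF_SHA
homebrew $BAD_SHA
npm $REF_SHA
EOF
}

# Channels this check knows how to compare (hypothetical list for the example).
KNOWN_CHANNELS="static.snyk.io downloads.snyk.io homebrew npm"

is_known_channel() {
  for c in $KNOWN_CHANNELS; do
    [ "$c" = "$1" ] && return 0
  done
  return 1
}

# compare_shasums FILE REFERENCE_SHA
# Returns 0 only if every line names a known channel and its sha256 equals
# REFERENCE_SHA. An unknown channel is an error rather than a silent skip: a
# channel that was captured but never compared is the blind spot a deployment
# monitor must not have.
compare_shasums() {
  file=$1; ref=$2; rc=0; n=0
  while read -r channel sha; do
    [ -z "$channel" ] && continue
    n=$((n + 1))
    if ! is_known_channel "$channel"; then
      echo "ERROR: unknown channel '$channel' (no comparison rule)" >&2
      rc=1
    elif ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{64}$'; then
      echo "ERROR: $channel: malformed sha256 '$sha'" >&2
      rc=1
    elif [ "$sha" != "$ref" ]; then
      echo "MISMATCH: $channel: $sha != $ref" >&2
      rc=1
    else
      echo "OK: $channel"
    fi
  done < "$file"
  [ "$n" -gt 0 ] || { echo "ERROR: no channels listed in $file" >&2; return 1; }
  return $rc
}

# Stand-alone demo: `sh compare-shasums-example.sh demo`
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_metadata "$tmp"
  compare_shasums "$tmp" "$REF_SHA"
  rm -f "$tmp"
fi
```

With the sample data the run reports `MISMATCH: homebrew` and exits non-zero; adding a `docker` line, for which no rule exists, also fails the run instead of being dropped by an allowlist.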
The script uses ls *.txt and for file in *.txt to collect version numbers. Since this script runs in the SNYK_VERSION_DIR where artifacts are downloaded, any unrelated text files (e.g., build logs, READMEs) will be treated as version files. This will cause the script to fail with an error or report a false version mismatch if the unrelated file does not contain a valid version string.
```bash
txt_files=$(ls *.txt 2>/dev/null || true)
if [ -z "$txt_files" ]; then
  echo "❌ No .txt files found in ${SNYK_VERSION_DIR}. Version comparison cannot proceed."
  exit 2
fi
echo "Collected Snyk versions:"
stable_versions=()
preview_versions=()
# First, sort the *.txt files containing version numbers into a preview and stable array
for file in *.txt; do
```
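A version collector that does not inherit the `ls *.txt` problem, added as an example and not taken from the PR's compare-snyk-versions.sh: it validates that each file holds exactly one version string before using it, and fails the run on anything else. The sample directory, the file names and the stable/preview classification rule (bare `MAJOR.MINOR.PATCH` is stable, a `-suffix` marks a preview build) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the PR's script): collect version files from a directory
# without treating every *.txt file as a version.

# make_sample_dir DIR: constructed sample, three version files plus a build log.
make_sample_dir() {
  dir=$1
  mkdir -p "$dir"
  printf '1.1298.0\n' > "$dir/npm.txt"
  printf '1.1298.0\n' > "$dir/homebrew.txt"
  printf '1.1299.0-preview.3\n' > "$dir/preview-npm.txt"
  printf 'build started\nall good\n' > "$dir/build-log.txt"   # not a version file
}

# classify_version STRING -> stable | preview | invalid
# Classification rule is an assumption for this example.
classify_version() {
  if printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo stable
  elif printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-[0-9A-Za-z.-]+$'; then
    echo preview
  else
    echo invalid
  fi
}

# collect_versions DIR
# Prints "stable <version>" / "preview <version>" for each *.txt file.
# Returns 1 if any file does not hold a single valid version string,
# 2 if there are no .txt files at all. No `ls` parsing: the glob is iterated
# directly and the unmatched-glob case is detected with -e.
collect_versions() {
  dir=$1; rc=0
  for f in "$dir"/*.txt; do
    [ -e "$f" ] || { echo "ERROR: no .txt files in $dir" >&2; return 2; }
    v=$(head -n 1 "$f" | tr -d '\r')          # first line, CRLF-tolerant
    lines=$(wc -l < "$f" | tr -d ' ')
    kind=$(classify_version "$v")
    if [ "$kind" = invalid ] || [ "$lines" -gt 1 ]; then
      echo "ERROR: $(basename "$f") does not hold a single version string" >&2
      rc=1
      continue
    fi
    echo "$kind $v"
  done
  return $rc
}

# versions_consistent DIR
# Succeeds only when collection succeeded and all stable versions agree and all
# preview versions agree (the two sets may legitimately differ from each other).
versions_consistent() {
  out=$(collect_versions "$1") || return 1
  for kind in stable preview; do
    distinct=$(printf '%s\n' "$out" | awk -v k="$kind" '$1 == k { print $2 }' | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -gt 1 ]; then
      echo "MISMATCH: $kind versions differ:" >&2
      printf '%s\n' "$out" | awk -v k="$kind" '$1 == k' >&2
      return 1
    fi
  done
  return 0
}

# Stand-alone demo: `sh collect-versions-example.sh demo`
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_sample_dir "$d"
  versions_consistent "$d" || echo "run failed as expected (build-log.txt is not a version file)"
  rm -rf "$d"
fi
```

On the sample directory the run fails because of `build-log.txt`; removing that file makes it pass, and changing one stable channel's version produces a `MISMATCH` for the stable set while the preview set is still accepted.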
The script generates a JSON file using a shell heredoc without any character escaping. If BINARY_NAME or VERSION (which comes from snyk --version) contains a double quote or backslash (common in pre-release or custom build strings), the resulting metadata file will be invalid JSON, causing the compare-cdn-shasums Go utility to exit with an error.
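The heredoc problem in that comment, shown side by side with a dependency-free fix, as an added example rather than code from the PR's capture scripts. The JSON field names are assumptions; the fully general answer is `jq -n --arg`, which handles every control character, and this escaper covers only backslash, double quote, tab and newline, which is enough for version strings.

```shell
#!/bin/sh
# Added example (not from the Snyk PR): emit a metadata JSON document from
# shell variables without corrupting it when a value contains quotes.

# json_escape STRING: escape a value for use inside a JSON string literal.
# Backslash is handled first, then double quotes, tabs and embedded newlines.
# Other control characters (U+0000..U+001F) are not handled; use `jq -n --arg`
# when a value can carry them.
json_escape() {
  tab=$(printf '\t')
  printf '%s\n' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g" \
    | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# write_metadata_json BINARY_NAME VERSION SHA256 BASE_URL
# Every value passes through json_escape before being placed in the document.
# Field names are hypothetical.
write_metadata_json() {
  printf '{"binary_name":"%s","version":"%s","sha256":"%s","base_url":"%s"}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" \
    "$(json_escape "$3")" "$(json_escape "$4")"
}

# The pattern under review, kept for contrast: a raw heredoc. With a VERSION
# such as 1.0.0-"rc" this produces a document that no JSON parser accepts.
write_metadata_json_unsafe() {
  cat <<EOF
{"binary_name":"$1","version":"$2","sha256":"$3","base_url":"$4"}
EOF
}

# Stand-alone demo: `sh metadata-json-example.sh demo`
if [ "${1:-}" = "demo" ]; then
  echo "unsafe: $(write_metadata_json_unsafe snyk '1.0.0-"rc"' SHA_PLACEHOLDER homebrew)"
  echo "safe:   $(write_metadata_json snyk '1.0.0-"rc"' SHA_PLACEHOLDER homebrew)"
fi
```

The unsafe writer yields `"version":"1.0.0-"rc""`, which terminates the string early; the escaping writer yields `"version":"1.0.0-\"rc\""`. Because the Go utility downstream is the consumer, a cheap extra guard is to run the produced file through a JSON parser in the capture job itself so a malformed document fails where it is written rather than where it is read.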
robertolopezlopez changed the title "chore: add deployment monitoring scripts for metadata and shasum vali…" to "chore: add deployment monitoring scripts for metadata and shasum validation" on Jun 2, 2026
User description
This PR adds deployment monitoring scripts for metadata and shasum validation and moves the inline logic of deployment-monitor.yml to separate scripts. Both changes aim for readability and sustainability.

In detail:

- `.github/scripts/deployment-monitor/capture-linux-metadata.sh`: used by the `monitor_npm` and `monitor_snyk_images` jobs.
- `.github/scripts/deployment-monitor/capture-homebrew-metadata.sh`: used by the `monitor_homebrew` job.
- `.github/scripts/deployment-monitor/compare-snyk-versions.sh`: used by the `compare_versions` job.
- `.github/scripts/deployment-monitor/helpers/*`
- `.github/scripts/deployment-monitor/cmd/*`
- `.github/workflows/deployment-monitor.yml`

Pull Request Submission Checklist
are release-note ready, emphasizing what was changed, not how.
Deployment Tests > Run workflow > this branch
Successful test