[build] Add SHA2-SUMS to GHA logs #9582
Merged
In light of what happened with xz's tarballs, I think it would be good to provide a verifiable "chain of custody" from our git repo to our release assets (tarball, binaries).
Our GitHub Actions logs for the build workflow will have a section that looks like this now:
https://github.com/bashonly/yt-dlp/actions/runs/8497175700/job/23275527118
Users and downstream packagers can compare the sums in the log with those in the SHA256SUMS and SHA512SUMS release assets to verify that the release assets are indeed the product of our build workflow and have not been tampered with.
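As an added example (not code from this PR or from yt-dlp itself), here is how a packager could do the comparison described above: parse the `sha256sum`-style lines from the workflow log and from the SHA256SUMS asset, report every filename as match, mismatch or missing, and check a downloaded asset's bytes against the listed digest. The sample log excerpt, sums file and file contents are constructed for the example, not real yt-dlp digests.

```python
import hashlib
from pathlib import Path

def parse_sums(text):
    """Parse sha256sum/sha512sum-style lines ('<hexdigest>  <filename>') into {filename: digest}.
    Works for a SHA256SUMS/SHA512SUMS asset and for the same lines copied out of a GHA log."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        digest, _, name = line.partition(' ')
        sums[name.lstrip(' *')] = digest.lower()  # '*' marks binary mode in coreutils output
    return sums

def compare_sums(log_sums, asset_sums):
    """Per filename: 'match', 'mismatch', or 'missing' (listed on only one side)."""
    status = {}
    for name in set(log_sums) | set(asset_sums):
        if name not in log_sums or name not in asset_sums:
            status[name] = 'missing'
        else:
            status[name] = 'match' if log_sums[name] == asset_sums[name] else 'mismatch'
    return status

def verify_data(data, expected_hex, algorithm='sha256'):
    """True if data hashes to expected_hex under the given hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest() == expected_hex.strip().lower()

def verify_file(path, expected_hex, algorithm='sha256'):
    """Check a downloaded release asset against the digest taken from SHA256SUMS/SHA512SUMS."""
    return verify_data(Path(path).read_bytes(), expected_hex, algorithm)

# Constructed sample data (hypothetical, not real yt-dlp digests): the log and the
# SHA256SUMS asset agree on the tarball, disagree on the exe, and the asset lists an extra file.
TARBALL_BYTES = b'constructed tarball contents'
LOG_EXCERPT = (
    f'{hashlib.sha256(TARBALL_BYTES).hexdigest()}  yt-dlp.tar.gz\n'
    f'{"a" * 64}  yt-dlp.exe\n'
)
RELEASE_SHA256SUMS = (
    f'{hashlib.sha256(TARBALL_BYTES).hexdigest()}  yt-dlp.tar.gz\n'
    f'{"b" * 64}  yt-dlp.exe\n'
    f'{"c" * 64}  yt-dlp_linux\n'
)

if __name__ == '__main__':
    report = compare_sums(parse_sums(LOG_EXCERPT), parse_sums(RELEASE_SHA256SUMS))
    for name, result in sorted(report.items()):
        print(f'{result:9} {name}')
```

A 'mismatch' or 'missing' entry means the published asset does not correspond to what the build workflow produced and should not be trusted until explained.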