github / codeql-action

Actions for running CodeQL analysis
MIT License
1.09k stars 305 forks

are there checksums (for releases) ? #1880

Open ilia-shipitsin opened 9 months ago

ilia-shipitsin commented 9 months ago

Hello,

GitHub runner images team here. We are looking at securing supply chains when adding software to CI images.

Are there checksums available? Or maybe some recommended validation approach?

Thanks!

smowton commented 9 months ago

Could you give a bit more info on what you want to checksum? Is it the codeql-action itself? The CodeQL CLI? Both?

ilia-shipitsin commented 9 months ago

We download CodeQL bundles using https://github.com/actions/runner-images/blob/main/images/win/scripts/Installers/Install-CodeQLBundle.ps1

Files like "https://github.com/github/codeql-action/releases/download/$($Bundle.TagName)/codeql-bundle.tar.gz"

adityasharad commented 9 months ago

@ilia-shipitsin Since we have multiple artifacts (one artifact for each of the 3 major OSes, and one "universal" artifact), do you have a preference between the following options?

jsoref commented 4 months ago

The standard Unix model is one signature per file, since it enables `wget $url{,.sig}`.
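As an added illustration of the consumer side of the thread (it is not code from the codeql-action project or from the runner-images installer), the POSIX shell below verifies a downloaded release artifact against a publisher-provided `SHA256SUMS`-style file before it is installed. The file name `codeql-bundle.tar.gz` comes from the URL quoted above; the checksum-file layout (`<hex>  <name>`, as written by `sha256sum`) and the sample content used in the self-check are assumptions constructed for the example. The check fails closed: an artifact with no entry in the checksum file is rejected rather than skipped.

```shell
#!/bin/sh
# Added example, not part of the codeql-action repository: verify a downloaded
# release artifact against a published SHA-256 checksum before installing it.
set -eu

# Portable SHA-256 helper: Linux has sha256sum, macOS ships shasum instead.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE CHECKSUM_FILE
# CHECKSUM_FILE uses the "<hex>  <name>" format written by sha256sum (a
# leading "*" on the name, for binary mode, is also accepted) and may list
# several artifacts. Returns 0 only if an entry for FILE's basename exists
# and its digest matches; a missing entry is treated as a failure.
verify_artifact() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "ok: $name"
}

# Self-contained demonstration on constructed input (no network access):
# a fake bundle whose content is "hello\n" and a checksum file listing its
# digest. Returns 0 when the good file passes and both bad cases fail.
demo_self_check() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/codeql-bundle.tar.gz"
    # SHA-256 of "hello\n", i.e. what a publisher would list for this file.
    printf '%s  codeql-bundle.tar.gz\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        > "$tmp/SHA256SUMS"
    verify_artifact "$tmp/codeql-bundle.tar.gz" "$tmp/SHA256SUMS" || return 1
    # Tampered content: verification must now fail.
    printf 'hello!\n' > "$tmp/codeql-bundle.tar.gz"
    if verify_artifact "$tmp/codeql-bundle.tar.gz" "$tmp/SHA256SUMS" 2>/dev/null; then
        return 1
    fi
    # An artifact not listed in the checksum file must also fail.
    if verify_artifact "$tmp/other.tar.gz" "$tmp/SHA256SUMS" 2>/dev/null; then
        return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

In a real installer the checksum file (or the per-file `.sig` from the comment above) is fetched alongside the artifact, and the install step runs only after `verify_artifact` returns 0; a checksum only proves integrity relative to whatever published it, so the checksum or signature should come from a channel the installer already trusts rather than from the same unauthenticated download.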