ci: add sha256 checksums

[simonsan]

I want to create a scoop install manifest, but the version inside the zipped folder is pretty uncommon, the usual way is $app_name-$target_platform with the zip, can we please rename it?

It would be also lovely, if we could add SHA256 hashes to the release, do you want me to add that as well in this PR?

[simonsan]

Current scoop manifest

{
    "version": "0.11.3",
    "description": "A CLI task runner defined by a simple markdown file.",
    "homepage": "https://github.com/jacobdeichert/mask",
    "license": "MIT",
    "architecture": {
        "64bit": {
            "url": "https://github.com/jacobdeichert/mask/releases/download/v0.11.3/mask-v0.11.3-x86_64-pc-windows-msvc.zip",
            "hash": "0d849c344fdcb64b0047ce1faf95f8c6cb9b4d282f1a6c78e9f30132d9bace55"
        }
    },
    "extract_dir": "mask-x86_64-pc-windows-msvc",
    "bin": "mask.exe",
    "checkver": {
        "github": "https://github.com/jacobdeichert/mask"
    },
    "autoupdate": {
        "architecture": {
            "64bit": {
                "url": "https://github.com/jacobdeichert/mask/releases/download/v$version/mask-v$version-x86_64-pc-windows-msvc.zip"
            }
        },
        "hash": {
            "url": "$url.sha256"
        }
    }
}

[simonsan]

Afaic assets in the upload-artifact isn't really taking more than one asset glob, because I didn't want to change the whole thing (I'm in the online editor), I was doing it this way.

[jacobdeichert]

Hey, thanks for the PR. I don't have time to review right now, but will aim to catch up with this in a few weeks.

Regarding removing the version, I'm not sure yet, I'll have to consider it. Many other rust tools follow the same convention, including the version in the zip name. Here's another example https://github.com/sharkdp/fd/releases

[simonsan]

Hey, thanks for the PR. I don't have time to review right now, but will aim to catch up with this in a few weeks.

Regarding removing the version, I'm not sure yet, I'll have to consider it. Many other rust tools follow the same convention, including the version in the zip name. Here's another example https://github.com/sharkdp/fd/releases

Found a way to circumvent that with the version name in the zip folder so I removed the code and just let the sha checksum stuff inside. 👍🏽

[jacobdeichert]

Hey @simonsan, thanks for keeping this PR open with the checksums - this looks pretty good!

Before merging as is, I'm going to take a look at some other rust projects and see if it's common to upload checksums as a release asset or if it's more common to just add the checksums to the release notes/description area. If you happen to know of any other rust projects that do one or the other, let me know 👍

I'll get back to this within the next week hopefully. I plan on automating the mask release process this month and will be cutting a new release after that is done.

[simonsan]

add the checksums to the release notes/description area.

That would be pretty bad, as that would actively work against automating checking checksums when downloading. Where you could just download both, checksums and the zipped binaries and use the checksums from the file. You would rather need to parse the checksum from the text description area.

Unfortunately, fewer projects upload their checksums at all, so I can't really show examples in this very moment. I would recommend uploading them as an extra asset, though, as having them in the description would be a pretty bad idea going against automation.

[jacobdeichert]

That would be pretty bad, as that would actively work against automating checking checksums when downloading. Where you could just download both, checksums and the zipped binaries and use the checksums from the file. You would rather need to parse the checksum from the text description area.

Oh, okay this makes sense for automation purposes 👍