rhysd / actionlint

:octocat: Static checker for GitHub Actions workflow files
https://rhysd.github.io/actionlint/
MIT License

Please consider publishing a checksum for verifying precompiled binaries #449

Closed jakehamtexas closed 1 month ago

jakehamtexas commented 1 month ago

It would be wonderful if the releases page for the precompiled binaries also included a section with a hash for verifying the authenticity of the binary, in order to mitigate supply chain attacks.

See https://github.com/GoogleCloudPlatform/cloud-sql-proxy/releases/tag/v2.13.0 for an example

jakehamtexas commented 1 month ago

I looked through the .github/workflows directory to see if there's an automation for the release in GitHub, but I was unable to locate one. If there's a way to help with this change in the repository, I'd be happy to investigate the improvement myself.

rhysd commented 1 month ago

This repository uses GoReleaser and I guess GoReleaser has the capability to generate checksums.

rhysd commented 1 month ago

Checksums will be included from the next release. Here is an example of the checksums file:

0901bb50c250a070471faf77f79465ea52dcecbd300cb3df13866afe92d52765  actionlint_1.7.2_darwin_amd64.tar.gz
9f35247df5a07f5f05af97fab4b46f001392018cced74cdfcbf7ad31bd89547b  actionlint_1.7.2_darwin_arm64.tar.gz
4c6f1ef4f916e204b9a6314a3167fcabdfd1fd77430a0c6f036260ca1605c577  actionlint_1.7.2_freebsd_386.tar.gz
1926b75b370efb5864a5b52aaf9e011901bca77ff81991b711f2b39c628d0386  actionlint_1.7.2_freebsd_amd64.tar.gz
04113ca44b7b79af37bb7733600738825c5fd0593fb8259459fdacdeb7587971  actionlint_1.7.2_linux_386.tar.gz
a1c267f18a3795686221f26914bca8075edae76bb4680c468aedc9992b9e8e0d  actionlint_1.7.2_linux_amd64.tar.gz
8bed380c95f269382cb57b8d0f56a007669cc5f6eb9ed032bb57f5171214e775  actionlint_1.7.2_linux_arm64.tar.gz
5c6c69fe066184c86b40c8e62a9d00d379427cae4e805920270c420e430fdf2d  actionlint_1.7.2_linux_armv6.tar.gz
091b34d58a338ab60913842aa034d2bc532d008cbe57d1197c4d53e1f6799dbf  actionlint_1.7.2_windows_386.zip
afd7cdc2d772df844c72d95197c3f46eceb334eb63440f4ddb4aa580176cb336  actionlint_1.7.2_windows_amd64.zip
b9abde4c04df0b244fda3e23f2d803446e7791ef8e5164bc198374a77a1ba59f  actionlint_1.7.2_windows_arm64.zip
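The checksums file quoted above is consumed by hashing the downloaded archive and comparing against the line for its filename. As an added example (not code from the actionlint project or from the participants in this issue), here is a POSIX shell function that does exactly that, exercised on constructed data so it runs offline; the download URLs and the checksums asset name in the comments are assumptions about the GoReleaser defaults, so check the release page for the exact names.

```shell
# Added example, not code from the actionlint project or from this issue's
# participants: verify a downloaded release archive against a GoReleaser-style
# checksums file. Each line of that file has the layout quoted above:
#   <sha256 hex>  <filename>
#
# Real-world use (asset names assumed; confirm them on the release page), run
# from the directory holding both downloads:
#   curl -fsSLO https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_amd64.tar.gz
#   curl -fsSLO https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_checksums.txt
#   verify_checksum actionlint_1.7.3_checksums.txt actionlint_1.7.3_linux_amd64.tar.gz

# Portable SHA-256: GNU coreutils sha256sum, or shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum CHECKSUMS_FILE ARCHIVE
# Exit status: 0 if ARCHIVE's SHA-256 matches the entry for its basename,
# 1 on mismatch, 2 if the checksums file has no entry for that name.
verify_checksum() {
  checksums="$1"
  archive="$2"
  name=$(basename "$archive")
  # Match the filename column exactly, so linux_arm64 cannot satisfy linux_armv6
  # and a substring grep cannot be fooled by a crafted name.
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name expected $expected got $actual" >&2
  return 1
}

# demo: exercise all three outcomes on constructed data (no network access).
# Prints the three exit statuses separated by spaces, i.e. "0 1 2".
demo() {
  dir=$(mktemp -d)
  good="$dir/actionlint_1.7.2_linux_amd64.tar.gz"
  printf 'constructed stand-in for a release archive\n' > "$good"
  # Checksums file with a correct entry for the stand-in archive.
  printf '%s  %s\n' "$(sha256_of "$good")" "$(basename "$good")" > "$dir/checksums.txt"

  verify_checksum "$dir/checksums.txt" "$good" >/dev/null 2>&1 && r_ok=0 || r_ok=$?

  # Tampered copy: same name, one extra byte, so the hash no longer matches.
  mkdir "$dir/tampered"
  cp "$good" "$dir/tampered/"
  printf 'x' >> "$dir/tampered/$(basename "$good")"
  verify_checksum "$dir/checksums.txt" "$dir/tampered/$(basename "$good")" >/dev/null 2>&1 && r_bad=0 || r_bad=$?

  # An archive the checksums file does not list at all.
  cp "$good" "$dir/actionlint_1.7.2_linux_arm64.tar.gz"
  verify_checksum "$dir/checksums.txt" "$dir/actionlint_1.7.2_linux_arm64.tar.gz" >/dev/null 2>&1 && r_missing=0 || r_missing=$?

  rm -rf "$dir"
  echo "$r_ok $r_bad $r_missing"
}
```

One caveat worth keeping in mind: the checksums file is published alongside the binaries on the same release page, so it catches corruption in transit and a tampered mirror or proxy, but anyone who can replace the release assets can replace the checksums file too. For CI, pin the expected hash in your own workflow or verify a signature over the checksums file where the project publishes one.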

jakehamtexas commented 1 month ago

Thank you so much for your care and attention to this issue!

rhysd commented 1 month ago

Release for v1.7.3 includes the checksums: https://github.com/rhysd/actionlint/releases/tag/v1.7.3