tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License

Verify SHA256 checksum of downloaded file #63

Closed devurandom closed 1 year ago

devurandom commented 1 year ago

Verify the binary downloaded before unpacking or executing it, to enhance security. Opt-in by providing the sha256sum argument.

Signed-off-by: Dennis Schridde <dennis@metabase.com>

DentonGentry commented 1 year ago

We ask that commits include a developer certificate of origin (DCO), which means a Signed-off-by line indicating someone who asserts that the code in the commit is acceptable for the open source license. That can be added to an existing PR by using:

  1. git commit --amend --signoff
  2. git push -f

willnorris commented 1 year ago

(interesting... I've never resolved a merge conflict through the GitHub UI before. I'll squash all this down on final merge)

DentonGentry commented 1 year ago

I had missed that it fetches the sha256 from pkgs.tailscale.com if not specified explicitly; that was my last objection. We can get this in, tag v2, and publish the Changelog.
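
An added example, not code from this PR or from the action itself, of the verify-before-unpack check the PR description asks for, whichever way the expected digest was obtained (the sha256sum argument or a separately fetched checksum). The function names, return codes and the idea of a malformed fetched value are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: refuse to unpack a download unless its SHA-256 matches.
# sha256_of and verify_and_unpack are hypothetical names, not the action's.

# Print the lowercase hex SHA-256 of a file using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_unpack ARCHIVE EXPECTED_SHA256 DEST
# Returns 0 after extracting, 2 if EXPECTED is not a SHA-256 hex string,
# 3 on digest mismatch. Nothing is created or extracted unless it matches.
verify_and_unpack() {
  local archive="$1" dest="$3" expected actual
  # Normalise case and strip whitespace such as a trailing newline.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
  # Fail closed on an empty or malformed value (assumed failure mode: an
  # error page or empty body saved in place of a checksum).
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "expected digest is not 64 hex characters" >&2
    return 2
  fi
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch: expected $expected, got $actual" >&2
    return 3
  fi
  # Only now touch the archive contents.
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}
```

Pinning the digest in the workflow file protects against a changed download; a digest fetched from the same host as the binary mainly catches corruption in transit.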