fix: add SHA-256 checksum verification for binary downloads (S6) #10
Merged
Add checksum verification when downloading capiscio-core binary from GitHub Releases. Mirrors pattern from capiscio-node and capiscio-python.

- New src/checksum.ts module: fetchText, computeSHA256, verifyChecksum, parseChecksums (exported for testing)
- Stream-based SHA-256 hashing via fs.createReadStream (not readFileSync)
- On mismatch: delete file, throw with expected vs actual hash
- On checksums.txt unavailable: check CAPISCIO_REQUIRE_CHECKSUM env var
  - If true: delete and throw (fail-closed)
  - If false: core.warning() and continue (graceful degradation)
- chmod + rename only AFTER successful verification
- Updated CAPISCIO_VERSION from 2.4.0 to 2.6.0
- 7 new tests for checksum parsing, hashing, and edge cases
- Rebuilt dist/index.js (deployed artifact)

Board report finding: S6 (P1 - Supply chain gap in public GitHub Action)
Board Report Finding: S6
Severity: P1 - Supply chain gap in public-facing GitHub Action
Finding: The GitHub Action downloads capiscio-core binary from GitHub Releases with no SHA-256 verification.
Changes

Added checksum verification mirroring the pattern from capiscio-node (PR #40) and capiscio-python (PR #16).

New: src/checksum.ts
- fetchText() - HTTPS GET with redirect following
- computeSHA256() - Stream-based SHA-256 hashing
- verifyChecksum() - Full verification flow
- parseChecksums() - Checksum file parser (exported for testing)

Flow
- Binary downloaded via @actions/tool-cache
- checksums.txt fetched from the same GitHub Release
- If checksums.txt is unavailable: check the CAPISCIO_REQUIRE_CHECKSUM env var
- chmod + rename AFTER successful verification

Also
- CAPISCIO_VERSION bumped from 2.4.0 to 2.6.0
- dist/index.js rebuilt (deployed artifact)

Verification
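The verification flow the PR describes (parse checksums.txt, stream-hash the download, delete on mismatch, honour a fail-closed/fail-open switch, and only chmod + rename after success), written out as an added example. This is not the project's `src/checksum.ts`: the helper names `installBinary` and `runScenarios` are assumed, the `fetchText()` HTTPS step is left out and the checksums.txt contents are passed in as a string, the asset name and "binary" contents are constructed for the demo, and treating a checksums.txt that lacks the asset as a mismatch (rather than as "unavailable") is a design assumption noted in the code.

```typescript
import * as crypto from "crypto";
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Parse checksums.txt ("<64 hex chars>  <asset name>" per line) into asset name -> hex digest.
// Malformed lines are skipped rather than trusted; a leading "*" on the name (binary mode) is tolerated.
export function parseChecksums(text: string): Map<string, string> {
  const entries = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]{64})\s+\*?(\S.*)$/.exec(raw.trim());
    if (m) entries.set(m[2].trim(), m[1].toLowerCase());
  }
  return entries;
}

// Stream-based SHA-256: the binary is hashed chunk by chunk and never loaded whole into memory.
export function computeSHA256(filePath: string): Promise<string> {
  return new Promise((resolve, reject) => {
    const hash = crypto.createHash("sha256");
    fs.createReadStream(filePath)
      .on("data", (chunk) => hash.update(chunk))
      .on("error", reject)
      .on("end", () => resolve(hash.digest("hex")));
  });
}

// checksumsText === null models "checksums.txt could not be fetched";
// requireChecksum models the CAPISCIO_REQUIRE_CHECKSUM environment variable.
export async function verifyChecksum(
  filePath: string,
  assetName: string,
  checksumsText: string | null,
  requireChecksum: boolean,
): Promise<"verified" | "skipped"> {
  // Every failure path deletes the download first so an unverified binary never stays on disk.
  const fail = (msg: string): Error => {
    fs.rmSync(filePath, { force: true });
    return new Error(msg);
  };
  if (checksumsText === null) {
    if (requireChecksum) throw fail("checksums.txt unavailable and CAPISCIO_REQUIRE_CHECKSUM is set (fail-closed)");
    return "skipped"; // fail-open: a real action would emit core.warning() here and continue
  }
  const expected = parseChecksums(checksumsText).get(assetName);
  // Assumption: a checksums.txt that lacks our asset is treated like a mismatch, not like "unavailable".
  if (expected === undefined) throw fail(`no checksum entry for ${assetName} in checksums.txt`);
  const actual = await computeSHA256(filePath);
  if (actual !== expected) throw fail(`SHA-256 mismatch for ${assetName}: expected ${expected}, actual ${actual}`);
  return "verified";
}

// chmod + rename run only after verification succeeds, so nothing executable ever
// appears at the final path unless its hash matched (hypothetical helper name).
export async function installBinary(
  downloadedPath: string, finalPath: string, assetName: string,
  checksumsText: string | null, requireChecksum: boolean,
): Promise<"verified" | "skipped"> {
  const result = await verifyChecksum(downloadedPath, assetName, checksumsText, requireChecksum);
  fs.chmodSync(downloadedPath, 0o755);
  fs.renameSync(downloadedPath, finalPath);
  return result;
}

// Constructed scenario (hypothetical helper): a fake "binary" in a temp dir plus a checksums.txt
// for it, exercised through the happy path, a tampered digest, and both fail-open / fail-closed cases.
export async function runScenarios(): Promise<{
  good: string; installed: boolean; mismatchThrew: boolean; deleted: boolean;
  skipped: string; failClosedThrew: boolean;
}> {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "checksum-example-"));
  const asset = "capiscio-core-linux-amd64"; // constructed asset name
  const download = (): string => {
    const p = path.join(dir, `${asset}.download`);
    fs.writeFileSync(p, "constructed fake binary contents\n");
    return p;
  };
  const tmp = download();
  const goodSum = crypto.createHash("sha256").update(fs.readFileSync(tmp)).digest("hex");
  const checksums = `${goodSum}  ${asset}\n${"0".repeat(64)}  some-other-asset\n`;
  const finalPath = path.join(dir, asset);

  const good = await installBinary(tmp, finalPath, asset, checksums, true);
  const installed = fs.existsSync(finalPath) && !fs.existsSync(tmp);
  const bad = download();
  const tampered = checksums.replace(goodSum, "f".repeat(64)); // digest that cannot match
  const mismatchThrew = await verifyChecksum(bad, asset, tampered, true).then(() => false, () => true);
  const deleted = !fs.existsSync(bad);
  const skipped = await verifyChecksum(download(), asset, null, false);
  const failClosedThrew = await verifyChecksum(download(), asset, null, true).then(() => false, () => true);
  fs.rmSync(dir, { recursive: true, force: true });
  return { good, installed, mismatchThrew, deleted, skipped, failClosedThrew };
}

// Stand-alone run: print the scenario results.
void runScenarios().then((r) => console.log(r));
```

The ordering is the point: the download lands at a temporary path, the hash is checked there, and `chmod` + `rename` to the final path happen only on the success branch, so a mismatch or a fail-closed abort leaves nothing executable behind. The digest comparison uses plain `!==` because both values are public; constant-time comparison buys nothing here.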