fix: invalid checksum after signature; manually check signature before publishing (#674)

furkhat · Furkhat Kasymov Genii Uulu · web-flow · commit 94cda7486f43 · 2026-03-31T14:14:45.000+03:00
* upgrade actions; fixes incorrect checksum by older goreleaser

* publish only after verifying signature produced by goreleaser

* upgrade Go to 1.25.5

* rename jobs

---------

Co-authored-by: Furkhat Kasymov Genii Uulu &lt;furkhat@cast.ai&gt;
diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
@@ -18,34 +18,34 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      - name: Setup Go 1.24.0
-        uses: actions/setup-go@v4
+      - name: Setup Go
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24.0'
+          go-version: '1.25.5'
 
       - name: Cache Go modules
-        uses: actions/cache@v3
+        uses: actions/cache@v5
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-build-
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: '1.11.*'
           terraform_wrapper: false
 
       - name: Authenticate to GCP
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@v3
         with:
           credentials_json: ${{ secrets.GOOGLE_TF_ACCEPTANCE_TEST_CREDENTIALS }}
 
       - name: Get GKE credentials
-        uses: google-github-actions/get-gke-credentials@v2
+        uses: google-github-actions/get-gke-credentials@v3
         with:
           cluster_name: tf-core-acc-20230723
           location: us-central1-c
diff --git a/.github/workflows/doc.yaml b/.github/workflows/doc.yaml
@@ -9,10 +9,10 @@ jobs:
     name: Check if SDK is up to date
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
         with:
-          go-version: 1.23.6
-      - uses: actions/checkout@v4  # Updated to use Node.js 20
+          go-version: 1.25.5
+      - uses: actions/checkout@v6
       - name: Check SDK
         run: | 
           make generate-sdk
@@ -25,10 +25,10 @@ jobs:
     name: Check if documentation is up to date
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
         with:
-          go-version: 1.23.6
-      - uses: actions/checkout@v4  # Updated to use Node.js 20
+          go-version: 1.25.5
+      - uses: actions/checkout@v6
       - name: Check Documentation
         run: | 
           make generate-docs
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -22,20 +22,20 @@ jobs:
       E2E_GKE_WORKSPACE: ${{ secrets.GKE_WORKSPACE }}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
-          go-version: 1.23.6
+          go-version: 1.25.5
 
       - name: Cache Go modules
-        uses: actions/cache@v3
+        uses: actions/cache@v5
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-build-
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@v4
         with:
           cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
           cli_config_credentials_hostname: app.terraform.io
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
@@ -13,20 +13,20 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4  # Updated to use Node.js 20
+        uses: actions/checkout@v6
 
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v3  # Updated to use Node.js 20
+        uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: ${{ matrix.version }}
 
       - name: Print tf version
         run: terraform version
 
-      - name: Setup Go 1.24.0
-        uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24.0'
+          go-version: '1.25.5'
           cache: true
 
       - name: Build binary
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -9,7 +9,7 @@ jobs:
   fossa-scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
       - uses: fossas/fossa-action@v1
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
@@ -13,15 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      - name: Setup Go 1.24.0
-        uses: actions/setup-go@v4
+      - name: Setup Go
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24.0'
+          go-version: '1.25.5'
 
       - name: Cache Go modules
-        uses: actions/cache@v3
+        uses: actions/cache@v5
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-build-${{ hashFiles('**/go.sum') }}
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -8,11 +8,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v6
         with:
-          go-version: 1.23.6
-      - uses: actions/checkout@v3
+          go-version: 1.25.5
+      - uses: actions/checkout@v6
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v9
         with:
           args: --timeout=5m
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,28 +15,50 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Unshallow
         run: git fetch --prune --unshallow
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
-          go-version: 1.23.6
+          go-version: 1.25.5
 
       - name: Import GPG key
         id: import_gpg
-        uses: paultyng/ghaction-import-gpg@v2.1.0
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          PASSPHRASE: ${{ secrets.PASSPHRASE }}
+        uses: crazy-max/ghaction-import-gpg@v7
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           version: '~> v2'
-          args: release --clean --config=.github/.goreleaser.yml
+          args: release --clean --skip=publish --config=.github/.goreleaser.yml
         env:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify release artifacts
+        run: |
+          cd dist
+          checksums=$(ls *_SHA256SUMS)
+          signature=$(ls *_SHA256SUMS.sig)
+
+          # Verify GPG signature on the checksum file
+          # Goreleaser had bug so extra verifying as a safeguard (goreleaser#6508)
+          gpg --verify "$signature" "$checksums"
+
+          # Verify checksums match actual artifacts
+          sha256sum -c "$checksums"
+
+      - name: Publish release
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          version: '~> v2'
+          args: continue --config=.github/.goreleaser.yml
+          workdir: .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale-pr-check.yml b/.github/workflows/stale-pr-check.yml
@@ -12,7 +12,7 @@ jobs:
   stale-pr-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           stale-pr-message: 'This PR has been labeled as stale due to inactivity and will be closed in 7 days if no further activity occurs.'
           close-pr-message: 'This PR has been closed due to inactivity. Feel free to reopen if you are still working on it.'
diff --git a/.github/workflows/terraform-fmt.yml b/.github/workflows/terraform-fmt.yml
@@ -6,10 +6,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v4
 
       - name: Terraform format
         run: | 
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/castai/terraform-provider-castai
 
-go 1.24.0
+go 1.25.5
 
 require (
 	github.com/cenkalti/backoff/v4 v4.1.3
