Skip to content

Verify the archive integrity in install.ts#117

Open
tcely wants to merge 8 commits intodenoland:mainfrom
tcely:patch-1
Open

Verify the archive integrity in install.ts#117
tcely wants to merge 8 commits intodenoland:mainfrom
tcely:patch-1

Conversation

@tcely
Copy link

@tcely tcely commented Feb 16, 2026
edited
Loading

It would be great to have this action and denoland/deno_install#338 both verifying the digests.

After v2.6.9 is installed, using the script from denoland/deno#31804 (comment) should let us safely downgrade to older versions as well. 🎉

As an example, safely retrieving the LTS version:

# 1. Fetch latest LTS version string
deno_lts_version="$(deno eval '
  const r = await fetch("https://dl.deno.land/release-lts-latest.txt");
  if (!r.ok) throw new Error("Fetch failed");
  console.log((await r.text()).trim());
')"

# 2. Pull the digests for artifacts from the release
deno run \
  --allow-net=api.github.com,github.com,release-assets.githubusercontent.com \
  --allow-write=release_digests.sha256 \
  pull_digests.ts "${deno_lts_version}"

# 3. Extract the correct archive checksum
deno_lts_checksum="$(deno eval '
  const t = Deno.readTextFileSync("release_digests.sha256");
  const a = "(deno-" + Deno.build.target + ".zip)";
  const l = t.split("\n").find(i => i.includes(a));
  if (!l) throw new Error("No match");
  console.log(l.split(" = ").at(-1));
')"

# 4. Verify the archive and save its deno binary
deno upgrade \
  --output 'deno.lts' \
  --checksum="${deno_lts_checksum}" \
  "${deno_lts_version#v}"

Output from pull_digests.ts:

Fetching digests for: v2.5.7...
Requesting URL: https://api.github.com/repos/denoland/deno/releases/tags/v2.5.7
Processing v2.5.7 ([2026-001-27]: Tue Jan 27 2026)...
[CMD]: deno upgrade --checksum='aee262ae33dd3376ab83131caab2fcfb06a1916d74aa5323d6c5f2d1ac58c162' '2.5.7'
Successfully saved 22 digests for v2.5.7 to release_digests.sha256

Output from deno upgrade:

Current Deno version: v2.6.9
Downloading https://github.com/denoland/deno/releases/download/v2.5.7/deno-x86_64-unknown-linux-gnu.zip
Checksum verified
Deno is upgrading to version 2.5.7

Upgraded successfully to Deno v2.5.7 (stable)

Release notes:

  https://github.com/denoland/deno/releases/tag/v2.5.7

Blog post:

  https://deno.com/blog/v2.5

@tcely tcely force-pushed the patch-1 branch 9 times, most recently from 6e9cdbd to b6a5105 Compare February 17, 2026 03:19
@tcely tcely force-pushed the patch-1 branch 2 times, most recently from c5adbd9 to 6fa6cad Compare February 17, 2026 04:01
@tcely tcely marked this pull request as ready for review February 17, 2026 04:13
@tcely tcely requested a review from lucacasonato as a code owner February 17, 2026 04:13
@tcely tcely force-pushed the patch-1 branch 2 times, most recently from 65b0ef0 to 5e107c1 Compare February 18, 2026 08:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lucacasonato lucacasonato Awaiting requested review from lucacasonato lucacasonato is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tcely