Summary
Harden the shell-side install path in `action.yml` (Detect install method / Download release binary) for parity with the Go-side release downloader and to address review findings on PR #1954.
Background
PR #1954 (`--vendor`) merged recent `main` changes including #2053 (source-build fallback in `action.yml`). The vendor PR only changes the vendored-binary comment; the detect/download steps are shared infrastructure flagged by `fullsend-ai-review`:
- `GITHUB_OUTPUT` injection — When resolving `latest`, the release tag from the GitHub API is written to step outputs without `tr -d '[:space:]'` sanitization (unlike direct `inputs.version`). A tag containing newlines could corrupt `$GITHUB_OUTPUT`.
- No checksum on shell download — The "Download release binary" step fetches and extracts a tarball over HTTPS without verifying SHA256 against the release `checksums.txt`, unlike `internal/binary/download.go` (`DownloadRelease`).
Scope
- Sanitize the API-resolved `TAG` (and derived outputs) before writing to `$GITHUB_OUTPUT`; prefer heredoc-delimited output syntax where appropriate.
- After downloading the release tarball in the shell step, verify SHA256 against the published checksum file (same asset naming as Go path).
- Add tests or a documented manual verification checklist if automated testing of composite action shell is impractical.
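The two hardening items above, as an added example (not the project's `action.yml` or its Go downloader): a sanitizer that strips whitespace and allow-lists the tag, a heredoc-delimited writer for `$GITHUB_OUTPUT`, and a SHA256 check against a `checksums.txt` line. The asset name `tool_linux_amd64.tar.gz`, the `<sha256>  <asset>` line format and the tag character allow-list are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's action.yml: hardened helpers for the
# shell-side install path. Asset/checksum file names and the tag allow-list
# are assumptions; the constructed demo files stand in for real release assets.
set -eu

# Strip whitespace (as the direct inputs.version path does) and reject anything
# that is not a plain release tag, so an API-supplied value cannot smuggle
# newlines or "name=value" lines into $GITHUB_OUTPUT.
sanitize_tag() {
  local tag
  tag=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$tag" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid release tag: $tag" >&2; return 1 ;;
  esac
  printf '%s' "$tag"
}

# Write a step output with the heredoc-delimited syntax and a random delimiter,
# so the value itself can never terminate the record early. Reads $GITHUB_OUTPUT.
write_output() {
  local delim
  delim="ghadelim_$(od -An -tx1 -N8 /dev/urandom | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$GITHUB_OUTPUT"
}

# Verify a downloaded asset against its line in checksums.txt
# (format "<sha256>  <asset name>", the sha256sum convention). Fails closed
# when the asset has no entry at all, not only on a mismatch.
verify_checksum() {
  local asset="$1" sums="$2" expected actual
  expected=$(awk -v n="$(basename "$asset")" '$2 == n { print $1; exit }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $(basename "$asset")" >&2; return 1; }
  actual=$(sha256sum "$asset" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $asset" >&2; return 1; }
}

# Offline demo with constructed files standing in for the release assets.
demo() {
  local dir; dir=$(mktemp -d)
  printf 'constructed tarball contents\n' > "$dir/tool_linux_amd64.tar.gz"
  (cd "$dir" && sha256sum tool_linux_amd64.tar.gz > checksums.txt)
  verify_checksum "$dir/tool_linux_amd64.tar.gz" "$dir/checksums.txt" && echo "checksum ok"
  GITHUB_OUTPUT="$dir/out"
  write_output tag "$(sanitize_tag "$(printf 'v1.2.3\n  ')")"
  cat "$dir/out"
  rm -rf "$dir"
}
demo
```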
Non-goals
- … `--vendor` install paths).
Tracking
- … (52dc9d26, 893d1af9).