
action.yml: harden release download path (output sanitization + checksum) #2152

Description

@ifireball

Summary

Harden the shell-side install path in action.yml (Detect install method / Download release binary) for parity with the Go-side release downloader and to address review findings on PR #1954.

Background

PR #1954 (--vendor) merged recent main changes including #2053 (source-build fallback in action.yml). The vendor PR only changes the vendored-binary comment; the detect/download steps are shared infrastructure flagged by fullsend-ai-review:

  1. GITHUB_OUTPUT injection — When resolving latest, the release tag from the GitHub API is written to step outputs without tr -d '[:space:]' sanitization (unlike direct inputs.version). A tag containing newlines could corrupt $GITHUB_OUTPUT.
  2. No checksum on shell download — The "Download release binary" step fetches and extracts a tarball over HTTPS without verifying SHA256 against release checksums.txt, unlike internal/binary/download.go (DownloadRelease).

Scope

  • Sanitize API-resolved TAG (and derived outputs) before writing to $GITHUB_OUTPUT; prefer heredoc-delimited output syntax where appropriate.
  • After downloading the release tarball in the shell step, verify SHA256 against the published checksum file (same asset naming as Go path).
  • Add tests or a documented manual verification checklist if automated testing of composite action shell is impractical.
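As an added illustration of the two scope items above (this is example code written for this page, not the project's action.yml, not code from PR #1954, and not the Go-side DownloadRelease), the script below runs the hardened path end to end: it strips whitespace from an API-resolved tag and rejects anything that does not look like a tag, writes step outputs with the heredoc-delimited `name<<DELIM` form using a random delimiter, and refuses to extract a tarball whose SHA256 does not match the entry in `checksums.txt`. The binary name `mycli`, the asset naming pattern, the character allowlist in `sanitize_tag`, and the local "release" directory that stands in for the GitHub API and the HTTPS download are all constructed assumptions so the example runs offline.

```shell
#!/bin/sh
# Added example (not the project's action.yml): hardened helpers for the
# "resolve tag -> write step output -> download -> verify -> extract" path.
set -eu

# sanitize_tag: strip all whitespace (including newlines) from an API-resolved
# tag, then reject anything outside a conservative allowlist (assumption: real
# release tags only use letters, digits, '.', '_' and '-'). Prints the tag.
sanitize_tag() {
    cleaned=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$cleaned" in
        ''|*[!A-Za-z0-9._-]*) echo "rejected tag: $1" >&2; return 1 ;;
    esac
    printf '%s' "$cleaned"
}

# write_output: append NAME to $GITHUB_OUTPUT using the heredoc-delimited form
# with a random delimiter, so a value that still contained a newline could not
# smuggle in a second key=value line.
write_output() {
    delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    {
        printf '%s<<%s\n' "$1" "$delim"
        printf '%s\n' "$2"
        printf '%s\n' "$delim"
    } >> "$GITHUB_OUTPUT"
}

# sha256_of: hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum: look the asset up in a sha256sum-style checksums file
# ("<hex>  <filename>") and compare with the downloaded file's digest.
verify_checksum() {
    asset_name=$(basename "$1")
    expected=$(awk -v f="$asset_name" '$2 == f { print $1; exit }' "$2")
    [ -n "$expected" ] || { echo "no checksum entry for $asset_name" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $asset_name" >&2; return 1; }
}

# demo: simulate one run. Prints the work directory so a caller can inspect
# the generated GITHUB_OUTPUT file. All inputs are constructed locally.
demo() {
    work=$(mktemp -d)
    GITHUB_OUTPUT="$work/github_output"; export GITHUB_OUTPUT
    : > "$GITHUB_OUTPUT"

    # Constructed API response: tag_name carries a trailing newline.
    api_tag=$(printf 'v1.4.2\n'; printf x); api_tag=${api_tag%x}
    tag=$(sanitize_tag "$api_tag")
    asset="mycli_${tag#v}_linux_amd64.tar.gz"   # hypothetical asset naming
    write_output tag "$tag"
    write_output asset "$asset"

    # Constructed release: tarball plus its checksums.txt, in place of the real
    # GitHub release assets.
    rel="$work/release"; mkdir -p "$rel/bin"
    printf '#!/bin/sh\necho hello\n' > "$rel/bin/mycli"
    tar -C "$rel" -czf "$rel/$asset" bin
    ( cd "$rel" && printf '%s  %s\n' "$(sha256_of "$asset")" "$asset" > checksums.txt )

    # "Download": copy into the runner workspace, verify, only then extract.
    dl="$work/dl"; mkdir -p "$dl"
    cp "$rel/$asset" "$rel/checksums.txt" "$dl/"
    verify_checksum "$dl/$asset" "$dl/checksums.txt"
    tar -C "$dl" -xzf "$dl/$asset"

    # A tampered archive must be rejected before extraction.
    printf 'x' >> "$dl/$asset"
    if verify_checksum "$dl/$asset" "$dl/checksums.txt" 2>/dev/null; then
        echo "tampered archive accepted" >&2; return 1
    fi
    echo "$work"
}

out=$(demo)
echo "ok: verified download; step outputs written to $out/github_output"
```

Run it as a plain script; it exits non-zero if the sanitized tag is rejected, if the checksum entry is missing or mismatched, or if the deliberately corrupted tarball slips through. In a real composite step, `api_tag` would come from the releases API response and the `cp` would be the `curl` download, with `verify_checksum` placed between the download and the `tar -x`.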

Non-goals

Tracking

Metadata

Assignees: no one assigned

Labels:
  • component/ci (CI pipelines and checks)
  • component/install (CLI install and app setup)
  • priority/medium (Normal priority, plan for next cycle)
  • triaged (Triaged but awaiting human prioritization)
  • type/chore (Maintenance and housekeeping tasks)

Type: none

Projects status: Todo

Milestone: none

Relationships: none yet

Development: no branches or pull requests