chore(release): verify SHA512 against actual archive

[kcenon]

What

Add SHA512 verify-against-archive step to the release workflow(s) of kcenon/thread_system so that an archive's actual SHA is verified against sha512sum of the GitHub release archive before the new value is committed to the vcpkg overlay registry.

Part of #674 (kcenon/common_system).

Why

kcenon/thread_system's release automation writes SHA512 to the vcpkg overlay portfile without verifying against the actual archive at https://github.com/kcenon/thread_system/archive/refs/tags/v<version>.tar.gz. Audit (kcenon/vcpkg-registry#87) confirmed the port had the same class of mismatch as the other 7 systems. Without verification, cold-cache consumers (new CI runners, new users) hit 100% install failure when the SHA in vcpkg-registry/ports/kcenon-thread-system/portfile.cmake does not match the actual archive.

Where

Item	Value
Repository	kcenon/thread_system
Release workflow file	.github/workflows/release.yml (or release-*.yml family — audit and identify)
Step location	After SHA computation, BEFORE committing portfile change
Sync workflow (if separate)	sync-vcpkg-registry.yml, on-release-sync-registry.yml (audit)

How

Implementation

Insert the verification step into the release workflow:

# Verify computed SHA against the actual GitHub archive
TAG="$1"           # e.g., v0.2.0
REPO="kcenon/thread_system"
NEW_SHA="$2"       # value the workflow is about to write to portfile.cmake

ARCHIVE_URL="https://github.com/$thread_system/archive/refs/tags/${TAG}.tar.gz"
ACTUAL_SHA=$(curl -fsSL "$ARCHIVE_URL" | sha512sum | awk '{print $1}')

if [ "$NEW_SHA" != "$ACTUAL_SHA" ]; then
    echo "ERROR: SHA mismatch — workflow computed $NEW_SHA, archive has $ACTUAL_SHA" >&2
    exit 1
fi

Acceptance criteria

• Audit identifies all release workflow files in this repo that compute and write SHA512
• Each such workflow includes a "verify SHA against actual archive" step that runs AFTER computing the SHA and BEFORE committing the portfile change
• A deliberate-mismatch test (e.g., bumping the SHA by one character in a feature branch) demonstrates the workflow fails fast with a clear error
• If the repo has multiple release-related workflows (release, sync-vcpkg-registry, on-release-sync-registry), each is hardened or routed through a shared composite action / reusable workflow

References

• Parent EPIC: [EPIC] Harden release SHA512 automation across all 8 kcenon systems common_system#674
• Bash snippet origin: Tag and publish v1.0.0 release #674 body
• First finding: chore(vcpkg): submit kcenon-common-system to microsoft/vcpkg official registry common_system#653 ([kcenon-common-system] new port microsoft/vcpkg#51511)
• Cross-port audit: fix(port): kcenon-common-system portfile SHA512 mismatch (silent until cache miss) vcpkg-registry#87

[kcenon]

Implementation Update

Field	Value
PR	#692 (merged)
Branch	chore/issue-691-verify-sha512-against-actual-archive (deleted)
Status	Done

Summary

Added a pre-flight verify-archive job to .github/workflows/on-release-sync-registry.yml that independently re-downloads the release tarball from https://github.com/kcenon/thread_system/archive/refs/tags/<tag>.tar.gz and computes SHA512 before the existing sync job delegates to kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml@main. The sync job now declares needs: verify-archive, so any fetch failure or empty digest short-circuits the run before any portfile commit reaches kcenon/vcpkg-registry.

Audit Result

grep -l -E "sha512|SHA512|sha512sum" .github/workflows/* returned zero matches in this repo; on-release-sync-registry.yml is the only release-coupled workflow and is a thin caller of the reusable workflow in common_system. Hardening the single delegating workflow inline (no composite action extraction) is sufficient and matches the validated reference pattern.

Pattern

Mirrors kcenon/common_system#676 (merged with full CI green). File-based hashing is mandatory: piping curl ... | sha512sum masks fetch failures because SHA512 of empty input is the fixed constant cf83e1357eefb8bdf.... The new step uses curl -fsSL --retry 3 -o $(mktemp) then sha512sum on the resulting file, with explicit empty-digest defense.

Acceptance Criteria

• Audit identifies all release workflow files in this repo that compute and write SHA512 (only on-release-sync-registry.yml participates; SHA computation itself lives in the reusable upstream)
• The release-coupled workflow includes a verify-archive job that runs BEFORE the sync delegation; sync declares needs: verify-archive
• Failure modes covered: bad URL (curl exits non-zero, fail-fast with annotation), empty digest (defensive check), sync gating (needs: prevents portfile commit on pre-flight failure)
• Single inline job in the single relevant workflow — no composite action needed

Part of EPIC #674.