Skip to content

Add checksum verification input#16

Open
illera88 wants to merge 1 commit into
go-task:mainfrom
illera88:alberto/add-checksum-input
Open

Add checksum verification input#16
illera88 wants to merge 1 commit into
go-task:mainfrom
illera88:alberto/add-checksum-input

Conversation

@illera88

@illera88 illera88 commented Jul 8, 2026

Copy link
Copy Markdown

Summary

Supply chain attacks are lately one of the most practical ways to compromise CI: an action can be pinned, but the binary it downloads at runtime can still change upstream. Adding a checksum input lets users pin both the action code and the downloaded release asset, so workflows fail closed if that binary is replaced, corrupted, or unexpectedly modified.

  • add an optional checksum input
  • verify the downloaded Task archive before extracting and caching it
  • update the bundled action and README

Why

This action downloads a release archive during CI. Pinning the action SHA fixes the action code, but it does not pin the release asset that gets fetched later. A checksum input gives security-sensitive workflows a simple way to make that binary download fail closed if the asset changes unexpectedly.

Testing

  • npm_config_engine_strict=false task ts:build
  • npm_config_engine_strict=false task ts:test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant