Hash-pinning release-plz archives

[konstin]

release-plz sits at a sensitive location: It has access to out publish pipeline, and it has write access to the archives before upload. To harden our release pipelines, we hash-pin all github actions and their binaries to ensure the integrity of tooling releases. The release-plz/action supports pinning the version of release-plz, but doesn't seem to have a way of pinning the archive hashes of the binary.

Would it be possible to add hashes, either by storing them in the repo (with the default version update) or by allowing the user to set a hash?

[marcoieni]

so you mean to add a step where we verified that we downloaded the binary? Yes, that would be cool. PR welcome, I think it makes sense to have the hash in the action itself. However, hashes should be automatically updated in this repo. Manually doing it would be too much.

So either use renovate or edit https://github.com/release-plz/action/tree/main/updater 👍