Checksum verification

[jdolitsky]

Does it make sense to validate the checksum of release tarballs prior to unpacking?

Maybe as an optional input param?

[imjasonh]

Is that something I can get from GitHub? I'd rather not have to maintain a mapping of version->sha myself.

That means a compromised GitHub can lie to us about the artifact and it's sha, but then they could also lie to users about what this action is configured to do, so 🤷‍♂️

[jdolitsky]

It's be something as a user I could provide (optionally):

- uses: imjasonh/[email protected]
  with:
    version: v0.6.0
    checksum: b71c7ca16abff07787516efbe0c06c129d273f34490d6a85f815cec980fffe85

Happy to PR this

[imjasonh]

I guess my question is, what kind of attack/error are you trying to guard against? Malicious/compromised crane maintainers pushing a new crane binary in a release?

[jdolitsky]

Yes.

But I suppose if they get you, they can get this action too 😭

[imjasonh]

Yeah, more or less.

I'm not opposed to adding it, I just don't think I'd use it myself. And it'd only be useful for version-pinned releases, not latest-release (the default) or tip.