Skip to content

Comments

feat: add SHA256 hash verification for the installer script#189

Merged
art049 merged 1 commit intomainfrom
cod-2243-hash-pin-the-runner-in-the-action
Feb 17, 2026
Merged

feat: add SHA256 hash verification for the installer script#189
art049 merged 1 commit intomainfrom
cod-2243-hash-pin-the-runner-in-the-action

Conversation

@art049
Copy link
Member

@art049 art049 commented Feb 17, 2026
edited
Loading

Verify the installer script's SHA256 hash against pinned values before
execution, closing a supply chain gap. The expected hashes are stored in
.codspeed-runner-installer-hashes.json (sourced from GitHub API digests).

Changes

Hash verification (action.yml)

  • For pinned release versions: download to temp file, verify hash, fail on mismatch or missing hash
  • For latest/branch:/rev:: warn that hash verification is not available
  • Add skip-hash-check-warning input to suppress the warning when hash verification is not available

Hash pinning (.codspeed-runner-installer-hashes.json)

  • Add SHA256 hashes for all released runner versions (3.6.0 through 4.10.6)

Bump runner version workflow (.github/workflows/bump-runner-version.yml)

  • Fetch and store the installer hash from GitHub API when bumping versions

CI (.github/workflows/ci.yml)

  • Add check-installer-hashes job that runs scripts/check-hashes.sh to verify all pinned hashes against GitHub releases
  • Add test-recent-pinned-runner-versions job that tests the last 5 pinned versions through the action

Scripts (scripts/check-hashes.sh)

  • Add a script to manually verify all pinned installer hashes by downloading each installer and checking its SHA256

Ref: COD-2243

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 17, 2026
View reviewed changes
@art049 art049 force-pushed the cod-2243-hash-pin-the-runner-in-the-action branch 5 times, most recently from 4629214 to b545690 Compare February 17, 2026 10:13
@art049
feat: add SHA256 hash verification for the installer script
2a2dd91 
Verify the installer script's SHA256 hash against pinned values before
execution, closing a supply chain gap. The expected hashes are stored in
.codspeed-runner-installer-hashes.json (sourced from GitHub API digests).

- For pinned release versions: download to temp file, verify hash, fail on
  mismatch or missing hash
- For latest/branch/rev: warn that hash verification is not available
- Add `skip-hash-check` input to bypass verification if needed
- Update bump-runner-version workflow to fetch and store the hash

Ref: COD-2243
@art049 art049 force-pushed the cod-2243-hash-pin-the-runner-in-the-action branch from b545690 to 2a2dd91 Compare February 17, 2026 10:21
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 17, 2026
View reviewed changes
@art049 art049 requested a review from adriencaccia February 17, 2026 10:23
@art049 art049 merged commit 2f0adbd into main Feb 17, 2026
30 checks passed
@art049 art049 deleted the cod-2243-hash-pin-the-runner-in-the-action branch February 17, 2026 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adriencaccia adriencaccia adriencaccia approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@art049 @adriencaccia