
feat: add SHA256 hash verification for the installer script #189

Merged: art049 merged 1 commit into main from cod-2243-hash-pin-the-runner-in-the-action on Feb 17, 2026

Conversation

@art049 (Member) commented Feb 17, 2026

Verify the installer script's SHA256 hash against pinned values before
execution, closing a supply chain gap. The expected hashes are stored in
.codspeed-runner-installer-hashes.json (sourced from GitHub API digests).

Changes

Hash verification (action.yml)

  • For pinned release versions: download to temp file, verify hash, fail on mismatch or missing hash
  • For latest, branch: and rev: versions: warn that hash verification is not available
  • Add skip-hash-check-warning input to suppress the warning when hash verification is not available

Hash pinning (.codspeed-runner-installer-hashes.json)

  • Add SHA256 hashes for all released runner versions (3.6.0 through 4.10.6)

Bump runner version workflow (.github/workflows/bump-runner-version.yml)

  • Fetch and store the installer hash from GitHub API when bumping versions

CI (.github/workflows/ci.yml)

  • Add check-installer-hashes job that runs scripts/check-hashes.sh to verify all pinned hashes against GitHub releases
  • Add test-recent-pinned-runner-versions job that tests the last 5 pinned versions through the action

Scripts (scripts/check-hashes.sh)

  • Add a script to manually verify all pinned installer hashes by downloading each installer and checking its SHA256

Ref: COD-2243
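The verification flow described above (download to a temp file, look up the pinned SHA256, fail on mismatch or on a missing entry, warn for latest/branch:/rev:), written out as an added shell example. This is not the PR's action.yml or scripts/check-hashes.sh; it assumes the pinned-hash file is a flat JSON map of version to hex digest (the real layout of .codspeed-runner-installer-hashes.json is not shown here) and that the installer has already been fetched to a local path. The `::warning::` and `::error::` lines are standard GitHub Actions workflow commands; all fixture data is constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not CodSpeed's action.yml or scripts/check-hashes.sh.
# Assumptions: the pinned-hash file is a flat JSON map {"<version>": "<sha256>"}
# (the real .codspeed-runner-installer-hashes.json layout is not shown on the
# page), and the installer has already been downloaded to a temp file.
set -eu

# Hex SHA256 of a file, portable across sha256sum (GNU), shasum (macOS) and openssl.
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# Print the pinned hash for a version from the JSON map, or nothing if the
# version has no entry. Dots in the version are escaped so "4.10.6" cannot
# match "4x10x6"; the 64-hex-digit constraint rejects malformed entries.
pinned_hash() {
  local hashes_file=$1 version=$2 esc
  esc=$(printf '%s' "$version" | sed 's/\./\\./g')
  tr -d '\n' < "$hashes_file" \
    | sed -n "s/.*\"$esc\" *: *\"\([0-9a-fA-F]\{64\}\)\".*/\1/p"
}

# Classify a downloaded installer: ok | mismatch | missing-hash | unpinned.
# Only pinned release versions can be verified; latest/branch:/rev: cannot.
installer_hash_status() {
  local version=$1 installer=$2 hashes_file=$3 expected actual
  case "$version" in
    latest|branch:*|rev:*) echo unpinned; return 0 ;;
  esac
  expected=$(pinned_hash "$hashes_file" "$version" | tr 'A-F' 'a-f')
  if [ -z "$expected" ]; then
    echo missing-hash; return 0
  fi
  actual=$(sha256_file "$installer")
  if [ "$actual" = "$expected" ]; then echo ok; else echo mismatch; fi
}

# Gate in the style of the action: execute only a verified installer, fail on
# mismatch or missing hash, and warn (unless suppressed) for unpinned refs.
# ::warning:: / ::error:: are GitHub Actions workflow commands.
run_installer_checked() {
  local version=$1 installer=$2 hashes_file=$3 skip_warning=${4:-false} status
  status=$(installer_hash_status "$version" "$installer" "$hashes_file")
  case "$status" in
    ok) bash "$installer" ;;
    unpinned)
      [ "$skip_warning" = true ] || echo "::warning::hash verification not available for '$version'" >&2
      bash "$installer" ;;
    *)
      echo "::error::installer hash check failed for '$version' ($status)" >&2
      return 1 ;;
  esac
}

# Constructed fixtures (not real CodSpeed artifacts): a harmless fake installer
# and a hash file pinning 4.10.6 correctly and 4.10.5 to a wrong value.
make_fixtures() {
  WORK_DIR=$(mktemp -d)
  FAKE_INSTALLER="$WORK_DIR/installer.sh"
  HASHES_FILE="$WORK_DIR/installer-hashes.json"
  printf '#!/bin/sh\necho "fake installer ran"\n' > "$FAKE_INSTALLER"
  local good
  good=$(sha256_file "$FAKE_INSTALLER")
  cat > "$HASHES_FILE" <<EOF
{
  "4.10.5": "0000000000000000000000000000000000000000000000000000000000000000",
  "4.10.6": "$good"
}
EOF
}

make_fixtures
trap 'rm -rf "$WORK_DIR"' EXIT
for v in 4.10.6 4.10.5 4.10.4 latest branch:main rev:abc123; do
  printf '%-12s %s\n' "$v" "$(installer_hash_status "$v" "$FAKE_INSTALLER" "$HASHES_FILE")"
done
run_installer_checked 4.10.6 "$FAKE_INSTALLER" "$HASHES_FILE"
run_installer_checked 4.10.5 "$FAKE_INSTALLER" "$HASHES_FILE" || echo "blocked (exit $?)"
```

The important property is that a missing entry is treated the same as a mismatch: a version that is pinned in the action but absent from the hash file must fail closed, otherwise adding a new release without updating the hash file would silently skip verification. The warning path only applies to refs that cannot have a stable digest at all.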

@art049 art049 force-pushed the cod-2243-hash-pin-the-runner-in-the-action branch 5 times, most recently from 4629214 to b545690 on February 17, 2026 10:13
Verify the installer script's SHA256 hash against pinned values before
execution, closing a supply chain gap. The expected hashes are stored in
.codspeed-runner-installer-hashes.json (sourced from GitHub API digests).

- For pinned release versions: download to temp file, verify hash, fail on
  mismatch or missing hash
- For latest/branch/rev: warn that hash verification is not available
- Add `skip-hash-check` input to bypass verification if needed
- Update bump-runner-version workflow to fetch and store the hash

Ref: COD-2243
@art049 art049 force-pushed the cod-2243-hash-pin-the-runner-in-the-action branch from b545690 to 2a2dd91 on February 17, 2026 10:21
@art049 art049 requested a review from adriencaccia February 17, 2026 10:23
@art049 art049 merged commit 2f0adbd into main Feb 17, 2026
30 checks passed
@art049 art049 deleted the cod-2243-hash-pin-the-runner-in-the-action branch February 17, 2026 10:52