fe915da to 1787701
Pull request overview
This PR tightens driver download integrity by requiring and enforcing SHA-256 checksum validation when a custom --driver-download-url is provided, and prevents publishing to the Prime Prod registry for RC tags.
Changes:
- Fail fast in `entrypoint.sh` when `--driver-download-url` is used without a corresponding `--driver-hash`.
- Make `download_driver.sh` treat download failures as fatal and always validate the downloaded driver against the provided SHA-256 hash.
- Gate the “Prime Prod Registry” publish step in the release workflow to skip `*-rc*` tags.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package/entrypoint.sh | Requires a driver hash whenever a custom driver URL is provided. |
| package/download_driver.sh | Makes curl failures fatal and enforces checksum validation via sha256sum -c. |
| .github/workflows/release.yaml | Skips Prime Prod publishing for RC-tagged releases. |
package/download_driver.sh
Outdated
| if ! echo "$2 $driver_file" | sha256sum -c -; then | ||
| echo "downloaded file $driver_file failed sha256 checksum" | ||
| exit 1 |
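Review bot: The failure message on the `echo "downloaded file $driver_file failed sha256 checksum"` line is written to stdout, so it is mixed into or lost with any captured output; send it to stderr with `>&2` before the `exit 1`. It would also help to check that `$2` is non-empty before the `sha256sum -c -` line, so that a missing hash is reported as a usage error rather than as a checksum failure.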
The checksum verification builds the sha256sum -c input using echo "$2 $driver_file". echo is not portable (may interpret -n/escapes) and this also breaks if driver_file expands to multiple matches or contains whitespace/newlines. Prefer using printf to format a single checksum line, and consider ensuring exactly one downloaded file is selected before running sha256sum -c (e.g., fail if multiple files match the prefix).
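One way to apply the checks this review comment suggests (a single `printf`-built checksum line, and exactly one selected file), as an added example that is not code from the pull request; the function names and the `driver-` file prefix are assumptions:

```shell
#!/bin/sh
# Added example; function and file names are hypothetical, not the PR's code.

# Print the one regular file in directory $1 whose name starts with $2.
# Fails unless exactly one file matches, so a glob can never pass several
# names (or none) to the checksum step.
select_single_file() {
    count=0 match=
    for f in "$1"/"$2"*; do
        [ -f "$f" ] || continue
        count=$((count + 1)) match=$f
    done
    [ "$count" -eq 1 ] && printf '%s\n' "$match"
}

# Return 0 only if file $2 hashes to the SHA-256 hex digest $1.
# 2 = malformed digest or unsafe file name, 1 = mismatch or unreadable file.
verify_sha256() {
    hash=$1 file=$2
    # Exactly 64 lowercase hex digits, as sha256sum prints them.
    [ "${#hash}" -eq 64 ] || return 2
    case $hash in *[!0-9a-f]*) return 2 ;; esac
    # A checksum line cannot carry a raw newline or backslash in the name.
    case $file in *'
'*|*\\*) return 2 ;; esac
    # printf emits one well-formed line: digest, two spaces, file name.
    printf '%s  %s\n' "$hash" "$file" | sha256sum -c - >/dev/null 2>&1
}

# Demo on constructed data: the file holds "abc", whose SHA-256 is well known.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/driver-demo.run"
abc_hash=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
if driver=$(select_single_file "$demo_dir" driver-) &&
   verify_sha256 "$abc_hash" "$driver"; then
    printf 'checksum ok: %s\n' "$driver"
else
    printf 'downloaded file failed sha256 checksum\n' >&2
fi
rm -rf "$demo_dir"
```

The functions use plain shell variables, so a caller should not reuse the names `count`, `match`, `f`, `hash` or `file`.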
1787701 to edef886
No description provided.