1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# cargo-dist checksums the release ARCHIVES (each tarball gets a .sha256, all go in sha256.sum) but
# NOT its own shell installer — so `confer-cli-installer.sh`, the artifact users pipe into a shell,
# is the one thing they can't verify. Backwards from a threat POV. This closes the gap: after the
# Release workflow completes, checksum the installer, publish a `confer-cli-installer.sh.sha256`
# companion (matching the tarballs), and append the installer line to `sha256.sum`.
name: checksum installer
on:
# Auto-fire after "Release" finishes. We CAN'T use `release: [published]`: the Release workflow
# creates the GitHub release with the default GITHUB_TOKEN, and GitHub deliberately does NOT let
# GITHUB_TOKEN-created events trigger downstream workflows (anti-recursion) — so `release: published`
# never started this job, forcing a manual `gh workflow run` every release. `workflow_run` fires
# regardless of what triggered the upstream run, closing that gap. `workflow_dispatch` stays as a
# manual fallback/backfill. (workflow_run uses this file from the DEFAULT branch, so it only takes
# effect once merged to main.)
workflow_run:
workflows:
types:
workflow_dispatch:
inputs:
tag:
description: "release tag to backfill (e.g. v0.6.3)"
required: true
permissions:
contents: write
jobs:
add-installer-checksum:
# Manual backfill always runs; the auto path runs only if the Release workflow SUCCEEDED (a failed
# or cancelled Release must not produce a checksum for a release that didn't publish).
if: >-
github.event_name == 'workflow_dispatch' ||
github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
steps:
- name: Checksum the installer, attach companion + append to sha256.sum
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# workflow_dispatch → the input tag; workflow_run (tag push) → the tag in head_branch.
TAG: ${{ github.event.inputs.tag || github.event.workflow_run.head_branch }}
run: |
set -euo pipefail
gh release download "$TAG" --repo "$GITHUB_REPOSITORY" \
--pattern 'confer-cli-installer.sh' --pattern 'sha256.sum' --dir dl --clobber
cd dl
if [ ! -f confer-cli-installer.sh ]; then
echo "::notice::no installer in $TAG (shell installer not built) — nothing to do."
exit 0
fi
sum="$(sha256sum confer-cli-installer.sh | awk '{print $1}')"
printf '%s confer-cli-installer.sh\n' "$sum" > confer-cli-installer.sh.sha256
# append to the combined sums file (idempotent — skip if already present)
if [ -f sha256.sum ] && ! grep -q 'confer-cli-installer.sh' sha256.sum; then
printf '%s *confer-cli-installer.sh\n' "$sum" >> sha256.sum
gh release upload "$TAG" sha256.sum --repo "$GITHUB_REPOSITORY" --clobber
fi
gh release upload "$TAG" confer-cli-installer.sh.sha256 --repo "$GITHUB_REPOSITORY" --clobber
echo "installer sha256: $sum"