diff --git a/action.yml b/action.yml
index 092744e..c655a6d 100644
--- a/action.yml
+++ b/action.yml
@@ -87,6 +87,19 @@ runs:
 exit 1
 fi
+ # Download and verify SHA256 checksum (pinned releases only; latest skips verification)
+ if [ "${INPUT_VERSION}" != "latest" ]; then
+ SUMS_URL="https://github.com/${REPO}/releases/download/${TAG}/SHA256SUMS"
+ SUMS_HTTP=$(curl -sL -w '%{http_code}' -o "${INSTALL_DIR}/SHA256SUMS" "${SUMS_URL}")
+ if [ "${SUMS_HTTP}" -ge 200 ] && [ "${SUMS_HTTP}" -lt 300 ]; then
+ # Run checksum verification against the downloaded binary only
+ (cd "${INSTALL_DIR}" && grep 'accesslint$' SHA256SUMS | shasum -a 256 -c -)
+ echo "SHA256 verification passed"
+ else
+ echo "::warning::SHA256SUMS not available for ${TAG} (HTTP ${SUMS_HTTP}) — skipping verification"
+ fi
+ fi
+
 chmod +x "${INSTALL_DIR}/accesslint"
 # Verify it executes
@@ -275,7 +288,18 @@ runs:
 } >> "${GITHUB_STEP_SUMMARY}"
 # ------------------------------------------------------------------
- # Step 5: Post PR comment (if in a pull request context)
+ # Step 5: Upload findings as workflow artifact
+ # ------------------------------------------------------------------
+ - name: Upload AccessLint reports
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: accesslint-reports
+ path: ${{ github.workspace }}/accesslint-reports
+ if-no-files-found: ignore
+
+ # ------------------------------------------------------------------
+ # Step 6: Post PR comment (if in a pull request context)
+ # ------------------------------------------------------------------
 - name: Comment on PR
 if: always() && github.event_name == 'pull_request'
@@ -381,7 +405,7 @@ runs:
 }
 # ------------------------------------------------------------------
- # Step 6: Enforce threshold — exit with the correct code
+ # Step 7: Enforce threshold — exit with the correct code
 # ------------------------------------------------------------------
 - name: Enforce fail-on threshold
 id: threshold
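Review bot: `echo "SHA256 verification passed"` is reached whether or not the preceding `shasum -a 256 -c -` subshell succeeded, so unless the step's shell runs with `-e` (its `shell:` line is outside this hunk) a mismatched digest, or a `grep 'accesslint$'` that matches no entry, is logged as a pass and the install continues. Make the outcome explicit: `if ! (cd "${INSTALL_DIR}" && grep 'accesslint$' SHA256SUMS | shasum -a 256 -c -); then echo "::error::SHA256 verification failed for ${TAG}"; exit 1; fi`, with the success echo after it. `shasum -c` also requires the filename recorded in SHA256SUMS to equal the file on disk, so if the release publishes the binary under a platform-specific name that is renamed to `accesslint` on download the grep finds nothing; that depends on the release layout, which is not visible here. Because SHA256SUMS is fetched from the same release as the binary, this guards against a truncated or corrupted download rather than a tampered release, and the header comment could say so: `# Integrity check only: SHA256SUMS ships with the same release, so it does not authenticate the publisher (a signature would).` The install script this sits in starts before the hunk.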
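Review bot: `uses: actions/upload-artifact@v4` pins a mutable tag; for a reusable action that other repositories consume, pinning to the action's full commit SHA with the tag kept in a trailing comment, `uses: actions/upload-artifact@<full-commit-sha>  # v4`, keeps the dependency from changing underneath consumers. The fixed `name: accesslint-reports` also means a workflow that invokes this action twice in one run (a matrix, or two jobs) would collide, since upload-artifact v4 rejects a second upload to the same artifact name; suffixing the name with something like `${{ github.job }}` avoids that, though whether the action is meant to run more than once per workflow is not visible here.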