28 changes: 26 additions & 2 deletions action.yml
@@ -87,6 +87,19 @@ runs:
exit 1
fi

# Download and verify SHA256 checksum (pinned releases only; latest skips verification)
if [ "${INPUT_VERSION}" != "latest" ]; then
SUMS_URL="https://github.com/${REPO}/releases/download/${TAG}/SHA256SUMS"
SUMS_HTTP=$(curl -sL -w '%{http_code}' -o "${INSTALL_DIR}/SHA256SUMS" "${SUMS_URL}")
if [ "${SUMS_HTTP}" -ge 200 ] && [ "${SUMS_HTTP}" -lt 300 ]; then
# Run checksum verification against the downloaded binary only
(cd "${INSTALL_DIR}" && grep 'accesslint$' SHA256SUMS | shasum -a 256 -c -)
echo "SHA256 verification passed"
else
echo "::warning::SHA256SUMS not available for ${TAG} (HTTP ${SUMS_HTTP}) — skipping verification"
fi
fi

chmod +x "${INSTALL_DIR}/accesslint"

# Verify it executes
@@ -275,7 +288,18 @@ runs:
} >> "${GITHUB_STEP_SUMMARY}"

# ------------------------------------------------------------------
# Step 5: Post PR comment (if in a pull request context)
# Step 5: Upload findings as workflow artifact
# ------------------------------------------------------------------
- name: Upload AccessLint reports
if: always()
uses: actions/upload-artifact@v4
with:
name: accesslint-reports
path: ${{ github.workspace }}/accesslint-reports
if-no-files-found: ignore

# ------------------------------------------------------------------
# Step 6: Post PR comment (if in a pull request context)
# ------------------------------------------------------------------
- name: Comment on PR
if: always() && github.event_name == 'pull_request'
@@ -381,7 +405,7 @@ runs:
}

# ------------------------------------------------------------------
# Step 6: Enforce threshold — exit with the correct code
# Step 7: Enforce threshold — exit with the correct code
# ------------------------------------------------------------------
- name: Enforce fail-on threshold
id: threshold
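Review bot: The checksum step added in the first hunk fails open: when SHA256SUMS cannot be fetched for a pinned tag, the `else` branch only emits `::warning::`, and the script goes on to `chmod +x` and execute the unverified binary. In addition, `grep 'accesslint$' SHA256SUMS | shasum -a 256 -c -` hands shasum whatever grep selects, which may be nothing or an entry whose name merely ends in `accesslint`. The following `echo "SHA256 verification passed"` is only truthful if the step's shell runs with errexit and pipefail, which is not visible here because the run script starts and ends outside the hunk. I would make a missing file, a missing entry and a mismatch explicit errors, as sketched below; if older pinned releases without SHA256SUMS must keep working, make skipping an explicit opt-out rather than the default. Because SHA256SUMS is served from the same release as the binary, this check catches corruption but not a replaced release, which is worth stating in the comment above the block.

```yaml
# … unchanged: SUMS_URL and the curl download of SHA256SUMS …
if [ "${SUMS_HTTP}" -ge 200 ] && [ "${SUMS_HTTP}" -lt 300 ]; then
  # Select only the entry for the installed binary; an absent entry is an error
  SUMS_LINE=$(grep -E '[ *]accesslint$' "${INSTALL_DIR}/SHA256SUMS" || true)
  if [ -z "${SUMS_LINE}" ]; then
    echo "::error::No accesslint entry in SHA256SUMS for ${TAG}"
    exit 1
  fi
  # Do not rely on errexit/pipefail: test the verification result directly
  if ! (cd "${INSTALL_DIR}" && printf '%s\n' "${SUMS_LINE}" | shasum -a 256 -c -); then
    echo "::error::SHA256 mismatch for accesslint ${TAG}"
    exit 1
  fi
  echo "SHA256 verification passed"
else
  echo "::error::SHA256SUMS not available for ${TAG} (HTTP ${SUMS_HTTP})"
  exit 1
fi
```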