Summary
Currently, src/main.ts downloads a release tarball via tc.downloadTool() and immediately extracts it via tc.extractTar() without verifying the archive's integrity. This weakens supply-chain security for every workflow using this action.
Background
To properly implement checksum verification in the setup-adc action, the upstream ADC release workflow must first be enhanced to:
- Publish SHA-256 digest files alongside each release asset (e.g., adc_linux_amd64.tar.gz.sha256).
- Enable immutable releases so that release assets cannot be silently replaced after publication.
Once the upstream project provides these artifacts, the action can be updated to:
- Fetch the expected checksum from the release metadata or a .sha256 sidecar file.
- Compute the SHA-256 digest of the downloaded archive.
- Compare the computed digest to the expected value and abort extraction if they do not match.
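The three steps above, as an added example that is not the action's own code: it assumes the sidecar uses the sha256sum format (`<hex digest>  <filename>`) and has already been downloaded, and it would sit between tc.downloadTool() and tc.extractTar() in src/main.ts. The demo() helper and its "abc" stand-in archive are constructed for illustration.

```typescript
import * as crypto from "node:crypto";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Parse a sha256sum-style sidecar and return the hex digest for assetName.
function parseSha256Sidecar(sidecar: string, assetName: string): string {
  for (const line of sidecar.split(/\r?\n/)) {
    const m = line.trim().match(/^([0-9a-fA-F]{64})\s+\*?(.+)$/);
    if (m && path.basename(m[2]) === assetName) return m[1].toLowerCase();
  }
  throw new Error(`no SHA-256 entry for ${assetName} in sidecar`);
}

// Compute the SHA-256 digest of the downloaded archive (read whole; archives are small).
function sha256File(filePath: string): string {
  return crypto.createHash("sha256").update(fs.readFileSync(filePath)).digest("hex");
}

// Compare digests in constant time; a length mismatch is simply a mismatch.
function verifyArchive(archivePath: string, expectedHex: string): boolean {
  const actual = Buffer.from(sha256File(archivePath), "hex");
  const expected = Buffer.from(expectedHex, "hex");
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Gate extraction: throw before tc.extractTar() would run.
function assertArchiveIntegrity(archivePath: string, sidecar: string, assetName: string): void {
  const expected = parseSha256Sidecar(sidecar, assetName);
  if (!verifyArchive(archivePath, expected)) {
    throw new Error(`SHA-256 mismatch for ${assetName}; refusing to extract`);
  }
}

// Constructed demo: "abc" stands in for the tarball; its SHA-256 is the well-known value below.
// tamper=true writes different bytes so the verification must fail.
function demo(tamper: boolean): boolean {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "setup-adc-"));
  const asset = "adc_linux_amd64.tar.gz";
  const archive = path.join(dir, asset);
  fs.writeFileSync(archive, tamper ? "abd" : "abc");
  const sidecar = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  " + asset + "\n";
  try { assertArchiveIntegrity(archive, sidecar, asset); return true; }
  catch { return false; }
  finally { fs.rmSync(dir, { recursive: true, force: true }); }
}
```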
References
/cc @bzp2010