feat: Add checksum generation and verification to release process

- Generate SHA256 checksums for release artifacts - Add checksum verification to download script - Improve error handling and cleanup in download script
utensils · Jan 31, 2025 · 0d399c9 · 0d399c9
1 parent 4551b3f
commit 0d399c9
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -114,12 +114,20 @@ jobs:
           tar czf ../../../essex-${{ matrix.target }}.tar.gz ${{ matrix.binary_name }}
         fi
         cd -
+        # Generate checksum for the archive
+        if [ "${{ matrix.os }}" = "windows-latest" ]; then
+          shasum -a 256 essex-${{ matrix.target }}.zip > essex-${{ matrix.target }}.zip.sha256
+        else
+          shasum -a 256 essex-${{ matrix.target }}.tar.gz > essex-${{ matrix.target }}.tar.gz.sha256
+        fi
 
     - name: Upload artifact
       uses: actions/upload-artifact@v4
       with:
         name: essex-${{ matrix.target }}
-        path: essex-${{ matrix.target }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
+        path: |
+          essex-${{ matrix.target }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}
+          essex-${{ matrix.target }}.${{ matrix.os == 'windows-latest' && 'zip' || 'tar.gz' }}.sha256
         retention-days: 5
 
   release:
@@ -154,4 +162,4 @@ jobs:
           files: dist/*
           generate_release_notes: true
           draft: false
-          prerelease: false
+          prerelease: false
diff --git a/download_cli.sh b/download_cli.sh
@@ -79,8 +79,19 @@ get_latest_version() {
 # Verify SHA256 checksum
 verify_checksum() {
     local file="$1"
-    local expected_sha="$2"
+    local expected_sha
     local computed_sha
+    local checksum_file="${file}.sha256"
+
+    # Download checksum file if it doesn't exist
+    if [ ! -f "$checksum_file" ]; then
+        if ! curl -L --fail -o "$checksum_file" "${2}.sha256"; then
+            error "Failed to download checksum file"
+            return 1
+        fi
+    fi
+
+    expected_sha=$(cat "$checksum_file" | cut -d ' ' -f 1)
 
     if command -v sha256sum >/dev/null 2>&1; then
         computed_sha=$(sha256sum "$file" | cut -d ' ' -f 1)
@@ -93,6 +104,7 @@ verify_checksum() {
 
     if [ "$computed_sha" != "$expected_sha" ]; then
         error "Checksum verification failed"
+        rm -f "$file" "$checksum_file"
         return 1
     fi
     return 0
@@ -104,17 +116,25 @@ install_essex() {
     local platform="$2"
     local temp_dir
     temp_dir=$(mktemp -d)
-    local download_url="https://github.com/${ESSEX_REPO}/releases/download/${version}/essex-${platform}.tar.gz"
+    local base_url="https://github.com/${ESSEX_REPO}/releases/download/${version}"
+    local archive_name="essex-${platform}.tar.gz"
+    local download_url="${base_url}/${archive_name}"
 
     info "Downloading Essex ${version} for ${platform}..."
-    if ! curl -L --fail "$download_url" -o "${temp_dir}/essex.tar.gz"; then
+    if ! curl -L --fail "$download_url" -o "${temp_dir}/${archive_name}"; then
         error "Download failed"
         rm -rf "$temp_dir"
         return 1
     fi
 
+    info "Verifying checksum..."
+    if ! verify_checksum "${temp_dir}/${archive_name}" "$download_url"; then
+        rm -rf "$temp_dir"
+        return 1
+    fi
+
     info "Extracting..."
-    if ! tar xzf "${temp_dir}/essex.tar.gz" -C "$temp_dir"; then
+    if ! tar xzf "${temp_dir}/${archive_name}" -C "$temp_dir"; then
         error "Extraction failed"
         rm -rf "$temp_dir"
         return 1