Generate and upload SHA256 sums, as ripgrep does
This uses the code from the ripgrep workflow to do so, with small
modifications to fit the style used here, and, except for the code
that is specific to Windows, occurring twice: once for most of the
Unix jobs, and once for the macOS Universal 2 archive.

This also makes these closely related changes:

+ Refactor the parts of the Universal 2 job that are similar to the
  other jobs so they are expressed more similarly.

+ Check the new checksums for the `gh release download` downloaded
  archives that the Universal 2 job takes its architecture-specific
  binaries from (to combine into a universal binary). The risk
  that the files would be corrupted when downloaded in this way is
  *extremely* low, but the presence of a checksum published for the
  Universal 2 archive might be interpreted to mean that downloaded
  archives used for the constituent binary images were verified.

  (As done here, this verification is not really for security,
  since the checksums used to do it are obtained from the same
  source in the same way -- which fortunately is pretty secure.
  It may safeguard against a very small risk of corruption. It also
  fails earlier if the files are not downloaded at all, in case the
  cause is not one that caused `gh` to exit with a failure status.)
EliahKagan committed Aug 1, 2024
1 parent 314de7a commit 027fef5
Showing 1 changed file with 22 additions and 10 deletions.
32 changes: 22 additions & 10 deletions .github/workflows/release.yml
Expand Up @@ -208,18 +208,22 @@ jobs:
file -- "$TARGET_DIR"/release/{ein,gix}.exe
cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$ARCHIVE/"
7z a "$ARCHIVE.zip" "$ARCHIVE"
certutil -hashfile "$ARCHIVE.zip" SHA256 > "$ARCHIVE.zip.sha256"
echo "ASSET=$ARCHIVE.zip" >> "$GITHUB_ENV"
echo "ASSET_SUM=$ARCHIVE.zip.sha256" >> "$GITHUB_ENV"
- name: Build archive (Unix)
if: matrix.os != 'windows-latest'
run: |
file -- "$TARGET_DIR"/release/{ein,gix}
cp -- "$TARGET_DIR"/release/{ein,gix} "$ARCHIVE/"
tar czf "$ARCHIVE.tar.gz" "$ARCHIVE"
shasum --algorithm=256 "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256"
echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV"
echo "ASSET_SUM=$ARCHIVE.tar.gz.sha256" >> "$GITHUB_ENV"
- name: Upload release archive
run: gh release upload "$VERSION" "$ASSET"
run: gh release upload "$VERSION" "$ASSET" "$ASSET_SUM"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
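Review bot: The Windows step's `certutil -hashfile "$ARCHIVE.zip" SHA256 > "$ARCHIVE.zip.sha256"` does not produce the same file format as the Unix step's `shasum --algorithm=256`. `certutil` writes a multi-line report (a header line naming the file, the hash, and a completion message), while `shasum` writes a single `<hash>  <filename>` line. As a result the published `.zip.sha256` asset cannot be passed to `shasum --check` or `sha256sum --check` the way the `.tar.gz.sha256` assets can, and anyone verifying the Windows archive has to pick the hash out by hand. Consider emitting the one-line format on Windows too (for example with `sha256sum`, if the runner's bash environment provides it), or state the difference wherever the checksums are documented for users.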

Expand Down Expand Up @@ -249,38 +253,46 @@ jobs:
- name: Obtain single-architecture releases
run: |
gh release --repo="$REPOSITORY" download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz"
gh release --repo="$REPOSITORY" download "$VERSION" \
--pattern="$(name aarch64).tar.gz" --pattern="$(name aarch64).tar.gz.sha256" \
--pattern="$(name x86_64).tar.gz" --pattern="$(name x86_64).tar.gz.sha256"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Unpack single-architecture releases
run: |
shasum --check "$(name aarch64).tar.gz.sha256" "$(name x86_64).tar.gz.sha256"
tar xf "$(name aarch64).tar.gz"
tar xf "$(name x86_64).tar.gz"
- name: Determine archive basename
run: echo "ARCHIVE=$(name universal)" >> "$GITHUB_ENV"

- name: Pre-populate directory for archive
run: |
cp -R -- "$(name aarch64)" "$(name universal)"
rm -- "$(name universal)"/{ein,gix}
cp -R -- "$(name aarch64)" "$ARCHIVE"
rm -- "$ARCHIVE"/{ein,gix}
- name: Create Universal 2 binaries
run: |
for bin in ein gix; do
lipo -create "$(name aarch64)/$bin" "$(name x86_64)/$bin" -output "$(name universal)/$bin"
file "$(name universal)/$bin"
lipo -create "$(name aarch64)/$bin" "$(name x86_64)/$bin" -output "$ARCHIVE/$bin"
file -- "$ARCHIVE/$bin"
done
- name: Build archive
run: |
tar czf "$(name universal).tar.gz" "$(name universal)"
echo "ASSET=$(name universal).tar.gz" >> "$GITHUB_ENV"
tar czf "$ARCHIVE.tar.gz" "$ARCHIVE"
shasum --algorithm=256 "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256"
echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV"
echo "ASSET_SUM=$ARCHIVE.tar.gz.sha256" >> "$GITHUB_ENV"
- name: Upload release archive
run: gh release --repo="$REPOSITORY" upload "$VERSION" "$ASSET"
run: gh release --repo="$REPOSITORY" upload "$VERSION" "$ASSET" "$ASSET_SUM"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# This checks and publishes the release on GitHub. It does not upload to crates.io.
# This checks the draft release on GitHub and publishes it. It does not upload to crates.io.
publish-release:
name: publish-release
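Review bot: The `shasum --check "$(name aarch64).tar.gz.sha256" "$(name x86_64).tar.gz.sha256"` line in "Unpack single-architecture releases" has no comment saying what it does and does not guarantee. The checksum files come from the same `gh release download` call, release, and token as the archives they cover, so a pass shows the downloads are intact and present, not that they are the artifacts the build jobs produced. The commit message explains this, but the workflow is what future maintainers will read; a short YAML comment above the check stating that it guards against corruption or a missing download, not tampering, would keep the published Universal 2 checksum from being read as a stronger claim. The check would also sit more naturally at the end of "Obtain single-architecture releases", so a failure is reported against the download step rather than the unpack step.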
