goreleaser/goreleaser-action
1
0
Fork 0
mirror of https://github.com/goreleaser/goreleaser-action synced 2026-06-30 00:07:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: verify release checksum and cosign signature (#550)

Browse Source 
* feat: verify release checksum and cosign signature

Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: use install() for checksum e2e tests

Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Carlos Alexandro Becker
2026-04-18 14:34:46 -03:00
committed by GitHub
parent 01cbe076be
commit 4b462d3d1d
5 changed files with 199 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
__tests__/goreleaser.test.ts
+92
View File
@@ -1,5 +1,8 @@
import {describe, expect, it} from '@jest/globals';
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';
import * as io from '@actions/io';
import * as goreleaser from '../src/goreleaser';
describe('install', () => {
@@ -53,3 +56,92 @@ describe('distribSuffix', () => {
expect(goreleaser.distribSuffix('goreleaser')).toEqual('');
});
});
describe('findChecksum', () => {
const sample = [
'*malformed-line',
'',
'abc123 goreleaser_Linux_x86_64.tar.gz',
'def456 *goreleaser_Darwin_all.tar.gz',
'789xyz checksums.txt'
].join('\n');
it('finds a checksum by filename', () => {
expect(goreleaser.findChecksum(sample, 'goreleaser_Linux_x86_64.tar.gz')).toEqual('abc123');
});
it('strips a leading asterisk on the filename (binary mode)', () => {
expect(goreleaser.findChecksum(sample, 'goreleaser_Darwin_all.tar.gz')).toEqual('def456');
});
it('returns undefined when not present', () => {
expect(goreleaser.findChecksum(sample, 'missing.tar.gz')).toBeUndefined();
});
});
describe('getCertificateIdentity', () => {
it('returns the OSS workflow identity for tagged releases', () => {
expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.15.3')).toEqual(
'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/v2.15.3'
);
});
it('returns the Pro internal workflow identity for tagged releases', () => {
expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'v2.15.3')).toEqual(
'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/v2.15.3'
);
});
it('uses nightly-oss.yml@refs/heads/main for OSS nightly', () => {
expect(goreleaser.getCertificateIdentity('goreleaser', 'nightly')).toEqual(
'https://github.com/goreleaser/goreleaser/.github/workflows/nightly-oss.yml@refs/heads/main'
);
});
it('uses nightly-pro.yml@refs/heads/main for Pro nightly', () => {
expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'nightly')).toEqual(
'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/nightly-pro.yml@refs/heads/main'
);
});
});
describe('verifyChecksum', () => {
const requireCosign = async (): Promise<void> => {
const cosign = await io.which('cosign', false);
if (!cosign) {
throw new Error(
'cosign must be installed in PATH to run this integration test (apk add cosign / sigstore/cosign-installer)'
);
}
};
it('verifies a tagged OSS release end-to-end with cosign', async () => {
await requireCosign();
const bin = await goreleaser.install('goreleaser', 'v2.15.3');
expect(fs.existsSync(bin)).toBe(true);
}, 120000);
it('verifies the OSS nightly release end-to-end with cosign', async () => {
await requireCosign();
const bin = await goreleaser.install('goreleaser', 'nightly');
expect(fs.existsSync(bin)).toBe(true);
}, 120000);
it('throws on checksum mismatch', async () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
const archive = path.join(dir, 'fake.tar.gz');
fs.writeFileSync(archive, 'tampered content');
await expect(
goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'goreleaser_Linux_x86_64.tar.gz')
).rejects.toThrow(/Checksum mismatch/);
}, 60000);
it('throws when the filename is not in checksums.txt', async () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
const archive = path.join(dir, 'whatever.tar.gz');
fs.writeFileSync(archive, '');
await expect(
goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'not-a-real-asset.tar.gz')
).rejects.toThrow(/Could not find not-a-real-asset.tar.gz in checksums.txt/);
}, 60000);
});