Print hashes to the GitHub Action log while preparing a release draft

[nanogarden]

Currently, the GitHub Action will compute the file hashes and append them to the checksum file. However, it is trivial to tamper with the executables and the checskum files before finalizing the release. GitHub does not provide a way to check whether this has happened - at least not one that I know of.

By using "tee" to pipe the hashes to the GitHub Action log while simultaneously appending them to the file, one can use GitHub as a third-party verifier of the integrity of the build.

This very simple modification significantly reduces the amount of trust a user has to place on the maintainers of Nault or any of its future forks.

An example of this modification in practice can be seen in these logs, under the "Create Hashes" section: https://github.com/nanogarden/Nault/actions/runs/5866326649/job/15904942936

Here is a screenshot:

[Joohansson]

@nanogarden Seems to work fine. The github build log show same hash as when doublechecking the built executables. But the actual hash files appended to the release, for example latest.yml (for windows) show something completely different. I can't figure out why.

version: 1.18.2
files:
  - url: Nault-Setup-1.18.2-Windows.exe
    sha512: k3IaOmv9cPO7hElSPOovoxOHIxKBAz4COeRTX1rz7azzJ9vsO5gTVj9Dq0oGwUCNej7cba79baXHmTfNyScG3Q==
    size: 73993230
path: Nault-Setup-1.18.2-Windows.exe
sha512: k3IaOmv9cPO7hElSPOovoxOHIxKBAz4COeRTX1rz7azzJ9vsO5gTVj9Dq0oGwUCNej7cba79baXHmTfNyScG3Q==
releaseDate: '2023-08-19T15:07:25.437Z'

[Joohansson]

Never mind, I was looking in the wrong file. It's checksums-1.18.2-windows.txt

That is correct

[nanogarden]

Happy that it checks out. Thank you for implementing this!