Derive digest algorithm from ref length in release verify commands#13430
Merged: bdehamer merged 2 commits on May 15, 2026
Conversation
Commit message:

The 'gh release verify' and 'gh release verify-asset' commands hard-coded a 'sha1:' prefix when constructing the digest identifier for a release tag's commit SHA. Once GitHub repositories using SHA-256 commit digests are supported, that ref will be a 64-character SHA-256 hash and labeling it as 'sha1:' is both misleading in user output and incorrect for the attestation lookup.

Add a shared 'DigestAlgForRef' helper that returns 'sha256' for 64-char digests and 'sha1' otherwise (preserving existing behavior for SHA-1 repositories), and use it at both call sites. Add test coverage for the helper and for the SHA-256 error path in both commands.

Fixes cli#13429

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Bot comment: Thanks for your pull request! Unfortunately, it doesn't meet the requirements for review: Please update your PR to address the above. This PR will be automatically closed in 4 days if these requirements are not met. Full contribution requirements
Contributor (Copilot review)
Pull request overview
This PR updates release verification to derive the release ref digest algorithm from the ref length so SHA-256 repository refs are labeled and queried correctly.
Changes:
- Added `DigestAlgForRef` to choose `sha256` for 64-character refs and `sha1` otherwise.
- Updated `release verify` and `release verify-asset` to use the derived algorithm.
- Added SHA-256-focused regression tests and helper unit tests.
Summary per file:
| File | Description |
|---|---|
| `pkg/cmd/release/verify/verify.go` | Uses the shared helper when constructing the release ref digest. |
| `pkg/cmd/release/verify/verify_test.go` | Adds SHA-256 no-attestations coverage for release verify. |
| `pkg/cmd/release/verify-asset/verify_asset.go` | Uses the shared helper when constructing the release ref digest. |
| `pkg/cmd/release/verify-asset/verify_asset_test.go` | Adds SHA-256 no-attestations coverage for release verify-asset. |
| `pkg/cmd/release/shared/fetch.go` | Adds the shared digest algorithm helper. |
| `pkg/cmd/release/shared/fetch_test.go` | Adds unit tests for digest algorithm selection. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 2
babakks (Member) approved these changes on May 15, 2026 and left a comment:
LGTM! Also, I think comments are valid.
Commit message:

Address PR review feedback:
- Rename SHA1 tests to make the algorithm explicit
- Assert the sha1:/sha256: prefix appears in the error
- Use a capturing MockClient so we verify the actual digest sent to GetByDigest, not just the wrapped error message

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fixes #13429
Summary
The `gh release verify` and `gh release verify-asset` commands hard-coded a `sha1:` prefix when constructing the digest identifier for a release tag's commit SHA. Once GitHub repositories using SHA-256 commit digests are supported, that ref will be a 64-character SHA-256 hash and labeling it as `sha1:` is both misleading in user-facing output and incorrect for the attestation lookup.
Changes
- Added `DigestAlgForRef(digest string) string` in `pkg/cmd/release/shared/fetch.go` that returns `"sha256"` for 64-character digests and `"sha1"` otherwise (preserving existing behavior).
- Replaced the hard-coded `"sha1"` argument in `pkg/cmd/release/verify/verify.go` and `pkg/cmd/release/verify-asset/verify_asset.go` with a call to the new helper.
- Added unit tests for `DigestAlgForRef` covering SHA-1, SHA-256, empty, and unexpected lengths.
- Added `*_SHA256` variants of the existing `FailedNoAttestations` tests in both commands that assert the error message includes `sha256:<digest>`.
Verification
- `go test ./pkg/cmd/release/shared/... ./pkg/cmd/release/verify/... ./pkg/cmd/release/verify-asset/...` passes.
- `go build ./...` passes.
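The following is an added, self-contained Go example illustrating the behaviour described in both commit messages and the PR summary; it is not the cli project's own code. The `DigestAlgForRef` name and its length rule come from the page, but the body here is a reimplementation; `ReleaseRefDigest`, `VerifyReleaseRef`, the `AttestationClient`/`GetByDigest` shape, `CapturingClient` and the sample refs are assumptions made for the example. `ValidateRefDigest` goes beyond the PR: it is an extra guard that rejects refs which are neither 40 nor 64 hex characters instead of silently labelling them `sha1`.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample refs: genuine SHA-1 (40 hex chars) and SHA-256 (64 hex
// chars) digests of a throwaway string, so the lengths match what a Git
// repository in each object format reports for a release tag's commit.
var (
	SampleSHA1Ref   = func() string { s := sha1.Sum([]byte("constructed sample")); return hex.EncodeToString(s[:]) }()
	SampleSHA256Ref = func() string { s := sha256.Sum256([]byte("constructed sample")); return hex.EncodeToString(s[:]) }()
)

// DigestAlgForRef reproduces the rule the PR describes: the algorithm is
// derived from the ref length alone. 64 characters means sha256; anything
// else (including empty or odd-length input) keeps the previous sha1 label.
func DigestAlgForRef(digest string) string {
	if len(digest) == 64 {
		return "sha256"
	}
	return "sha1"
}

// ReleaseRefDigest builds the "<alg>:<hex>" identifier handed to the
// attestation lookup, the value the verify commands previously prefixed with
// a hard-coded "sha1:".
func ReleaseRefDigest(ref string) string {
	return DigestAlgForRef(ref) + ":" + ref
}

// ValidateRefDigest is an extra check that is NOT part of the PR (assumption):
// it rejects refs that are neither 40 nor 64 hex characters before any lookup.
func ValidateRefDigest(ref string) error {
	if len(ref) != 40 && len(ref) != 64 {
		return fmt.Errorf("unexpected commit digest length %d (want 40 for sha1 or 64 for sha256)", len(ref))
	}
	if _, err := hex.DecodeString(ref); err != nil {
		return fmt.Errorf("commit digest %q is not hexadecimal: %w", ref, err)
	}
	return nil
}

// Attestation and AttestationClient are hypothetical stand-ins for the client
// the verify commands call; only the GetByDigest shape matters here.
type Attestation struct{ Bundle string }

type AttestationClient interface {
	GetByDigest(digest string) ([]Attestation, error)
}

// ErrNoAttestations is the sentinel wrapped when the lookup returns nothing.
var ErrNoAttestations = errors.New("no attestations found")

// VerifyReleaseRef performs the lookup and wraps failures with the full digest
// identifier, so the error text reads "sha256:<digest>" for a SHA-256 ref.
func VerifyReleaseRef(c AttestationClient, ref string) ([]Attestation, error) {
	digest := ReleaseRefDigest(ref)
	atts, err := c.GetByDigest(digest)
	if err != nil {
		return nil, fmt.Errorf("fetching attestations for %s: %w", digest, err)
	}
	if len(atts) == 0 {
		return nil, fmt.Errorf("%w for %s", ErrNoAttestations, digest)
	}
	return atts, nil
}

// CapturingClient records the exact digest passed to GetByDigest. This is the
// test pattern the second commit describes: assert on what was actually sent,
// not only on the wrapped error message.
type CapturingClient struct {
	GotDigest string
	Result    []Attestation
	Err       error
}

func (c *CapturingClient) GetByDigest(digest string) ([]Attestation, error) {
	c.GotDigest = digest
	return c.Result, c.Err
}

func main() {
	for _, ref := range []string{SampleSHA1Ref, SampleSHA256Ref} {
		c := &CapturingClient{}
		_, err := VerifyReleaseRef(c, ref)
		fmt.Printf("sent %s\nerror: %v\n\n", c.GotDigest, err)
	}
}
```

Running `main` shows the SHA-1 sample being sent as `sha1:<40 hex>` and the SHA-256 sample as `sha256:<64 hex>`, with the same prefix surfacing in the no-attestations error. Checking `CapturingClient.GotDigest` is what catches a regression to the hard-coded prefix: the wrapped error message alone could be right while the lookup still queried under the wrong algorithm.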