chore(release): verify SHA512 against actual archive (#588)#589
Merged. kcenon merged 1 commit on May 3, 2026.
Add a defense-in-depth pre-verification job to on-release-sync-registry.yml that downloads the published GitHub release archive and computes its SHA512 before delegating to the shared sync workflow that writes the SHA into portfile.cmake. The downstream reusable workflow (kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml) was hardened in kcenon/common_system#676 to compare its computed SHA against the actual archive. This change adds an independent check in this repo so a release that produces an unfetchable or empty archive fails fast in this repo's release run, with a clear log line, before the sync workflow ever runs.

The check uses file-based hashing (curl -fsSL --retry 3 ... -o tmpfile) rather than piping curl into sha512sum, so a fetch failure cannot silently produce the empty-input SHA512 (cf83e1357eefb8bdf...). The empty-input hash is also explicitly rejected as a final safety net.

Audit:
- on-release-sync-registry.yml: thin caller of common_system reusable workflow; this PR adds an independent pre-verification job here.
- release.yml: builds and publishes platform artifacts, no SHA write.
- vcpkg-overlay.yml: local overlay-port build/test, no SHA write.
- All other workflows (ci, sanitizers, coverage, integration, etc.): no portfile SHA computation.

Closes #588
Part of kcenon/common_system#674
Closes #588
Part of kcenon/common_system#674.

## What

Adds a defense-in-depth `verify-archive` pre-job to `.github/workflows/on-release-sync-registry.yml` that downloads the published GitHub release archive and computes its SHA512 before delegating to the shared sync workflow that writes the SHA into `portfile.cmake`. On any fetch failure, empty archive, or empty-input hash, the job exits 1 with a clear error annotation before the sync workflow runs.

## Why

Detected via microsoft/vcpkg#51511 and kcenon/vcpkg-registry#87 - every kcenon port shipped a mismatched SHA512 because the release automation never compared its computed value against the actual archive. Cold-cache vcpkg consumers (new CI runners, fresh users) hit 100% install failure when the SHA in `vcpkg-registry/ports/kcenon-database-system/portfile.cmake` does not match the bytes at `https://github.com/kcenon/database_system/archive/refs/tags/v<version>.tar.gz`.

The downstream reusable workflow (`kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml`) was hardened in kcenon/common_system#676 to compare its computed SHA against the actual archive. This PR adds an independent check in this repo so a release whose archive is unfetchable or empty fails fast in this repo's release run, with a clear log line, before the sync workflow is ever called.

## Where

- `.github/workflows/on-release-sync-registry.yml`: new `verify-archive` job, and `needs: verify-archive` on the existing `sync` job.

Audit summary (other workflows considered):

- `on-release-sync-registry.yml` (delegates to `common_system`)
- `release.yml`
- `vcpkg-overlay.yml`
- `ci.yml`, `sanitizers.yml`, `coverage.yml`, `integration*.yml`, `cve-scan.yml`, `osv-scanner.yml`, `static-analysis.yml`, `sbom.yml`, `benchmarks.yml`, `build-Doxygen.yaml`, `doc-audit.yml`

The actual SHA computation step lives in `common_system`'s reusable workflow (already hardened by #676). The sensible local addition is a pre-flight verification job in this repo's caller, so a bad release fails fast before delegating.

## How

The new `verify-archive` job runs before the existing `sync` job (declared via `needs: verify-archive`). It re-fetches the archive with `curl -fsSL --retry 3` to a file (not piped) so a 404 cannot silently produce the empty-input SHA512 `cf83e1357eefb8bdf...`. It additionally rejects:

- a `curl` failure (`-fsSL` ensures non-zero exit);
- an empty file (`! -s "${VERIFY_FILE}"`).

Runtime: ~1-2 s on a typical `database_system` archive (~670 KB).

## Test Plan

How a reviewer can validate the new job fires:

- Release tag `v0.x.y`: the existing `Sync Registry on Release` workflow triggers `verify-archive`, then on success delegates to the `sync` reusable workflow.

Locally executed and confirmed before push:

- `v0.1.1` archive: `curl -fsSL` returns 0, file size 669807 bytes, SHA512 `989aeb716da9e79f...` (non-empty hash).
- `v999.999.999`: `curl -fsSL` returns 22 (404), the `if !` branch fires `exit 1` with `Failed to download release archive for verification: <URL>`.
- `[[ ! -s ... ]]` check.

The download-to-file pattern (rather than a pipe) is required to make these failure modes detectable - piping into `sha512sum` would otherwise mask the curl failure with the empty-input hash.

YAML structure validated with `js-yaml` (jobs: `verify-archive`, `sync`; `sync.needs: verify-archive`).

## Breaking Changes

None. The new job is additive; on a successful release it adds ~1-2 s and a few log lines before the existing sync runs. On a SHA mismatch or unfetchable archive (the failure modes this PR is designed to detect) it short-circuits the existing run before the sync workflow is invoked, which is the desired behavior.
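The pipe-versus-file distinction the PR rests on, as an added example that is not the PR's workflow or any kcenon project code. It assumes POSIX sh with coreutils `sha512sum` on PATH (and `curl` only for `fetch_and_verify`); the function names `piped_sha512`, `verify_archive_file` and `fetch_and_verify` are invented for this illustration. `piped_sha512` reproduces the masked failure (the pipeline's status is the last command's, so a failed fetch still "succeeds" and yields the empty-input hash), `verify_archive_file` applies the PR's two file-level rejections, and the demo substitutes `cat` on constructed files for the network fetch so it runs offline.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Assumes POSIX sh, coreutils
# sha512sum and (for fetch_and_verify only) curl on PATH. Function names are
# invented for this illustration.

# SHA512 of zero bytes: what `curl ... | sha512sum` yields when the fetch fails.
EMPTY_SHA512="cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"

# The pattern the PR avoids. "$@" stands in for the curl command; the
# pipeline's exit status is awk's, so a failed fetch still returns 0 and
# prints the empty-input hash as if it were the archive's.
piped_sha512() {
    "$@" | sha512sum | awk '{print $1}'
}

# The PR's checks applied to an already-downloaded file: the file must be
# non-empty, and the computed hash must not be the empty-input hash.
# Prints the hash on success, returns 1 otherwise.
verify_archive_file() {
    file="$1"
    if [ ! -s "$file" ]; then
        echo "error: archive '$file' is missing or empty" >&2
        return 1
    fi
    sha=$(sha512sum "$file" | awk '{print $1}')
    if [ "$sha" = "$EMPTY_SHA512" ]; then
        echo "error: computed SHA512 is the empty-input hash" >&2
        return 1
    fi
    printf '%s\n' "$sha"
}

# Download-to-file pattern from the PR: curl's own exit status is observed
# (-f turns HTTP errors such as 404 into a non-zero exit), and only then is
# the file hashed and checked.
fetch_and_verify() {
    url="$1"
    out="$2"
    if ! curl -fsSL --retry 3 "$url" -o "$out"; then
        echo "Failed to download release archive for verification: $url" >&2
        return 1
    fi
    verify_archive_file "$out"
}

# Offline demonstration on constructed files (no network needed).
demo() {
    tmp=$(mktemp)
    printf 'constructed archive bytes, standing in for a release tarball\n' > "$tmp"
    echo "good file hash:  $(verify_archive_file "$tmp")"

    # Simulated failed fetch: `cat` on a missing path behaves like curl on a
    # 404 (nothing on stdout, non-zero exit). The pipe reports it as a hash.
    echo "piped failure:   $(piped_sha512 cat /nonexistent/archive.tar.gz 2>/dev/null)"

    : > "$tmp"   # truncate to zero bytes, simulating an empty download
    if verify_archive_file "$tmp" 2>/dev/null; then
        echo "unexpected: empty file passed"
    else
        echo "empty file rejected, as the PR's check intends"
    fi
    rm -f "$tmp"
}

demo
```

In a workflow, `fetch_and_verify "$URL" "$VERIFY_FILE"` is the step that fails fast; the `demo` function shows why the second line of output is the misleading `cf83e135...` value rather than an error.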