chore(release): verify SHA512 against actual archive (#691) #692

Merged: kcenon merged 1 commit into develop from chore/issue-691-verify-sha512-against-actual-archive on May 3, 2026

@kcenon (Owner) commented May 3, 2026

Closes #691

Part of #674.

What

Adds an independent SHA512 verification step to .github/workflows/on-release-sync-registry.yml that re-downloads the release archive from GitHub and confirms the digest is computable before delegating to the reusable kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml@main. The new verify-archive job is a hard dependency of sync (needs: verify-archive), so a fetch failure or empty digest short-circuits the run before any portfile commit reaches kcenon/vcpkg-registry.

Why

Detected via microsoft/vcpkg#51511 and kcenon/vcpkg-registry#87 — every kcenon port shipped a mismatched SHA512 because release automation never compared the computed value against the actual archive. Cold-cache vcpkg consumers (new CI runners, fresh users) hit 100% install failure when the SHA in vcpkg-registry/ports/kcenon-thread-system/portfile.cmake does not match the bytes at https://github.com/kcenon/thread_system/archive/refs/tags/v<version>.tar.gz. This PR closes the detection gap for thread_system, mirroring the pattern merged into common_system via kcenon/common_system#676.

Where

| File | Change |
| --- | --- |
| .github/workflows/on-release-sync-registry.yml | New job verify-archive added before the existing sync job; sync now declares needs: verify-archive |

Audit summary (other workflows considered)

| Workflow | Touches portfile SHA? | Action |
| --- | --- | --- |
| on-release-sync-registry.yml | Delegates to kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml@main (which computes and writes SHA512) | Hardened (this PR) with a pre-flight verify-archive gate |
| ci.yml, coverage.yml, cve-scan.yml, integration-tests.yml, osv-scanner.yml, performance-benchmarks.yml, sbom.yml, static-analysis.yml, stress-tests.yml, valgrind.yml | No SHA512 / portfile interaction | No change needed |
| build-Doxygen.yaml, doc-audit.yml, update-readme-performance.yml | No release/portfile interaction | No change needed |

grep -l -E "sha512|SHA512|sha512sum" over .github/workflows/* returned zero matches in thread_system; the only release-coupled workflow is on-release-sync-registry.yml. Hardening that single workflow inline is sufficient — no composite action extraction required.

How

The new verify-archive job runs on the same release.published trigger as the existing sync call.

  1. Constructs https://github.com/kcenon/thread_system/archive/refs/tags/${TAG}.tar.gz from github.event.release.tag_name.
  2. Downloads to a mktemp file with curl -fsSL --retry 3 -o "${TMP}". File-based, not piped. Piping into sha512sum masks fetch failures because SHA512 of empty input is the fixed constant cf83e1357eefb8bdf... — a 404 would still produce a valid-looking digest.
  3. Runs sha512sum "${TMP}" | awk '{print $1}', removes the temp file, and asserts the digest is non-empty.
  4. Exposes the digest as job output verify-archive.sha512 for future cross-job consumers.
  5. The sync job adds needs: verify-archive, so it cannot run if pre-flight verification fails.

Runtime: ~1-2s on a typical thread_system archive.

Test Plan

How a reviewer can validate the new job fires

  1. Cut a release tag (v0.x.y) — the workflow triggers on release.published.
  2. Inspect the run log for the new job Verify release archive SHA512. On a healthy release, the step prints:
    Re-fetching https://github.com/kcenon/thread_system/archive/refs/tags/v0.x.y.tar.gz for independent verification...
    Archive SHA512 verified for v0.x.y:
      <128-char hex digest>
    

Failure-mode coverage

  • Bad URL path (nonexistent tag): curl -fsSL fails with non-zero exit code. The if ! branch fires exit 1 with annotation Failed to download release archive: <URL>. The download-to-file pattern is required: piping into sha512sum would otherwise mask the curl failure with the empty-input hash.
  • Empty digest path (defensive): even if sha512sum somehow produces an empty string, the explicit [ -z "${ACTUAL_SHA}" ] check fails with Computed SHA512 is empty.
  • Sync gating: sync declares needs: verify-archive, so any failure in pre-flight prevents the reusable workflow from running and prevents any commit landing in kcenon/vcpkg-registry.

YAML structure validated by re-reading the file post-edit (job keys, step names, needs reference).

Breaking Changes

None. The new job is additive and runs on the same release.published trigger. On a healthy release it adds ~1-2s and one log line. On a fetch failure (the failure mode this PR is designed to detect) it short-circuits the run before any vcpkg-registry commit, which is the desired behavior.

Reference

This PR mirrors the validated pattern from kcenon/common_system#676, which merged with full CI green and hardens the upstream reusable workflow consumed by this repo. The two layers are complementary: this PR adds an independent pre-flight check that runs even if the upstream workflow ref changes, and the upstream PR hardens the actual SHA-write path.

Add pre-flight verify-archive job to on-release-sync-registry.yml that
independently re-downloads the release tarball and computes SHA512 before
delegating to the reusable sync-vcpkg-registry workflow in common_system.
The sync job now declares 'needs: verify-archive' so a fetch failure or
unreachable tag short-circuits the entire run before any portfile commit
reaches kcenon/vcpkg-registry.

File-based hashing is required: piping curl into sha512sum masks fetch
failures because SHA512 of empty input is the fixed constant
cf83e1357eefb8bdf..., so a 404 still produces a valid-looking digest.
The download uses curl -fsSL --retry 3 to a mktemp file and exits 1 with
::error:: if the fetch fails or the computed digest is empty.

This closes the detection gap surfaced by microsoft/vcpkg#51511 and
kcenon/vcpkg-registry#87, matching the pattern merged into common_system
via PR #676.

Closes #691
@kcenon kcenon merged commit 61e0bd4 into develop May 3, 2026
1 check passed
@kcenon kcenon deleted the chore/issue-691-verify-sha512-against-actual-archive branch May 3, 2026 12:57
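
An added example, not code from this PR or from the kcenon workflows: it reproduces the piped-hash masking described in the PR and the file-based form that rejects a failed fetch, then goes one step further under an assumption and compares the fetched digest with the SHA512 line of a portfile.cmake. The function names, the `cat` stand-in for curl, and the demo archive and portfiles are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the PR). The fetch command is passed as arguments so
# the demo runs offline; in CI it would be: curl -fsSL --retry 3 "$URL"

# Piped form: the pipeline's status is awk's, so a failed fetch still "succeeds".
piped_sha512() { "$@" 2>/dev/null | sha512sum | awk '{print $1}'; }

# File-based form: the fetch status is checked before anything is hashed.
file_sha512() {
  tmp=$(mktemp) || return 1
  if ! "$@" >"$tmp" 2>/dev/null; then
    rm -f "$tmp"; echo "::error::Failed to download release archive" >&2; return 1
  fi
  sha=$(sha512sum "$tmp" | awk '{print $1}'); rm -f "$tmp"
  if [ -z "$sha" ]; then echo "::error::Computed SHA512 is empty" >&2; return 1; fi
  printf '%s\n' "$sha"
}

# Read the SHA512 argument of vcpkg_from_github() out of a portfile.cmake.
portfile_sha512() { awk '$1 == "SHA512" { print tolower($2); exit }' "$1"; }

# Assumed extension: fail unless the portfile digest equals the fetched bytes' digest.
verify_against_portfile() {   # $1 = portfile path, remaining args = fetch command
  pf=$1; shift
  want=$(portfile_sha512 "$pf")
  got=$(file_sha512 "$@") || return 1
  [ -n "$want" ] && [ "$got" = "$want" ]
}

# --- Constructed demo data: a stand-in archive and two portfiles ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'constructed archive bytes\n' >"$DEMO/v0.0.0.tar.gz"
GOOD=$(sha512sum "$DEMO/v0.0.0.tar.gz" | awk '{print $1}')
printf 'vcpkg_from_github(\n    REPO example/repo\n    SHA512 %s\n)\n' "$GOOD" >"$DEMO/good.cmake"
# A stale portfile carrying the empty-input digest, as a masked 404 would produce.
printf 'vcpkg_from_github(\n    SHA512 %s\n)\n' "$(piped_sha512 false)" >"$DEMO/stale.cmake"

echo "piped, fetch failed: $(piped_sha512 cat "$DEMO/missing.tar.gz")"
file_sha512 cat "$DEMO/missing.tar.gz" || echo "file-based, fetch failed: rejected"
verify_against_portfile "$DEMO/good.cmake"  cat "$DEMO/v0.0.0.tar.gz" && echo "good portfile: match"
verify_against_portfile "$DEMO/stale.cmake" cat "$DEMO/v0.0.0.tar.gz" || echo "stale portfile: MISMATCH"
```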