chore(release): verify SHA512 against actual archive (#691)#692
Merged
kcenon merged 1 commit on May 3, 2026
Add pre-flight verify-archive job to on-release-sync-registry.yml that independently re-downloads the release tarball and computes SHA512 before delegating to the reusable sync-vcpkg-registry workflow in common_system. The sync job now declares 'needs: verify-archive' so a fetch failure or unreachable tag short-circuits the entire run before any portfile commit reaches kcenon/vcpkg-registry. File-based hashing is required: piping curl into sha512sum masks fetch failures because SHA512 of empty input is the fixed constant cf83e1357eefb8bdf..., so a 404 still produces a valid-looking digest. The download uses curl -fsSL --retry 3 to a mktemp file and exits 1 with ::error:: if the fetch fails or the computed digest is empty. This closes the detection gap surfaced by microsoft/vcpkg#51511 and kcenon/vcpkg-registry#87, matching the pattern merged into common_system via PR #676. Closes #691
Closes #691
Part of #674.
What

Adds an independent SHA512 verification step to `.github/workflows/on-release-sync-registry.yml` that re-downloads the release archive from GitHub and confirms the digest is computable before delegating to the reusable `kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml@main`. The new `verify-archive` job is a hard dependency of `sync` (`needs: verify-archive`), so a fetch failure or empty digest short-circuits the run before any portfile commit reaches `kcenon/vcpkg-registry`.

Why

Detected via microsoft/vcpkg#51511 and kcenon/vcpkg-registry#87 — every kcenon port shipped a mismatched SHA512 because release automation never compared the computed value against the actual archive. Cold-cache vcpkg consumers (new CI runners, fresh users) hit 100% install failure when the SHA in `vcpkg-registry/ports/kcenon-thread-system/portfile.cmake` does not match the bytes at `https://github.com/kcenon/thread_system/archive/refs/tags/v<version>.tar.gz`. This PR closes the detection gap for `thread_system`, mirroring the pattern merged into `common_system` via kcenon/common_system#676.

Where

- `.github/workflows/on-release-sync-registry.yml`: `verify-archive` added before the existing `sync` job; `sync` now declares `needs: verify-archive`

Audit summary (other workflows considered)

- `on-release-sync-registry.yml`: calls `kcenon/common_system/.github/workflows/sync-vcpkg-registry.yml@main` (which computes and writes SHA512); now gated by `verify-archive`
- `ci.yml`, `coverage.yml`, `cve-scan.yml`, `integration-tests.yml`, `osv-scanner.yml`, `performance-benchmarks.yml`, `sbom.yml`, `static-analysis.yml`, `stress-tests.yml`, `valgrind.yml`
- `build-Doxygen.yaml`, `doc-audit.yml`, `update-readme-performance.yml`

`grep -l -E "sha512|SHA512|sha512sum"` over `.github/workflows/*` returned zero matches in `thread_system`; the only release-coupled workflow is `on-release-sync-registry.yml`. Hardening that single workflow inline is sufficient — no composite action extraction required.

How

The new `verify-archive` job:

- Runs on the same `release.published` trigger as the existing `sync` call.
- Fetches `https://github.com/kcenon/thread_system/archive/refs/tags/${TAG}.tar.gz`, with `${TAG}` taken from `github.event.release.tag_name`.
- Downloads to a `mktemp` file with `curl -fsSL --retry 3 -o "${TMP}"`. File-based, not piped. Piping into `sha512sum` masks fetch failures because SHA512 of empty input is the fixed constant `cf83e1357eefb8bdf...` — a 404 would still produce a valid-looking digest.
- Computes `sha512sum "${TMP}" | awk '{print $1}'`, removes the temp file, and asserts the digest is non-empty.
- Provides the digest as `verify-archive.sha512` for future cross-job consumers.
- The `sync` job adds `needs: verify-archive`, so it cannot run if pre-flight verification fails.

Runtime: ~1-2s on a typical thread_system archive.

Test Plan

How a reviewer can validate the new job fires

- Publish a release (tag `v0.x.y`) — the workflow triggers on `release.published`.
- Step `Verify release archive SHA512`: on a healthy release, the step prints:

Failure-mode coverage

- `curl -fsSL` fails with a non-zero exit code. The `if !` branch fires `exit 1` with annotation `Failed to download release archive: <URL>`. The download-to-file pattern is required: piping into `sha512sum` would otherwise mask the curl failure with the empty-input hash.
- If `sha512sum` somehow produces an empty string, the explicit `[ -z "${ACTUAL_SHA}" ]` check fails with `Computed SHA512 is empty`.
- `sync` declares `needs: verify-archive`, so any failure in pre-flight prevents the reusable workflow from running and prevents any commit landing in `kcenon/vcpkg-registry`.

YAML structure validated by re-reading the file post-edit (job keys, step names, `needs` reference).

Breaking Changes

None. The new job is additive and runs on the same `release.published` trigger. On a healthy release it adds ~1-2s and one log line. On a fetch failure (the failure mode this PR is designed to detect) it short-circuits the run before any vcpkg-registry commit, which is the desired behavior.

Reference
This PR mirrors the validated pattern from kcenon/common_system#676, which merged with full CI green and hardens the upstream reusable workflow consumed by this repo. The two layers are complementary: this PR adds an independent pre-flight check that runs even if the upstream workflow ref changes, and the upstream PR hardens the actual SHA-write path.
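The download-to-file pattern described under How and Failure-mode coverage, written out as an added shell example; this is not the workflow step from the PR or any code from kcenon/thread_system. It assumes `curl`, `mktemp`, `sha512sum` and `awk` are on PATH, and the function names (`masked_digest`, `sha512_of_file`, `verify_archive`, `check_portfile_sha512`) are this example's own. `masked_digest` uses `false` in place of a failing `curl` so the masking effect can be reproduced offline. The example goes slightly beyond the PR in two places: it also rejects a digest equal to the empty-input constant, and it compares the served archive against an expected portfile value rather than only checking that a digest was computed.

```shell
#!/bin/sh
# Added example (not the thread_system workflow): file-based SHA512 check of a
# release archive. Assumes curl, mktemp, sha512sum and awk on PATH. All function
# names are hypothetical, chosen for this example.
set -eu

# SHA512 of zero bytes. A `curl ... | sha512sum` pipeline prints exactly this
# when the fetch yields no bytes (404, DNS failure, aborted transfer), so the
# pipeline form cannot tell "download failed" from "downloaded a file".
EMPTY_SHA512=cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

# The masked failure, reproduced without network: `false` stands in for a curl
# that exits non-zero before writing anything. Without pipefail the pipeline's
# status is sha512sum's (0) and the "digest" is the empty-input constant.
masked_digest() {
  false | sha512sum | awk '{print $1}'
}

# Hash a file already on disk. Rejects an empty or missing file and the
# empty-input constant, so a truncated download can never pass this check.
sha512_of_file() {
  path="$1"
  if [ ! -s "$path" ]; then
    echo "::error::archive is empty or missing: $path" >&2
    return 1
  fi
  digest=$(sha512sum "$path" | awk '{print $1}')
  if [ -z "$digest" ] || [ "$digest" = "$EMPTY_SHA512" ]; then
    echo "::error::Computed SHA512 is empty" >&2
    return 1
  fi
  printf '%s\n' "$digest"
}

# Download first, hash second. -f turns HTTP 4xx/5xx into a non-zero curl exit,
# so a 404 stops here instead of hashing an HTML error page or nothing at all.
verify_archive() {
  url="$1"
  tmp=$(mktemp)
  if ! curl -fsSL --retry 3 -o "$tmp" "$url"; then
    rm -f "$tmp"
    echo "::error::Failed to download release archive: $url" >&2
    return 1
  fi
  digest=$(sha512_of_file "$tmp") || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  printf '%s\n' "$digest"
}

# Pre-flight gate: compare the served archive with the SHA512 a portfile
# records. The exit status is what a downstream `needs:` job would key on.
check_portfile_sha512() {
  url="$1"
  expected="$2"
  actual=$(verify_archive "$url") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "::error::SHA512 mismatch for $url" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  echo "SHA512 verified for $url"
}
```

In a workflow step, `check_portfile_sha512 "https://github.com/kcenon/thread_system/archive/refs/tags/${TAG}.tar.gz" "$EXPECTED"` fails the step on a fetch error, an empty digest, or a mismatch, and a `needs:` dependency then keeps the sync job from running. One caveat worth keeping in mind when interpreting a mismatch: GitHub generates `archive/refs/tags/*.tar.gz` on demand, and the bytes of those tarballs have changed in the past (the January 2023 compression change), so a mismatch can also mean the archive was regenerated, not only that the recorded value was wrong.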