@icfaust icfaust commented Mar 12, 2025

Helps to try and push forward the goal of #418 and helps on uxlfoundation/oneDAL#3078. I know from the other PR there was a discussion of SLSA, and that Google may be using some sort of internal release process, so this may be in the wrong direction. This PR attempts to patch in a file to the release called checksums.txt, which creates a text file with the sha256 hashes based on GitHub releases using free GitHub runners.

I have not verified its operation. Any assistance would be greatly appreciated.

google-cla bot commented Mar 12, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@meteorcloudy meteorcloudy added the P3 We're not considering working on this, but happy to review a PR. (No assignee) label Apr 15, 2025
@meteorcloudy meteorcloudy requested a review from fweikert April 15, 2025 15:12
icfaust (Author) commented May 16, 2025

@fweikert Hello, please let me know whether this is useful or whether something should be changed. Thank you very much for your work on Bazelisk.

icfaust (Author) commented Jun 8, 2025

@meteorcloudy I haven't received any response from the requested reviewer on the PR. Am I doing something wrong? Let me know if there are any steps I can take to help this get reviewed.

@meteorcloudy (Member)

@fweikert is currently OOO; he'll be back in the next few days. Sorry for the delay.

I'm all for enhancing the security of Bazelisk, but I'm not sure adding this GitHub Action is the best way. Let's wait for Florian's opinion, since he owns the Bazelisk release.

icfaust (Author) commented Jul 1, 2025

Hello @fweikert, any thoughts on including hashes with releases?

@fweikert (Member)

I like the general idea, but I'm not really familiar with the intricacies of GitHub Actions.

Moreover, I don't know whether this is still necessary - I can see that GitHub generates checksums for the artifacts in https://github.com/bazelbuild/bazelisk/releases/tag/v1.27.0

icfaust (Author) commented Aug 12, 2025

@fweikert It looks like it was introduced after the PR was opened: https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/ and is no longer necessary.

@icfaust icfaust closed this Aug 12, 2025
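
Added example, not part of this PR or of the Bazelisk project: a consumer-side check of a downloaded release asset against either a `checksums.txt` file or a release-asset digest string, failing closed when the asset is not listed. It assumes `checksums.txt` uses the `sha256sum` line layout and that a digest string has the form `sha256:<hex>`; the thread shows neither format, and the asset name and bytes below are constructed.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def _is_sha256_hex(s):
    return len(s) == 64 and set(s) <= HEX

def parse_checksums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>' (assumed layout)."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and _is_sha256_hex(parts[0].lower()):
            table[parts[1].lstrip("*")] = parts[0].lower()
    return table

def parse_digest_field(value):
    """Parse an '<algorithm>:<hex>' digest string (assumed form); only sha256 is accepted."""
    algo, _, hexdigest = value.partition(":")
    hexdigest = hexdigest.lower()
    if algo.lower() != "sha256" or not _is_sha256_hex(hexdigest):
        raise ValueError("unsupported or malformed digest: %r" % value)
    return hexdigest

def sha256_stream(stream, chunk=1 << 16):
    """Hash a binary stream in chunks so large assets are not loaded into memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(stream, name, table):
    """Return True only if `name` is listed and the stream's hash matches it."""
    expected = table.get(name)
    if expected is None:
        return False  # fail closed: an unlisted asset is never treated as verified
    return hmac.compare_digest(sha256_stream(stream), expected)

# Constructed sample data (not a real release asset or a real checksum file).
ASSET_NAME = "example-tool-linux-amd64"
ASSET_BYTES = b"constructed sample bytes, not a real binary\n"
GOOD = hashlib.sha256(ASSET_BYTES).hexdigest()
CHECKSUMS_TXT = GOOD + "  " + ASSET_NAME + "\n"

if __name__ == "__main__":
    table = parse_checksums(CHECKSUMS_TXT)
    print("listed asset ok:", verify(io.BytesIO(ASSET_BYTES), ASSET_NAME, table))
    print("tampered asset ok:", verify(io.BytesIO(ASSET_BYTES + b"x"), ASSET_NAME, table))
```

A checksum published next to the asset detects corruption and mismatched downloads; it does not by itself authenticate the publisher, since both come from the same release.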