
sec(ci): verify golang-migrate tarball sha256 before install#537

Open
cristim wants to merge 1 commit into feat/multicloud-web-frontend from sec/ci-migrate-verify

Conversation

Member

@cristim cristim commented May 20, 2026

Summary

  • Replace the unverified curl -L ... | tar xvz pipe in all three Install golang-migrate steps (AWS, GCP, Azure jobs) with a two-step download + sha256 checksum verification before extraction.
  • The expected sha256 (26c53c9...) is sourced from the official sha256sum.txt published alongside the golang-migrate v4.17.0 GitHub Release.
  • set -euo pipefail + sha256sum --check --strict ensures the step aborts immediately on a mismatch; a tampered tarball cannot silently execute.

Closes #434

Test plan

  • Confirm sha256sum --check --strict works on ubuntu-latest (it ships with coreutils)
  • Manually verify the expected sha256 matches migrate.linux-amd64.tar.gz from the v4.17.0 release: curl -fsSL https://github.com/golang-migrate/migrate/releases/download/v4.17.0/sha256sum.txt | grep linux-amd64.tar.gz
  • Confirm the workflow still installs migrate to /usr/local/bin and it is executable

Summary by CodeRabbit

  • Chores
    • Enhanced database migration workflow with improved security verification and error handling for golang-migrate binary installation across all cloud providers.

Review Change Stack

Replace the unverified `curl | tar` pipe with a two-step download + sha256
verification before extraction. The official sha256sum.txt published with
the v4.17.0 release is used as the source of truth. `set -euo pipefail`
ensures the step aborts immediately if the checksum check fails.

Closes #434
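The download, verify, extract and install sequence described above, as an added bash example rather than the PR's own workflow code. It keeps the PR's mechanics (`set -euo pipefail`, `sha256sum --check --strict`, extraction only after a successful check, then `install`) but runs offline: `make_fixture_tarball` builds a constructed stand-in for migrate.linux-amd64.tar.gz, the pinned digest is computed from that fixture instead of being read from the release's sha256sum.txt, and `install_migrate` writes to a caller-supplied directory instead of `sudo install` to /usr/local/bin. All function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code. Mirrors the pattern the PR
# describes: download to a temp file, sha256sum --check --strict against a
# pinned digest, extract only on success, then install. Runs offline against a
# constructed fixture tarball; the function names are this example's own.
set -euo pipefail

# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Extracts TARBALL into DESTDIR only if its sha256 matches EXPECTED_SHA256.
# On a mismatch it returns 1 and DESTDIR is not even created, so a later
# install step has nothing to pick up from a tampered archive.
verify_and_extract() {
  local tarball="$1" expected="$2" destdir="$3"
  # sha256sum --check reads "<hex>  <path>" lines (two spaces). --strict turns
  # an improperly formatted line into a failure instead of a warning, and
  # --status keeps it quiet; the exit code is what matters here.
  if ! printf '%s  %s\n' "$expected" "$tarball" | sha256sum --check --strict --status; then
    echo "sha256 mismatch for $tarball; refusing to extract" >&2
    return 1
  fi
  mkdir -p "$destdir"
  tar -xzf "$tarball" -C "$destdir"
}

# install_migrate DESTDIR BINDIR
# The CI step would run `sudo install -m 0755 ... /usr/local/bin/migrate`;
# here BINDIR is caller-supplied so the example needs no privileges.
install_migrate() {
  local destdir="$1" bindir="$2"
  mkdir -p "$bindir"
  install -m 0755 "$destdir/migrate" "$bindir/migrate"
  rm -rf "$destdir"                      # clean up the extraction directory
}

# make_fixture_tarball: a constructed stand-in for migrate.linux-amd64.tar.gz
# (a tiny tar.gz holding a fake "migrate" script) so the demo runs offline.
# Prints the tarball path.
make_fixture_tarball() {
  local work
  work="$(mktemp -d)"
  printf '#!/bin/sh\necho "migrate fixture"\n' > "$work/migrate"
  chmod +x "$work/migrate"
  tar -czf "$work/migrate.linux-amd64.tar.gz" -C "$work" migrate
  echo "$work/migrate.linux-amd64.tar.gz"
}

# sha256_of FILE: stands in for the pinned MIGRATE_SHA256. In CI the value
# comes from the release's published sha256sum.txt, never from the download.
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# demo: the pinned digest admits the pristine tarball and rejects the same
# tarball after a single appended byte. Returns 0 if both outcomes hold.
demo() {
  local tarball pinned out
  tarball="$(make_fixture_tarball)"
  pinned="$(sha256_of "$tarball")"
  out="$(mktemp -d)"

  verify_and_extract "$tarball" "$pinned" "$out/stage"
  install_migrate "$out/stage" "$out/bin"
  [ -x "$out/bin/migrate" ] || return 1
  echo "pristine tarball: verified, extracted, installed to $out/bin/migrate"

  printf 'x' >> "$tarball"               # simulate an altered download
  if verify_and_extract "$tarball" "$pinned" "$out/tampered"; then
    echo "BUG: tampered tarball accepted" >&2
    return 1
  fi
  [ ! -e "$out/tampered" ] || return 1
  echo "tampered tarball: rejected before extraction"
}

demo
```

The order of operations is the point: the archive is fully on disk and checked before `tar` ever reads it, which is what the `curl | tar` pipe could not offer, since tar starts extracting the first blocks before the last ones have arrived. Under `set -e` a non-zero return from `verify_and_extract` would end a workflow `run:` step at that line.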
@cristim cristim added triaged Item has been triaged priority/p2 Backlog-worthy severity/medium Moderate harm urgency/this-sprint Within the current sprint impact/internal Team-internal only effort/xs Trivial / one-liner type/security Security finding labels May 20, 2026

coderabbitai Bot commented May 20, 2026

📝 Walkthrough

The workflow file .github/workflows/database-migration.yml updates golang-migrate installation across three cloud provider jobs (AWS, GCP, Azure) to download the binary with pinned version and SHA-256 checksum verification instead of unsecured direct piping from curl to tar.

Changes

golang-migrate Download Security Hardening

  • Layer: Add SHA256 checksum verification to all provider jobs
  • File(s): .github/workflows/database-migration.yml
  • Summary: AWS, GCP, and Azure jobs each now pin MIGRATE_VERSION and MIGRATE_SHA256, download the tarball to a temporary file, verify the checksum strictly before extraction, and install via sudo install with cleanup. Shell safety flags set -euo pipefail are added to each block, replacing the prior unsecured curl-to-tar pipeline.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

priority/p0, severity/high, urgency/now

Poem

🐰 A rabbit hops through CI with care,
No more blind downloads through the air!
SHA checksums now guard the way,
golang-migrate verified each day.
Security hopping, strong and true! ✓

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main security change: adding SHA-256 verification before installing golang-migrate, which directly addresses the PR's core objective.
  • Linked Issues check: Passed. All coding requirements from issue #434 are met: SHA-256 checksum verification is implemented, the tarball is verified before extraction, and proper error handling with set -euo pipefail is included.
  • Out of Scope Changes check: Passed. All changes are directly scoped to the three golang-migrate installation steps in .github/workflows/database-migration.yml with no extraneous modifications.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Member Author

cristim commented May 20, 2026

@coderabbitai review


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Member Author

cristim commented May 20, 2026

@coderabbitai review


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/database-migration.yml (1)

147-157: ⚖️ Poor tradeoff

Consider extracting the golang-migrate installation into a composite action or using go install for better maintainability.

The installation logic is duplicated identically across all three cloud provider jobs (AWS, GCP, Azure). While the current approach significantly improves security, the duplication creates a maintenance burden—any version bump or checksum update must be applied in three places.

Two alternatives to consider:

  1. Extract to a composite action: Create .github/actions/install-golang-migrate/action.yml that accepts version and SHA256 as inputs, reducing duplication and centralizing the installation logic.

  2. Use go install (preferred): As suggested in issue #434, install via a pinned Go module eliminates tarball/checksum management entirely:

    - name: Install golang-migrate
      run: |
        go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@v4.17.0

    This leverages Go's module checksums (go.sum) for integrity verification and is already used elsewhere in your CI.

Also applies to: 226-236, 295-305

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/database-migration.yml around lines 147 - 157, The
golang-migrate install block (env MIGRATE_VERSION / MIGRATE_SHA256 and the run:
curl|sha256sum|tar|sudo install sequence) is duplicated across provider jobs;
replace it by either (A) extracting that logic into a composite action (e.g.,
.github/actions/install-golang-migrate/action.yml) that accepts MIGRATE_VERSION
and MIGRATE_SHA256 inputs and performs the curl/verify/install steps, then call
that action from each job; or (B, preferred) remove the tarball steps and
replace the run block with a go install invocation that pins the module (e.g.,
go install -tags 'postgres'
github.com/golang-migrate/migrate/v4/cmd/migrate@${MIGRATE_VERSION}) so CI
relies on Go module checksums instead of manual tarball download; update the
three occurrences (the run blocks referenced) accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3e514ebd-e240-411f-9558-8512c96a3c66

📥 Commits

Reviewing files that changed from the base of the PR and between b1ea4b1 and 1b494d4.

📒 Files selected for processing (1)
  • .github/workflows/database-migration.yml
