
Commit 877eca6

fix(ci): pin sfw download tag, swap SOCKET_API_TOKEN secret (#1252)
* fix(ci): pin sfw download to tagged version, fix checksum drift The sfw / sfw-free downloads fetched releases/latest at runtime but verified against hardcoded SHA256s in the same file. Any upstream release immediately broke every consumer because the downloaded bytes no longer matched the pinned checksum. Backporting the socket-registry fix (1ab0cfbf) to v1.x. Fix: - Introduce SFW_FREE_VERSION / SFW_ENTERPRISE_VERSION env vars at the top of each download step. Same value today (1.7.2) but the two tracks can diverge independently. Bumping a tool requires updating the matching version AND every platform's SHA256 in the same commit. - Switch from gh api repos/.../releases/latest to gh api repos/.../releases/tags/v${SFW_VERSION} so the download path is pinned to the same tag the checksums reference. A new upstream release can no longer break CI. - Guard against an empty DOWNLOAD_URL (asset missing from the pinned tag) with a clear error instead of silently piping curl nothing. - Refresh all SHA256s (5 platforms x 2 tracks: sfw-free and firewall-release enterprise) to the v1.7.2 bytes. Applied to all three workflows on v1.x (inlined, not shared): - .github/workflows/ci.yml (3 identical blocks) - .github/workflows/provenance.yml (1 block) - .github/workflows/e2e-tests.yml (1 block, free-only) The duplication is intentional on v1.x to avoid coupling to reusable workflow changes. * chore(ci): swap SOCKET_CLI_API_TOKEN secret ref to SOCKET_API_TOKEN Repo-level secret renamed to SOCKET_API_TOKEN. Only the secrets.* reference changes — the env var name the CLI reads (SOCKET_CLI_API_TOKEN) stays the same.
1 parent 5079c96 commit 877eca6

3 files changed

Lines changed: 113 additions & 56 deletions


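--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -119,40 +119,52 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 SOCKET_API_KEY: ${{ secrets.SOCKET_API_KEY }} # zizmor: ignore[secrets-outside-env]
 run: | # zizmor: ignore[github-env]
+# Pinned version + per-platform checksum pairs. Bumping a tool
+# requires updating the matching version AND every platform's
+# SHA256 in the same commit, otherwise the download / verify
+# steps will diverge.
+SFW_FREE_VERSION="1.7.2"
+SFW_ENTERPRISE_VERSION="1.7.2"
 SFW_DIR="${RUNNER_TEMP:-/tmp}/sfw-bin"
 KERNEL="$(uname -s | cut -d- -f1)"
 ARCH="$(uname -m)"
 USE_ENTERPRISE=false
 [ -n "$SOCKET_API_KEY" ] && USE_ENTERPRISE=true
 if [ "$USE_ENTERPRISE" = "true" ]; then
 REPO="SocketDev/firewall-release"
+SFW_VERSION="$SFW_ENTERPRISE_VERSION"
 case "${KERNEL}-${ARCH}" in
-Linux-x86_64) ASSET="sfw-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="9115b4ca8021eb173eb9e9c3627deb7f1066f8debd48c5c9d9f3caabb2a26a4b" ;;
-Linux-aarch64) ASSET="sfw-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="671270231617142404a1564e52672f79b806f9df3f232fcc7606329c0246da55" ;;
-Darwin-x86_64) ASSET="sfw-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="01d64d40effda35c31f8d8ee1fed1388aac0a11aba40d47fba8a36024b77500c" ;;
-Darwin-arm64) ASSET="sfw-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="acad0b517601bb7408e2e611c9226f47dcccbd83333d7fc5157f1d32ed2b953d" ;;
-MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="9a50e1ddaf038138c3f85418dc5df0113bbe6fc884f5abe158beaa9aea18d70a" ;;
+Linux-x86_64) ASSET="sfw-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4482b52e6367bd4610519bfd57a104d5907ec87d5399142ed3bb3d222de1f33d" ;;
+Linux-aarch64) ASSET="sfw-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="c24a79c27e1a01a59b7a160c165930ae029816c72b141fcfcdb2f73e0774898a" ;;
+Darwin-x86_64) ASSET="sfw-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="da252d2a9a5d0edb271bb771e0d01b9cd6fa1635b6d765f61efd61edb6739f12" ;;
+Darwin-arm64) ASSET="sfw-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="b1cdc3bdbd2a3161247bd5cc215eb3c44a90b87fe0b800a33889a14f61bb0d6d" ;;
+MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="e52ad806a1c41b440f04098eb1c7e407845f03f5740a6a79006ba6fd172056ec" ;;
 *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
 esac
 else
 REPO="SocketDev/sfw-free"
+SFW_VERSION="$SFW_FREE_VERSION"
 case "${KERNEL}-${ARCH}" in
-Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4a1e8b65e90fce7d5fd066cf0af6c93d512065fa4222a475c8d959a6bc14b9ff" ;;
-Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="df2eedb2daf2572eee047adb8bfd81c9069edcb200fc7d3710fca98ec3ca81a1" ;;
-Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="724ccea19d847b79db8cc8e38f5f18ce2dd32336007f42b11bed7d2e5f4a2566" ;;
-Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="bf1616fc44ac49f1cb2067fedfa127a3ae65d6ec6d634efbb3098cfa355e5555" ;;
-MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="c953e62ad7928d4d8f2302f5737884ea1a757babc26bed6a42b9b6b68a5d54af" ;;
+Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="93e2d9dfa244b82a74e014dc26b1c6af18b4adec20f35254378943db5fe91411" ;;
+Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="84a045e4e1bb320cc5c0d3929f02e53f199398b5be0637e8846d02d9ef0027b1" ;;
+Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="a5427d479d440f08e3789fa191ba57599be64997196daf42e67d964fec0382b4" ;;
+Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="248fb588e1e1a27e7192f7b079f739fc29a9de61f0bad7e90928363022dc5643" ;;
+MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="6d333b4cac9d7c5712e2e99677ca634ac8a3020d550c6308312c60bea97f0a28" ;;
 *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
 esac
 fi
 if [ ! -x "$SFW_BIN" ]; then
 mkdir -p "$SFW_DIR"
-DOWNLOAD_URL="$(gh api "repos/${REPO}/releases/latest" \
+DOWNLOAD_URL="$(gh api "repos/${REPO}/releases/tags/v${SFW_VERSION}" \
 --jq ".assets[] | select(.name == \"$ASSET\") | .browser_download_url")"
+if [ -z "$DOWNLOAD_URL" ]; then
+echo "Asset ${ASSET} not found in ${REPO}@v${SFW_VERSION}" >&2
+exit 1
+fi
 curl -fsSL -o "$SFW_BIN" "$DOWNLOAD_URL"
 ACTUAL_SHA256="$( (sha256sum "$SFW_BIN" 2>/dev/null || shasum -a 256 "$SFW_BIN") | cut -d' ' -f1 | tr -d '\\')"
 if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
-echo "Checksum mismatch for ${ASSET}!" >&2
+echo "Checksum mismatch for ${ASSET} (${REPO}@v${SFW_VERSION})!" >&2
 echo " Expected: ${EXPECTED_SHA256}" >&2
 echo " Actual: ${ACTUAL_SHA256}" >&2
 rm -f "$SFW_BIN"
@@ -283,40 +295,52 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 SOCKET_API_KEY: ${{ secrets.SOCKET_API_KEY }} # zizmor: ignore[secrets-outside-env]
 run: | # zizmor: ignore[github-env]
+# Pinned version + per-platform checksum pairs. Bumping a tool
+# requires updating the matching version AND every platform's
+# SHA256 in the same commit, otherwise the download / verify
+# steps will diverge.
+SFW_FREE_VERSION="1.7.2"
+SFW_ENTERPRISE_VERSION="1.7.2"
 SFW_DIR="${RUNNER_TEMP:-/tmp}/sfw-bin"
 KERNEL="$(uname -s | cut -d- -f1)"
 ARCH="$(uname -m)"
 USE_ENTERPRISE=false
 [ -n "$SOCKET_API_KEY" ] && USE_ENTERPRISE=true
 if [ "$USE_ENTERPRISE" = "true" ]; then
 REPO="SocketDev/firewall-release"
+SFW_VERSION="$SFW_ENTERPRISE_VERSION"
 case "${KERNEL}-${ARCH}" in
-Linux-x86_64) ASSET="sfw-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="9115b4ca8021eb173eb9e9c3627deb7f1066f8debd48c5c9d9f3caabb2a26a4b" ;;
-Linux-aarch64) ASSET="sfw-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="671270231617142404a1564e52672f79b806f9df3f232fcc7606329c0246da55" ;;
-Darwin-x86_64) ASSET="sfw-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="01d64d40effda35c31f8d8ee1fed1388aac0a11aba40d47fba8a36024b77500c" ;;
-Darwin-arm64) ASSET="sfw-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="acad0b517601bb7408e2e611c9226f47dcccbd83333d7fc5157f1d32ed2b953d" ;;
-MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="9a50e1ddaf038138c3f85418dc5df0113bbe6fc884f5abe158beaa9aea18d70a" ;;
+Linux-x86_64) ASSET="sfw-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4482b52e6367bd4610519bfd57a104d5907ec87d5399142ed3bb3d222de1f33d" ;;
+Linux-aarch64) ASSET="sfw-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="c24a79c27e1a01a59b7a160c165930ae029816c72b141fcfcdb2f73e0774898a" ;;
+Darwin-x86_64) ASSET="sfw-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="da252d2a9a5d0edb271bb771e0d01b9cd6fa1635b6d765f61efd61edb6739f12" ;;
+Darwin-arm64) ASSET="sfw-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="b1cdc3bdbd2a3161247bd5cc215eb3c44a90b87fe0b800a33889a14f61bb0d6d" ;;
+MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="e52ad806a1c41b440f04098eb1c7e407845f03f5740a6a79006ba6fd172056ec" ;;
 *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
 esac
 else
 REPO="SocketDev/sfw-free"
+SFW_VERSION="$SFW_FREE_VERSION"
 case "${KERNEL}-${ARCH}" in
-Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4a1e8b65e90fce7d5fd066cf0af6c93d512065fa4222a475c8d959a6bc14b9ff" ;;
-Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="df2eedb2daf2572eee047adb8bfd81c9069edcb200fc7d3710fca98ec3ca81a1" ;;
-Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="724ccea19d847b79db8cc8e38f5f18ce2dd32336007f42b11bed7d2e5f4a2566" ;;
-Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="bf1616fc44ac49f1cb2067fedfa127a3ae65d6ec6d634efbb3098cfa355e5555" ;;
-MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="c953e62ad7928d4d8f2302f5737884ea1a757babc26bed6a42b9b6b68a5d54af" ;;
+Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="93e2d9dfa244b82a74e014dc26b1c6af18b4adec20f35254378943db5fe91411" ;;
+Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="84a045e4e1bb320cc5c0d3929f02e53f199398b5be0637e8846d02d9ef0027b1" ;;
+Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="a5427d479d440f08e3789fa191ba57599be64997196daf42e67d964fec0382b4" ;;
+Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="248fb588e1e1a27e7192f7b079f739fc29a9de61f0bad7e90928363022dc5643" ;;
+MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="6d333b4cac9d7c5712e2e99677ca634ac8a3020d550c6308312c60bea97f0a28" ;;
 *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
 esac
 fi
 if [ ! -x "$SFW_BIN" ]; then
 mkdir -p "$SFW_DIR"
-DOWNLOAD_URL="$(gh api "repos/${REPO}/releases/latest" \
+DOWNLOAD_URL="$(gh api "repos/${REPO}/releases/tags/v${SFW_VERSION}" \
 --jq ".assets[] | select(.name == \"$ASSET\") | .browser_download_url")"
+if [ -z "$DOWNLOAD_URL" ]; then
+echo "Asset ${ASSET} not found in ${REPO}@v${SFW_VERSION}" >&2
+exit 1
+fi
 curl -fsSL -o "$SFW_BIN" "$DOWNLOAD_URL"
 ACTUAL_SHA256="$( (sha256sum "$SFW_BIN" 2>/dev/null || shasum -a 256 "$SFW_BIN") | cut -d' ' -f1 | tr -d '\\')"
 if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
-echo "Checksum mismatch for ${ASSET}!" >&2
+echo "Checksum mismatch for ${ASSET} (${REPO}@v${SFW_VERSION})!" >&2
 echo " Expected: ${EXPECTED_SHA256}" >&2
 echo " Actual: ${ACTUAL_SHA256}" >&2
 rm -f "$SFW_BIN"
@@ -452,40 +476,52 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 SOCKET_API_KEY: ${{ secrets.SOCKET_API_KEY }} # zizmor: ignore[secrets-outside-env]
 run: | # zizmor: ignore[github-env]
+# Pinned version + per-platform checksum pairs. Bumping a tool
+# requires updating the matching version AND every platform's
+# SHA256 in the same commit, otherwise the download / verify
+# steps will diverge.
+SFW_FREE_VERSION="1.7.2"
+SFW_ENTERPRISE_VERSION="1.7.2"
 SFW_DIR="${RUNNER_TEMP:-/tmp}/sfw-bin"
 KERNEL="$(uname -s | cut -d- -f1)"
 ARCH="$(uname -m)"
 USE_ENTERPRISE=false
 [ -n "$SOCKET_API_KEY" ] && USE_ENTERPRISE=true
 if [ "$USE_ENTERPRISE" = "true" ]; then
 REPO="SocketDev/firewall-release"
+SFW_VERSION="$SFW_ENTERPRISE_VERSION"
 case "${KERNEL}-${ARCH}" in
-Linux-x86_64) ASSET="sfw-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="9115b4ca8021eb173eb9e9c3627deb7f1066f8debd48c5c9d9f3caabb2a26a4b" ;;
-Linux-aarch64) ASSET="sfw-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="671270231617142404a1564e52672f79b806f9df3f232fcc7606329c0246da55" ;;
-Darwin-x86_64) ASSET="sfw-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="01d64d40effda35c31f8d8ee1fed1388aac0a11aba40d47fba8a36024b77500c" ;;
-Darwin-arm64) ASSET="sfw-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="acad0b517601bb7408e2e611c9226f47dcccbd83333d7fc5157f1d32ed2b953d" ;;
-MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="9a50e1ddaf038138c3f85418dc5df0113bbe6fc884f5abe158beaa9aea18d70a" ;;
+Linux-x86_64) ASSET="sfw-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4482b52e6367bd4610519bfd57a104d5907ec87d5399142ed3bb3d222de1f33d" ;;
+Linux-aarch64) ASSET="sfw-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="c24a79c27e1a01a59b7a160c165930ae029816c72b141fcfcdb2f73e0774898a" ;;
+Darwin-x86_64) ASSET="sfw-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="da252d2a9a5d0edb271bb771e0d01b9cd6fa1635b6d765f61efd61edb6739f12" ;;
+Darwin-arm64) ASSET="sfw-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="b1cdc3bdbd2a3161247bd5cc215eb3c44a90b87fe0b800a33889a14f61bb0d6d" ;;
+MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="e52ad806a1c41b440f04098eb1c7e407845f03f5740a6a79006ba6fd172056ec" ;;
 *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
 esac
 else
 REPO="SocketDev/sfw-free"
+SFW_VERSION="$SFW_FREE_VERSION"
 case "${KERNEL}-${ARCH}" in
-Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="4a1e8b65e90fce7d5fd066cf0af6c93d512065fa4222a475c8d959a6bc14b9ff" ;;
-Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="df2eedb2daf2572eee047adb8bfd81c9069edcb200fc7d3710fca98ec3ca81a1" ;;
-Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="724ccea19d847b79db8cc8e38f5f18ce2dd32336007f42b11bed7d2e5f4a2566" ;;
-Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="bf1616fc44ac49f1cb2067fedfa127a3ae65d6ec6d634efbb3098cfa355e5555" ;;
-MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="c953e62ad7928d4d8f2302f5737884ea1a757babc26bed6a42b9b6b68a5d54af" ;;
+Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="93e2d9dfa244b82a74e014dc26b1c6af18b4adec20f35254378943db5fe91411" ;;
+Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="84a045e4e1bb320cc5c0d3929f02e53f199398b5be0637e8846d02d9ef0027b1" ;;
+Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="a5427d479d440f08e3789fa191ba57599be64997196daf42e67d964fec0382b4" ;;
+Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="248fb588e1e1a27e7192f7b079f739fc29a9de61f0bad7e90928363022dc5643" ;;
+MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="6d333b4cac9d7c5712e2e99677ca634ac8a3020d550c6308312c60bea97f0a28" ;;
 *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
 esac
 fi
 if [ ! -x "$SFW_BIN" ]; then
 mkdir -p "$SFW_DIR"
-DOWNLOAD_URL="$(gh api "repos/${REPO}/releases/latest" \
+DOWNLOAD_URL="$(gh api "repos/${REPO}/releases/tags/v${SFW_VERSION}" \
 --jq ".assets[] | select(.name == \"$ASSET\") | .browser_download_url")"
+if [ -z "$DOWNLOAD_URL" ]; then
+echo "Asset ${ASSET} not found in ${REPO}@v${SFW_VERSION}" >&2
+exit 1
+fi
 curl -fsSL -o "$SFW_BIN" "$DOWNLOAD_URL"
 ACTUAL_SHA256="$( (sha256sum "$SFW_BIN" 2>/dev/null || shasum -a 256 "$SFW_BIN") | cut -d' ' -f1 | tr -d '\\')"
 if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
-echo "Checksum mismatch for ${ASSET}!" >&2
+echo "Checksum mismatch for ${ASSET} (${REPO}@v${SFW_VERSION})!" >&2
 echo " Expected: ${EXPECTED_SHA256}" >&2
 echo " Actual: ${ACTUAL_SHA256}" >&2
 rm -f "$SFW_BIN"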
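Review bot: The SHA256 comparison still runs only inside `if [ ! -x "$SFW_BIN" ]; then`, so an executable already present at `$SFW_DIR/sfw` is accepted without being checked against the newly pinned `EXPECTED_SHA256`; the same holds for all three blocks in this file (new lines 156, 332 and 513). The enterprise and free tracks also resolve to the same `SFW_BIN` path, so where `RUNNER_TEMP` survives between jobs or the `/tmp` fallback is taken, a binary from the other track or from the previous version would pass the guard unverified. I would compute `ACTUAL_SHA256` on every run, outside the download branch, and treat a mismatch on an existing file as a reason to delete and re-download rather than reuse it. A short comment above the guard, such as `# Existing binary is re-hashed below; never trust a cached copy`, would record that intent. The `if` block continues past the last visible line of each hunk, so a later re-check, if one exists, is not visible here.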
