feat(security): add SHA-256 checksums to release artifacts (B5) #57

Merged
beonde merged 1 commit into main from fix/eval-binary-checksums
Mar 27, 2026

@beonde beonde commented Mar 27, 2026

Summary

Adds SHA-256 checksum generation to the release workflow (B5 - design partner eval, part 1/3).

Changes

  • Generates checksums.txt containing SHA-256 hashes for all 4 release binaries
  • Publishes checksums.txt as a release asset alongside the binaries

Related PRs

  • capiscio-python: checksum verification in download manager (separate PR)
  • capiscio-node: checksum verification in download manager (separate PR)

Evaluation Plan

Design partner eval item B5 (P1 — Security)

- Generate checksums.txt with SHA-256 for all release binaries
- Publish checksums.txt as release asset alongside binaries
- Enables downstream SDK integrity verification
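
An added example, not part of this PR or of the capiscio SDKs: one way a downstream download manager could check a downloaded binary against the published checksums.txt, failing closed on a missing, duplicate or malformed entry. The function names and the sample bytes are assumptions constructed for illustration; only the `sha256sum` output format and the binary names come from the page.

```python
import hashlib
import hmac
import re

# One sha256sum output line: 64 hex digits, a space, a mode marker
# (' ' for text, '*' for binary), then the file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

class ChecksumError(Exception):
    """Raised when an artifact cannot be verified; callers must not run it."""

def parse_checksums(text):
    """Map file name -> lowercase hex digest; reject malformed or duplicate lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ChecksumError(f"line {lineno}: not in sha256sum format")
        digest, name = m.group(1).lower(), m.group(2)
        if name in entries:
            raise ChecksumError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries

def verify_artifact(name, data, checksums_text):
    """Return the verified digest, or raise ChecksumError (fail closed)."""
    expected = parse_checksums(checksums_text).get(name)
    if expected is None:
        raise ChecksumError(f"no checksum listed for {name}")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ChecksumError(f"SHA-256 mismatch for {name}")
    return actual

# Constructed sample: stand-in bytes for two of the release binaries.
SAMPLE_BINARIES = {
    "capiscio-linux-amd64": b"constructed linux build\n",
    "capiscio-windows-amd64.exe": b"constructed windows build\n",
}
SAMPLE_CHECKSUMS = "".join(
    f"{hashlib.sha256(blob).hexdigest()}  {name}\n"
    for name, blob in SAMPLE_BINARIES.items()
)

if __name__ == "__main__":
    for name, blob in SAMPLE_BINARIES.items():
        print(name, verify_artifact(name, blob, SAMPLE_CHECKSUMS))
```
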
Copilot AI review requested due to automatic review settings March 27, 2026 22:52

codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Copilot AI left a comment


Pull request overview

Adds SHA-256 checksum generation to the GitHub Release workflow so published CLI binaries ship with a verifiable checksums.txt asset (B5 security evaluation item).

Changes:

  • Generate checksums.txt with SHA-256 hashes for the four release binaries.
  • Upload checksums.txt alongside the release binaries.

Comment on lines +37 to +38
- name: Generate checksums
run: sha256sum capiscio-linux-amd64 capiscio-darwin-amd64 capiscio-darwin-arm64 capiscio-windows-amd64.exe > checksums.txt
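
Review bot: The `run:` line of the "Generate checksums" step hard-codes the four binary names, so a binary added to the release later would be published with no entry in checksums.txt unless this line is edited as well. Consider hashing by pattern instead, for example `sha256sum capiscio-* > checksums.txt`, so the list cannot drift from what is actually uploaded. Separately, because checksums.txt is published as a release asset alongside the binaries it describes, it lets downstream SDKs detect a corrupted or truncated download; if detecting replaced release assets is also in scope for B5, the file would need a signature or another independent source.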

Copilot AI Mar 27, 2026


The workflow is still pinning Go to 1.24.0 (both build-cli and test jobs), while go.mod requires Go 1.25.0 and CI lint/test already run on 1.25.0. This makes releases/toolchain selection inconsistent and can break builds depending on toolchain auto-download behavior. Consider updating actions/setup-go to v5 and setting go-version to 1.25.0 here as well.

@beonde beonde merged commit 68e0f96 into main Mar 27, 2026
8 checks passed
@beonde beonde deleted the fix/eval-binary-checksums branch March 27, 2026 23:02