Verify downloaded prek archives against manifest checksums #83

Merged
j178 merged 2 commits into main from stack/prek-download-checksum
Mar 15, 2026
Conversation

@j178 (Owner) commented Mar 15, 2026

Summary

  • verify downloaded prek archives against the SHA-256 digests stored in the bundled manifest
  • fail fast on checksum mismatches before extraction
  • keep semver range parsing in the next PR in the stack

Closes #61

Stack

Depends on #80.
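
The check the summary above describes (hash the downloaded archive, compare it with the digest pinned in the bundled manifest, refuse to extract on a mismatch), as an added TypeScript example. It is not the code from src/install.ts; the manifest shape, asset names and function names are assumptions.

```typescript
import { createHash } from "node:crypto";

// Assumed manifest shape (not the project's): asset file name -> pinned hex SHA-256.
type Manifest = Record<string, { sha256?: string }>;

const HEX_SHA256 = /^[0-9a-f]{64}$/;

function sha256Hex(data: Uint8Array): string {
  return createHash("sha256").update(data).digest("hex");
}

// Returns the verified digest, or throws. Fails closed: an asset with no
// pinned digest, or a malformed one, is rejected rather than skipped.
function verifyArchive(data: Uint8Array, asset: string, manifest: Manifest): string {
  const known = Object.prototype.hasOwnProperty.call(manifest, asset);
  const expected = known ? manifest[asset].sha256?.trim().toLowerCase() : undefined;
  if (!expected) throw new Error(`no SHA-256 digest pinned for ${asset}`);
  if (!HEX_SHA256.test(expected)) throw new Error(`malformed SHA-256 digest for ${asset}`);
  const actual = sha256Hex(data);
  if (actual !== expected) {
    throw new Error(`checksum mismatch for ${asset}: expected ${expected}, got ${actual}`);
  }
  return actual;
}

// Verification runs first, so `extract` never sees unverified bytes.
function installArchive(
  data: Uint8Array, asset: string, manifest: Manifest,
  extract: (verified: Uint8Array) => void,
): void {
  verifyArchive(data, asset, manifest);
  extract(data);
}

// Constructed sample: the "archive" is the bytes of "abc", whose SHA-256 is the
// well-known test vector below (stored uppercase to exercise normalization).
// Asset names are placeholders.
const SAMPLE_ASSET = "prek-example.tar.gz";
const SAMPLE_MANIFEST: Manifest = {
  [SAMPLE_ASSET]: { sha256: "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD" },
  "prek-unpinned.tar.gz": {},
};
const SAMPLE_BYTES = new TextEncoder().encode("abc");
```

An asset that is missing from the manifest, or present without a digest, is treated the same as a mismatch, so a manifest gap cannot silently disable the check.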

Copilot AI review requested due to automatic review settings March 15, 2026 12:35

Copilot AI left a comment

Pull request overview

This PR adds integrity verification for downloaded prek archives by checking their SHA-256 digest from the bundled version manifest before extraction, and updates the bundled dist/ output and documentation accordingly.

Changes:

  • Verify downloaded archives against manifest SHA-256 digests before extraction.
  • Bundle updated dist/index.js with the new verification logic.
  • Update README to mention manifest SHA-256 digests.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/install.ts | Adds SHA-256 checksum verification for downloaded archives prior to extraction. |
| dist/index.js | Regenerates the bundled action output to include the new install-time verification. |
| README.md | Updates manifest documentation to mention SHA-256 digests. |

Comment thread src/install.ts Outdated
Comment thread src/install.ts
Comment thread README.md Outdated
Comment thread src/install.ts Outdated
j178 force-pushed the stack/prek-manifest-refresh-pr branch from 6281c2d to 1e1d565 (Mar 15, 2026 12:43)
j178 force-pushed the stack/prek-download-checksum branch from d10de0c to 202ba74 (Mar 15, 2026 12:43)
j178 added the enhancement label (Mar 15, 2026)
j178 force-pushed the stack/prek-manifest-refresh-pr branch from 0fd300a to de011c0 (Mar 15, 2026 12:58)
Base automatically changed from stack/prek-manifest-refresh-pr to main (Mar 15, 2026 13:18)
j178 force-pushed the stack/prek-download-checksum branch from 202ba74 to 6f5da20 (Mar 15, 2026 13:22)
j178 merged commit 5eb39e0 into main (Mar 15, 2026); 9 checks passed
j178 deleted the stack/prek-download-checksum branch (Mar 15, 2026 13:26)
j178 added a commit that referenced this pull request Mar 15, 2026
## Summary
- add semver range resolution for the prek-version input from the
bundled manifest
- document semver usage in the action inputs and README
- add unit and CI coverage for semver range resolution

## Stack
Depends on #83.
Development

Successfully merging this pull request may close these issues.

Add checksum verification for downloaded prek binary

2 participants