Add warning for disabling checksum

This commit is contained in:
Taiki Endo
2026-04-04 22:20:07 +09:00
parent 3f315c966f
commit bdc2e2796d
3 changed files with 7 additions and 4 deletions

@@ -23,7 +23,7 @@ GitHub Action for installing development tools (mainly from GitHub Releases).
| Name | Required | Description | Type | Default |
| ---- | :------: | ----------- | ---- | ------- |
| tool | **✓** | Tools to install (whitespace or comma separated list) | String | |
| checksum | | Whether to enable checksums | Boolean | `true` |
| checksum | | Whether to enable checksums (strongly discouraged to disable) | Boolean | `true` |
### Example workflow
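Review bot: the parenthetical "(strongly discouraged to disable)" on the new `checksum` row reads awkwardly; "(disabling this is strongly discouraged)" is clearer. Since the README text later in this commit states that disabling the checksum also disables artifact attestation and signature verification, the table description would be more useful if it said so directly, e.g. "Whether to enable checksums (disabling this is strongly discouraged and also disables attestation/signature verification)".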
@@ -108,7 +108,7 @@ When installing the tool from GitHub Releases, the tool version that install-act
When installing the tool from GitHub Releases, this action will download the tool or its installer from GitHub Releases using HTTPS with tlsv1.2+. This is basically considered to be the same level of security as [the recommended installation of rustup](https://www.rust-lang.org/tools/install).
Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false`.
Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false` (strongly discouraged to disable).
Additionally, we also verify [artifact attestations](https://docs.github.com/en/actions/concepts/security/artifact-attestations) or signature if the tool publishes artifact attestations or distributes signed archives. Verification is done at the stage of getting the checksum, so disabling the checksum will also disable verification.
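Review bot: the added parenthetical is placed right before the paragraph that already explains the real cost of `checksum: false` (attestation and signature verification are skipped as well), so the two should be tied together rather than left as a bare "strongly discouraged". Suggest "... setting the `checksum` input option to `false`. Disabling this is strongly discouraged: as described below, it also disables artifact attestation and signature verification." and use the same wording in the table and in action.yml so all three stay consistent.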

@@ -7,7 +7,7 @@ inputs:
required: true
# default: #publish:tool
checksum:
description: Whether to enable checksums
description: Whether to enable checksums (strongly discouraged to disable)
required: false
default: 'true'
fallback:
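Review bot: the `description` here is the text users see in the action's input listing, so it should carry the same grammatically corrected phrasing as the README ("disabling this is strongly discouraged") rather than "strongly discouraged to disable"; whichever wording is chosen, keep the three copies (README table, README text, action.yml) identical.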

@@ -597,7 +597,10 @@ fi
enable_checksum="${INPUT_CHECKSUM:-}"
case "${enable_checksum}" in
true) ;;
false) enable_checksum='' ;;
false)
enable_checksum=''
warn "checksums have been disabled by 'checksum' input option; this is strongly discouraged for security reasons"
;;
*) bail "'checksum' input option must be 'true' or 'false': '${enable_checksum}'" ;;
esac
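Review bot: the runtime warning says only "strongly discouraged for security reasons", while the README in this same commit states that disabling the checksum also disables artifact attestation and signature verification; the message in the `false)` branch should say that concretely so the person reading the job log knows what protection was lost, e.g. `warn "checksums have been disabled by 'checksum' input option; this also disables attestation/signature verification and is strongly discouraged"`. If `warn` does not already emit a `::warning::` workflow command, consider doing so here so the notice surfaces in the workflow summary and not only in the step log.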