From bdc2e2796d4474434875b97b2dcc2a5716fc2677 Mon Sep 17 00:00:00 2001 From: Taiki Endo Date: Sat, 4 Apr 2026 22:20:07 +0900 Subject: [PATCH] Add warning for disabling checksum --- README.md | 4 ++-- action.yml | 2 +- main.sh | 5 ++++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 02a750ee..dab67d72 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ GitHub Action for installing development tools (mainly from GitHub Releases). | Name | Required | Description | Type | Default | | ---- | :------: | ----------- | ---- | ------- | | tool | **✓** | Tools to install (whitespace or comma separated list) | String | | -| checksum | | Whether to enable checksums | Boolean | `true` | +| checksum | | Whether to enable checksums (strongly discouraged to disable) | Boolean | `true` | ### Example workflow 
@@ -108,7 +108,7 @@ When installing the tool from GitHub Releases, the tool version that install-act When installing the tool from GitHub Releases, this action will download the tool or its installer from GitHub Releases using HTTPS with tlsv1.2+. This is basically considered to be the same level of security as [the recommended installation of rustup](https://www.rust-lang.org/tools/install). -Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false`. +Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false` (strongly discouraged to disable). Additionally, we also verify [artifact attestations](https://docs.github.com/en/actions/concepts/security/artifact-attestations) or signature if the tool publishes artifact attestations or distributes signed archives. Verification is done at the stage of getting the checksum, so disabling the checksum will also disable verification. diff --git a/action.yml b/action.yml index 9b28817f..1632a5b3 100644 --- a/action.yml +++ b/action.yml @@ -7,7 +7,7 @@ inputs: required: true # default: #publish:tool checksum: - description: Whether to enable checksums + description: Whether to enable checksums (strongly discouraged to disable) required: false default: 'true' fallback: diff --git a/main.sh b/main.sh index 59221380..a4434ede 100755 --- a/main.sh +++ b/main.sh 
@@ -597,7 +597,10 @@ fi enable_checksum="${INPUT_CHECKSUM:-}" case "${enable_checksum}" in true) ;; - false) enable_checksum='' ;; + false) + enable_checksum='' + warn "checksums have been disabled by 'checksum' input option; this is strongly discouraged for security reasons" + ;; *) bail "'checksum' input option must be 'true' or 'false': '${enable_checksum}'" ;; esac
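Review bot: In the README input-table hunk, the parenthetical "(strongly discouraged to disable)" is awkward English; prefer "disabling is strongly discouraged". The table entry also says nothing about the fact that turning off `checksum` turns off artifact attestation and signature verification as well, which the security section of the same README states explicitly, so a reader of the table alone underestimates what they are giving up. Consider: `| checksum | | Whether to verify checksums (and attestations/signatures where available); disabling is strongly discouraged | Boolean | \`true\` |`.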
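Review bot: In the README security-section hunk, the new warning is attached to the sentence before the one that explains the actual consequence (verification is done at the stage of getting the checksum, so attestation and signature verification is disabled too). Either move the warning after that explanation or fold the two together, e.g. "... can be disabled by setting the `checksum` input option to `false`. This also disables artifact attestation and signature verification and is strongly discouraged." As written, the justification for the warning comes two sentences after the warning itself.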
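Review bot: In the action.yml hunk, the `description` string copies the same "(strongly discouraged to disable)" phrasing and should be aligned with whatever wording the README table settles on, using the same grammatical form ("disabling is strongly discouraged"). Since this description is the user-facing documentation of the input, it is also the place to state that attestation/signature verification is skipped when the option is `false`, so that the three places touched by this patch (table, security section, action metadata) say the same thing.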
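Review bot: In the main.sh hunk, the new `warn` message tells the user checksums are off but not that artifact attestation and signature verification are skipped as well, which the README hunk in this same patch states is a consequence of disabling `checksum`. Suggest extending the message so the runtime warning matches the documentation, e.g. `warn "checksums have been disabled by 'checksum' input option; this also disables artifact attestation/signature verification and is strongly discouraged for security reasons"`. The `false)` arm is the right place for it: the default from action.yml is `'true'`, and any other value still hits `bail`, so the warning fires exactly when the user has opted out explicitly.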