taiki-e/install-action
1
0
Fork 0
mirror of https://github.com/taiki-e/install-action.git synced 2026-04-08 18:05:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add warning for disabling checksum

Browse Source
This commit is contained in:
Taiki Endo
2026-04-04 22:20:07 +09:00
parent 3f315c966f
commit bdc2e2796d
3 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -23,7 +23,7 @@ GitHub Action for installing development tools (mainly from GitHub Releases).
| Name | Required | Description | Type | Default | | Name | Required | Description | Type | Default |
| ---- | :------: | ----------- | ---- | ------- | | ---- | :------: | ----------- | ---- | ------- |
| tool | **✓** | Tools to install (whitespace or comma separated list) | String | | | tool | **✓** | Tools to install (whitespace or comma separated list) | String | |
| checksum | | Whether to enable checksums | Boolean | `true` | | checksum | | Whether to enable checksums (strongly discouraged to disable) | Boolean | `true` |
### Example workflow ### Example workflow
@@ -108,7 +108,7 @@ When installing the tool from GitHub Releases, the tool version that install-act
When installing the tool from GitHub Releases, this action will download the tool or its installer from GitHub Releases using HTTPS with tlsv1.2+. This is basically considered to be the same level of security as [the recommended installation of rustup](https://www.rust-lang.org/tools/install). When installing the tool from GitHub Releases, this action will download the tool or its installer from GitHub Releases using HTTPS with tlsv1.2+. This is basically considered to be the same level of security as [the recommended installation of rustup](https://www.rust-lang.org/tools/install).
Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false`. Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false` (strongly discouraged to disable).
Additionally, we also verify [artifact attestations](https://docs.github.com/en/actions/concepts/security/artifact-attestations) or signature if the tool publishes artifact attestations or distributes signed archives. Verification is done at the stage of getting the checksum, so disabling the checksum will also disable verification. Additionally, we also verify [artifact attestations](https://docs.github.com/en/actions/concepts/security/artifact-attestations) or signature if the tool publishes artifact attestations or distributes signed archives. Verification is done at the stage of getting the checksum, so disabling the checksum will also disable verification.

2
action.yml
View File

@@ -7,7 +7,7 @@ inputs:
required: true required: true
# default: #publish:tool # default: #publish:tool
checksum: checksum:
description: Whether to enable checksums description: Whether to enable checksums (strongly discouraged to disable)
required: false required: false
default: 'true' default: 'true'
fallback: fallback:

5
main.sh
View File

@@ -597,7 +597,10 @@ fi
enable_checksum="${INPUT_CHECKSUM:-}" enable_checksum="${INPUT_CHECKSUM:-}"
case "${enable_checksum}" in case "${enable_checksum}" in
true) ;; true) ;;
false) enable_checksum='' ;; false)
enable_checksum=''
warn "checksums have been disabled by 'checksum' input option; this is strongly discouraged for security reasons"
;;
*) bail "'checksum' input option must be 'true' or 'false': '${enable_checksum}'" ;; *) bail "'checksum' input option must be 'true' or 'false': '${enable_checksum}'" ;;
esac esac