
Add sha256 checksums to releases

Open icfaust opened this issue 8 months ago • 4 comments

Helps to try and push forward the goal of #418 and helps on uxlfoundation/oneDAL#3078. I know from the other PR there was a discussion of SLSA, and that Google may be using some sort of internal release process, so this may be in the wrong direction. This PR attempts to patch in a file to the release called checksums.txt, which creates a text file with the sha256 hashes based on GitHub releases using free GitHub runners.

I have not verified its operation. Any assistance would be greatly appreciated.

icfaust, Mar 12 '25 21:03

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot], Mar 12 '25 21:03

@fweikert Hello, please let me know whether this is useful or whether something should be changed. Thank you for your work on Bazelisk

icfaust, May 16 '25 05:05

@meteorcloudy I haven't received any response from the requested reviewer on the PR, am I doing something wrong? Let me know if there are any steps I can take to help this get reviewed

icfaust, Jun 08 '25 09:06

@fweikert is currently OOO, he'll be back in the next few days, sorry for the delay.

I'm all for enhancing the security of bazelisk, but not sure adding this github action is the best way, let's wait for Florian's opinion since he owns the bazelisk release.

meteorcloudy, Jun 10 '25 10:06

Hello @fweikert , any thoughts on including hashes with releases?

icfaust, Jul 01 '25 08:07

I like the general idea, but I'm not really familiar with the intricacies of GitHub actions.

Moreover, I don't know whether this is still necessary - I can see that GitHub generates checksums for the artifacts in https://github.com/bazelbuild/bazelisk/releases/tag/v1.27.0

fweikert, Aug 12 '25 16:08

@fweikert It looks like it was introduced after the PR was opened: https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/ and is no longer necessary.

icfaust, Aug 12 '25 22:08
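What the proposed checksums.txt step would produce for a release directory, and how a downloader checks an asset against it, as an added example that is not part of this PR or of bazelisk's own release tooling (the asset file names in the test are constructed):

```shell
#!/usr/bin/env bash
# Added example, not bazelisk project code. Assumes a directory holding the
# release assets and either sha256sum (GNU) or shasum (BSD/macOS).
set -eu

# Print "<sha256>  <name>" for one file, whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi
}

# Write checksums.txt next to the assets: one line per regular file, in the
# same "<hash>  <name>" format sha256sum -c understands. The file is written
# from inside the directory so names are bare, not paths.
generate_checksums() {
  local dir="$1" f name
  : > "$dir/checksums.txt"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    [ "$name" = checksums.txt ] && continue
    ( cd "$dir" && sha256_of "$name" ) >> "$dir/checksums.txt"
  done
}

# Consumer side: verify one downloaded asset against checksums.txt.
# Returns 0 only on an exact match. A missing entry or missing file is a
# failure, not a "nothing to check": an attacker who can drop a line from
# the list must not thereby get a free pass.
verify_asset() {
  local dir="$1" name="$2" expected actual
  [ -f "$dir/$name" ] || { echo "asset $name not found" >&2; return 1; }
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$dir/checksums.txt")
  [ -n "$expected" ] || { echo "no checksum recorded for $name" >&2; return 1; }
  actual=$( (cd "$dir" && sha256_of "$name") | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}
```

Whether the published value comes from a workflow step like the one proposed here or from the digests GitHub now attaches to release assets, the consumer-side check is the same: compare against the published hash and refuse the asset on any mismatch.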