
Commit a87b697

ci: gh sha print
1 parent d007635 commit a87b697

6 files changed

Lines changed: 36 additions & 4 deletions


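--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -43,7 +43,8 @@ jobs:
 VERSION="nightly-$(date -u +%Y-%m-%d)"
 PKG="github.com/NodeOps-app/createos-cli/internal/pkg/version"
 CFG="github.com/NodeOps-app/createos-cli/internal/config"
-LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=nightly -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
+COMMIT="${{ github.sha }}"
+LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=nightly -X ${PKG}.Commit=${COMMIT} -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
 
 if [ "${{ matrix.goos }}" = "windows" ]; then
 BINARY="createos-${{ matrix.goos }}-${{ matrix.goarch }}.exe"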
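Review bot: The added `COMMIT="${{ github.sha }}"` line pastes an Actions expression directly into what appears to be the step's shell script, the same pattern the neighbouring lines use for `secrets.OAUTH_CLIENT_ID` and `matrix.goos`. A commit SHA is hex-only, so this value is harmless, but the runner already exports it and `COMMIT="${GITHUB_SHA}"` gives the same result without template expansion inside the script. The identical hunk in .github/workflows/release.yaml carries the same line, and there the context line `VERSION="${{ github.ref_name }}"` expands a ref name chosen by whoever pushes the tag. Passing such values through the step's `env:` and reading them as shell variables keeps them out of the script source. The enclosing step starts and ends outside the hunk.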

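--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -43,7 +43,8 @@ jobs:
 VERSION="${{ github.ref_name }}"
 PKG="github.com/NodeOps-app/createos-cli/internal/pkg/version"
 CFG="github.com/NodeOps-app/createos-cli/internal/config"
-LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=stable -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
+COMMIT="${{ github.sha }}"
+LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=stable -X ${PKG}.Commit=${COMMIT} -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
 
 if [ "${{ matrix.goos }}" = "windows" ]; then
 BINARY="createos-${{ matrix.goos }}-${{ matrix.goarch }}.exe"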

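--- a/cmd/oauth/helpers.go
+++ b/cmd/oauth/helpers.go
@@ -97,6 +97,9 @@ func validateURI(value string) error {
 if err != nil || parsed.Scheme == "" {
 return fmt.Errorf("please enter a valid absolute URI")
 }
+if parsed.Scheme != "http" && parsed.Scheme != "https" {
+return fmt.Errorf("redirect URI must use http or https (got %q)", parsed.Scheme)
+}
 return nil
 }
 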
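Review bot: The new scheme check in validateURI still accepts an http(s) URI with no host, for example the constructed inputs `https:///callback` or `http:callback`, because only `parsed.Scheme` is inspected. Add `if parsed.Host == "" { return fmt.Errorf("redirect URI must include a host") }` after the scheme check. Since the error text says this validates redirect URIs, it is also worth rejecting a non-empty `parsed.Fragment`, which RFC 6749 section 3.1.2 does not allow in a redirection endpoint. The function begins above the hunk, so any earlier normalisation of `value` is not visible here.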

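--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -2,9 +2,12 @@
 package version
 
 import (
+"fmt"
+
 "github.com/urfave/cli/v2"
 
 "github.com/NodeOps-app/createos-cli/internal/intro"
+"github.com/NodeOps-app/createos-cli/internal/pkg/version"
 )
 
 // NewVersionCommand creates the version command.
@@ -14,6 +17,7 @@ func NewVersionCommand() *cli.Command {
 Usage: "Print the current version",
 Action: func(_ *cli.Context) error {
 intro.Show()
+fmt.Printf(" Version: %s\n Channel: %s\n Commit: %s\n\n", version.Version, version.Channel, version.Commit)
 return nil
 },
 }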

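--- a/install.sh
+++ b/install.sh
@@ -117,6 +117,13 @@ resolve_version() {
 fi
 
 [ -n "${VERSION}" ] || fatal "Could not determine the latest version. Check your internet connection."
+
+# Validate format to guard against tampered API responses
+case "${VERSION}" in
+v[0-9]*.[0-9]*.[0-9]*) ;;
+*) fatal "Unexpected version format received: '${VERSION}'. Aborting." ;;
+esac
+
 info "Latest version: ${VERSION}"
 }
 
@@ -183,13 +190,25 @@ verify_checksum() {
 BINARY_PATH="$1"
 EXPECTED="$2"
 
+# Validate expected hash is a 64-char hex string before trusting it
+case "${EXPECTED}" in
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
+*) fatal "Checksum file contains unexpected content — aborting." ;;
+esac
+
 if command -v sha256sum > /dev/null 2>&1; then
 ACTUAL="$(sha256sum "${BINARY_PATH}" | awk '{print $1}')"
 elif command -v shasum > /dev/null 2>&1; then
 ACTUAL="$(shasum -a 256 "${BINARY_PATH}" | awk '{print $1}')"
 else
-warn "No sha256sum or shasum found — skipping checksum verification."
-return
+fatal "sha256sum or shasum is required to verify the download. Please install one and retry."
 fi
 
 if [ "${ACTUAL}" != "${EXPECTED}" ]; then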
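Review bot: The `v[0-9]*.[0-9]*.[0-9]*` arm added in the resolve_version hunk is a shell glob, not a regular expression, so each `*` matches any run of characters. A constructed value such as `v1.2.3/../x`, or one containing spaces or quotes, still passes the format check. If the guard is meant to keep a tampered API response out of later uses of `${VERSION}` (presumably the download URL, which is outside the hunk), reject disallowed characters first by adding the arm `*[!0-9A-Za-z.+-]*) fatal "Unexpected version format received: '${VERSION}'. Aborting." ;;` above the existing one. resolve_version starts before the hunk.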

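--- a/internal/pkg/version/version.go
+++ b/internal/pkg/version/version.go
@@ -8,3 +8,7 @@ var Version = "dev"
 // Channel is the release channel: "stable" or "nightly".
 // Injected at build time via -ldflags="-X .../version.Channel=stable"
 var Channel = "stable"
+
+// Commit is the git commit SHA at build time.
+// Injected at build time via -ldflags="-X .../version.Commit=<sha>"
+var Commit = "unknown"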
