ci: gh sha print

BhautikChudasama · BhautikChudasama · commit a87b697afacf · 2026-04-01T12:47:39.000+05:30
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -43,7 +43,8 @@ jobs:
           VERSION="nightly-$(date -u +%Y-%m-%d)"
           PKG="github.com/NodeOps-app/createos-cli/internal/pkg/version"
           CFG="github.com/NodeOps-app/createos-cli/internal/config"
-          LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=nightly -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
+          COMMIT="${{ github.sha }}"
+          LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=nightly -X ${PKG}.Commit=${COMMIT} -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
 
           if [ "${{ matrix.goos }}" = "windows" ]; then
             BINARY="createos-${{ matrix.goos }}-${{ matrix.goarch }}.exe"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -43,7 +43,8 @@ jobs:
           VERSION="${{ github.ref_name }}"
           PKG="github.com/NodeOps-app/createos-cli/internal/pkg/version"
           CFG="github.com/NodeOps-app/createos-cli/internal/config"
-          LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=stable -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
+          COMMIT="${{ github.sha }}"
+          LDFLAGS="-s -w -X ${PKG}.Version=${VERSION} -X ${PKG}.Channel=stable -X ${PKG}.Commit=${COMMIT} -X ${CFG}.OAuthClientID=${{ secrets.OAUTH_CLIENT_ID }}"
 
           if [ "${{ matrix.goos }}" = "windows" ]; then
             BINARY="createos-${{ matrix.goos }}-${{ matrix.goarch }}.exe"
diff --git a/cmd/oauth/helpers.go b/cmd/oauth/helpers.go
@@ -97,6 +97,9 @@ func validateURI(value string) error {
 	if err != nil || parsed.Scheme == "" {
 		return fmt.Errorf("please enter a valid absolute URI")
 	}
+	if parsed.Scheme != "http" && parsed.Scheme != "https" {
+		return fmt.Errorf("redirect URI must use http or https (got %q)", parsed.Scheme)
+	}
 	return nil
 }
 
diff --git a/cmd/version/version.go b/cmd/version/version.go
@@ -2,9 +2,12 @@
 package version
 
 import (
+	"fmt"
+
 	"github.com/urfave/cli/v2"
 
 	"github.com/NodeOps-app/createos-cli/internal/intro"
+	"github.com/NodeOps-app/createos-cli/internal/pkg/version"
 )
 
 // NewVersionCommand creates the version command.
@@ -14,6 +17,7 @@ func NewVersionCommand() *cli.Command {
 		Usage: "Print the current version",
 		Action: func(_ *cli.Context) error {
 			intro.Show()
+			fmt.Printf("  Version: %s\n  Channel: %s\n  Commit:  %s\n\n", version.Version, version.Channel, version.Commit)
 			return nil
 		},
 	}
diff --git a/install.sh b/install.sh
@@ -117,6 +117,13 @@ resolve_version() {
     fi
 
     [ -n "${VERSION}" ] || fatal "Could not determine the latest version. Check your internet connection."
+
+    # Validate format to guard against tampered API responses
+    case "${VERSION}" in
+        v[0-9]*.[0-9]*.[0-9]*) ;;
+        *) fatal "Unexpected version format received: '${VERSION}'. Aborting." ;;
+    esac
+
     info "Latest version: ${VERSION}"
 }
 
@@ -183,13 +190,25 @@ verify_checksum() {
     BINARY_PATH="$1"
     EXPECTED="$2"
 
+    # Validate expected hash is a 64-char hex string before trusting it
+    case "${EXPECTED}" in
+        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
+[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
+        *) fatal "Checksum file contains unexpected content — aborting." ;;
+    esac
+
     if command -v sha256sum > /dev/null 2>&1; then
         ACTUAL="$(sha256sum "${BINARY_PATH}" | awk '{print $1}')"
     elif command -v shasum > /dev/null 2>&1; then
         ACTUAL="$(shasum -a 256 "${BINARY_PATH}" | awk '{print $1}')"
     else
-        warn "No sha256sum or shasum found — skipping checksum verification."
-        return
+        fatal "sha256sum or shasum is required to verify the download. Please install one and retry."
     fi
 
     if [ "${ACTUAL}" != "${EXPECTED}" ]; then
diff --git a/internal/pkg/version/version.go b/internal/pkg/version/version.go
@@ -8,3 +8,7 @@ var Version = "dev"
 // Channel is the release channel: "stable" or "nightly".
 // Injected at build time via -ldflags="-X .../version.Channel=stable"
 var Channel = "stable"
+
+// Commit is the git commit SHA at build time.
+// Injected at build time via -ldflags="-X .../version.Commit=<sha>"
+var Commit = "unknown"

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,9 @@ func validateURI(value string) error {`
`97`	`97`	`if err != nil \|\| parsed.Scheme == "" {`
`98`	`98`	`return fmt.Errorf("please enter a valid absolute URI")`
`99`	`99`	`}`
	`100`	`+ if parsed.Scheme != "http" && parsed.Scheme != "https" {`
	`101`	`+ return fmt.Errorf("redirect URI must use http or https (got %q)", parsed.Scheme)`
	`102`	`+ }`
`100`	`103`	`return nil`
`101`	`104`	`}`
`102`	`105`