gitea-mirror/Pulse
1
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-02-18 00:17:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
88d95f40befcc4e046eb2db4599f1eae40a20475
Pulse/scripts/validate-published-release.sh

77 lines
2.4 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Remote release validator.
# Downloads the published (or draft) assets straight from GitHub Releases,
# recalculates their SHA256 sums, and ensures checksums.txt and the *.sha256
# helper files match what is actually live. This prevents broken updates when
# artifacts are re-uploaded without regenerating checksums (see issue #698).
set -euo pipefail
if [ $# -lt 1 ]; then
echo "Usage: $0 <tag> [owner/repo]" >&2
echo "Example: $0 v4.28.0 rcourtman/Pulse" >&2
exit 1
fi
TAG="$1"
REPO="${2:-rcourtman/Pulse}"
BASE_URL="https://github.com/${REPO}/releases/download/${TAG}"
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT
curl_args=(curl -fsSL --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 2 --retry-all-errors)
CHECKSUMS_PATH="${TMP_DIR}/checksums.txt"
echo "Downloading ${BASE_URL}/checksums.txt"
if ! "${curl_args[@]}" "${BASE_URL}/checksums.txt" >"$CHECKSUMS_PATH"; then
echo "Failed to download checksums.txt for ${TAG}" >&2
exit 1
fi
status=0
while read -r checksum filename _; do
[[ -z "${checksum:-}" ]] && continue
[[ "$checksum" =~ ^# ]] && continue
if [[ -z "${filename:-}" ]]; then
echo "Malformed checksums line (missing filename): $checksum" >&2
status=1
continue
fi
artifact_url="${BASE_URL}/${filename}"
echo "Verifying ${filename}..."
if ! actual_checksum=$("${curl_args[@]}" "$artifact_url" | sha256sum | awk '{print $1}'); then
echo "Failed to download ${filename}" >&2
status=$((status + 1))
continue
fi
if [[ "$actual_checksum" != "$checksum" ]]; then
echo "Checksum mismatch for ${filename}: expected ${checksum}, got ${actual_checksum}" >&2
status=$((status + 1))
fi
sha_url="${artifact_url}.sha256"
if ! sha_content=$("${curl_args[@]}" "$sha_url" | tr -d '\r' | sed 's/[[:space:]]*$//'); then
echo "Failed to download ${filename}.sha256" >&2
status=$((status + 1))
continue
fi
expected_line="${checksum} ${filename}"
if [[ "$sha_content" != "$expected_line" ]]; then
echo "${filename}.sha256 content mismatch (expected '${expected_line}', got '${sha_content}')" >&2
status=$((status + 1))
fi
done < "$CHECKSUMS_PATH"
if [[ "$status" -ne 0 ]]; then
echo "Published release validation failed for ${TAG} (${status} error(s))." >&2
exit 1
fi
echo "Published release assets for ${TAG} match checksums.txt and *.sha256 files."
Reference in New Issue View Git Blame Copy Permalink