From d3042e7f93ca329408f56b0e2b591a6a83c4bdc0 Mon Sep 17 00:00:00 2001
From: Baptiste Fernandez
Date: Tue, 31 Mar 2026 09:44:17 +0100
Subject: [PATCH] Add optional checksum input for binary verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a `checksum` input that accepts an expected SHA-256 hash of the downloaded tarball. When provided, the action verifies the hash after download and before extraction, failing the step on mismatch. This is a backwards-compatible, client-side mitigation for the binary integrity concern raised in tesslio/skill-review#11 and tracked in #3. Callers who pin a version can now also pin a checksum without waiting for server-side SHA256SUMS files.

Closes #3 (partial — server-side checksums and version resolution improvements remain open)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 action.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/action.yml b/action.yml
index 181c5d9..37f7f7f 100644
--- a/action.yml
+++ b/action.yml
@@ -10,6 +10,9 @@ inputs:
 description: Tessl CLI version to install (e.g. "0.73.0", or "latest")
 required: false
 default: "latest"
+ checksum:
+ description: Expected SHA-256 hash of the downloaded tarball. When set, the action verifies the download before extracting. Obtain with "shasum -a 256 tessl--.tar.gz".
+ required: false
 token:
 description: Tessl API token for authentication. When set, exported as TESSL_TOKEN for all subsequent steps.
 required: false
@@ -72,6 +75,7 @@ runs:
 env:
 VERSION: ${{ steps.resolve.outputs.version }}
 PLATFORM: ${{ steps.platform.outputs.platform }}
+ EXPECTED_CHECKSUM: ${{ inputs.checksum }}
 run: |
 URL="https://install.tessl.io/binaries/${VERSION}/tessl-${VERSION}-${PLATFORM}.tar.gz"
 INSTALL_DIR="${RUNNER_TOOL_CACHE}/tessl/${VERSION}/${PLATFORM}"
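Review bot: The new `checksum` input's description does not state the accepted digest format, and the filename in `Obtain with "shasum -a 256 tessl--.tar.gz"` reads as garbled (the version and platform parts of the name appear to be missing), so a caller cannot tell which artefact to hash or whether uppercase hex or a `sha256:` prefix is accepted. Suggested description: `Expected SHA-256 digest (64 lowercase hex characters) of the exact tessl-<version>-<platform>.tar.gz this action downloads. Only meaningful together with a pinned version: the digest is per release, so pairing it with the default "latest" will presumably start failing as soon as a new version is published.` Leaving the input optional is right for a backwards-compatible addition, but the description should also say plainly that when it is omitted the download is not verified, so readers do not assume the action checks integrity by default.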
@@ -81,6 +85,17 @@ runs: echo "URL: ${URL}" curl -fsSL "$URL" -o "$INSTALL_DIR/tessl.tar.gz" + + if [ -n "$EXPECTED_CHECKSUM" ]; then + ACTUAL="$(shasum -a 256 "$INSTALL_DIR/tessl.tar.gz" | awk '{print $1}')" + if [ "$ACTUAL" != "$EXPECTED_CHECKSUM" ]; then + echo "::error::Checksum mismatch for tessl ${VERSION} (${PLATFORM}). Expected: ${EXPECTED_CHECKSUM}, got: ${ACTUAL}" + rm -f "$INSTALL_DIR/tessl.tar.gz" + exit 1 + fi + echo "Checksum verified: ${ACTUAL}" + fi + tar -xzf "$INSTALL_DIR/tessl.tar.gz" -C "$INSTALL_DIR" rm "$INSTALL_DIR/tessl.tar.gz" mv "$INSTALL_DIR/tessl-${VERSION}-${PLATFORM}" "$INSTALL_DIR/tessl"
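Review bot: The comparison `if [ "$ACTUAL" != "$EXPECTED_CHECKSUM" ]` is a byte-exact string compare, so an expected digest pasted with uppercase hex, surrounding whitespace or a trailing newline is reported as a tampered download rather than as a malformed input, which sends the caller down the wrong debugging path. Normalising the input and rejecting anything that is not 64 hex characters before hashing keeps the mismatch branch for real integrity failures and gives an accurate error otherwise. If `shasum` is absent on a minimal self-hosted runner the substitution yields an empty `ACTUAL`; that still fails closed, but the resulting `got: ` message is misleading, so a dedicated availability check is worth adding too. The `run: |` script begins before this hunk (its `URL=` and `INSTALL_DIR=` lines are in the previous hunk) and may continue past the `mv` line.

```yaml
      if [ -n "$EXPECTED_CHECKSUM" ]; then
        # Normalise pasted input, then require exactly 64 hex chars before trusting it
        EXPECTED_CHECKSUM="$(printf '%s' "$EXPECTED_CHECKSUM" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
        if ! printf '%s' "$EXPECTED_CHECKSUM" | grep -Eq '^[0-9a-f]{64}$'; then
          echo "::error::checksum input is not a 64-character hex SHA-256 digest"
          rm -f "$INSTALL_DIR/tessl.tar.gz"
          exit 1
        fi
        if ! command -v shasum >/dev/null 2>&1; then
          echo "::error::shasum is not available on this runner; cannot verify the download"
          rm -f "$INSTALL_DIR/tessl.tar.gz"
          exit 1
        fi
        ACTUAL="$(shasum -a 256 "$INSTALL_DIR/tessl.tar.gz" | awk '{print $1}')"
        # … unchanged: mismatch check, ::error:: message, cleanup, "Checksum verified" echo …
      fi
```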