From ebb0303bb42679f2eff7499cac36a56de2c54646 Mon Sep 17 00:00:00 2001
From: Alex Eagle
Date: Mon, 18 Mar 2024 17:50:08 -0700
Subject: [PATCH] chore: copy code review improvements from upstream https://github.com/bazelbuild/rules_proto/pull/205
---
 .github/workflows/mirror_protoc_release.yml | 3 +++
 protoc/private/mirror_protoc_release.sh | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/mirror_protoc_release.yml b/.github/workflows/mirror_protoc_release.yml
index fa7de6a..6cbfb36 100644
--- a/.github/workflows/mirror_protoc_release.yml
+++ b/.github/workflows/mirror_protoc_release.yml
@@ -3,6 +3,9 @@ on:
 # Trigger manually in the UI
 workflow_dispatch:
 # Trigger daily at 06:10 UTC
+ # Note, the create-pull-request action only sends a PR if there's a code change,
+ # so a no-op execution of the mirror_protoc_releases script on most days will
+ # not create a pull request.
 schedule:
 - cron: "10 6 * * *"
diff --git a/protoc/private/mirror_protoc_release.sh b/protoc/private/mirror_protoc_release.sh
index cd46ec4..4145df6 100755
--- a/protoc/private/mirror_protoc_release.sh
+++ b/protoc/private/mirror_protoc_release.sh
@@ -30,6 +30,10 @@ map(select(.tag_name == $version))[0]
 # Create a file that looks like a checksums.txt from a shasum command, i.e.
 # sha384-RVFu8PJJCOSXwYTqH7FyWRSgsP1AAjcEa+VViddVTgtd9wYvZjQoQ8jmlFxwfFw+ protobuf-26.0-rc3.tar.gz
 # sha384-JYSXGTSBfwUU6UzqazUTkT3lTZDzx10YdaNQYjojrT7X1Ro1fA+T4tjJw0e8UISV protobuf-26.0-rc3.zip
+#
+# Note, this follows https://en.wikipedia.org/wiki/Trust_on_first_use
+# in that we assume that a release is not tampered for 24h until we mirror it, then afterward
+# we are guaranteed that whatever we initially trusted does not change.
 CHECKSUMS=$(mktemp)
 for url in $(jq --arg version $VERSION --raw-output "$DOWNLOAD_URLS_FILTER" <$RELEASES); do
 sha=$(curl -sSL $url | shasum -b -a 384 | awk "{ print \$1 }" | xxd -r -p | base64)
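Review bot: The new trust-on-first-use comment above `CHECKSUMS=$(mktemp)` promises that whatever is first trusted never changes, but the pipeline it documents, `sha=$(curl -sSL $url | ...)`, runs curl without `--fail`, so an HTTP error body (a 404 or 5xx page) would be hashed and written out as the release's trusted digest, and the TOFU model would then pin that wrong value permanently. Suggest `sha=$(curl -fsSL "$url" | shasum -b -a 384 | awk "{ print \$1 }" | xxd -r -p | base64)` together with `set -o pipefail` (plus `set -e`) if the script header, which is outside the hunk, does not already set them, so a failed fetch aborts the run instead of producing a checksum. It would also make the comment more honest to state that the visible lines cross-check no publisher-supplied checksum, so the only trust anchor is the first successful download, and that the 24h figure presumably derives from the daily cron in the workflow file rather than from anything this script enforces. The `for url` loop continues past the end of the hunk.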