
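---
# Daily drift check for the published install script: the copy served from the
# INSTALL_URL repository variable must be byte-identical to install.sh in this
# repository, and the distribution bucket must contain only the known objects.
name: Verify Install Script

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 6 * * *'  # Daily at 6am UTC
  workflow_dispatch:  # Manual trigger

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the repo.
permissions:
  contents: read

jobs:
  verify:
    name: Verify install script integrity
    runs-on: ubuntu-latest
    env:
      # Distribution bucket audited in the final step.
      BUCKET: forkzero-lattice-prod
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Compute expected checksum
        id: expected
        run: echo "sha256=$(sha256sum install.sh | awk '{print $1}')" >> "$GITHUB_OUTPUT"

      - name: Fetch live install script
        env:
          # Passed through the environment instead of being interpolated into
          # the shell line, so the value cannot change the command's syntax.
          INSTALL_URL: ${{ vars.INSTALL_URL }}
        run: |
          if [ -z "$INSTALL_URL" ]; then
            echo "::error::INSTALL_URL repository variable is not set"
            exit 1
          fi
          # --proto '=https' refuses a downgrade to plain HTTP, including on redirect.
          curl --proto '=https' --tlsv1.2 -fsSL "$INSTALL_URL" -o /tmp/live-install.sh

      - name: Compute live checksum
        id: live
        run: echo "sha256=$(sha256sum /tmp/live-install.sh | awk '{print $1}')" >> "$GITHUB_OUTPUT"

      - name: Compare checksums
        env:
          EXPECTED_SHA256: ${{ steps.expected.outputs.sha256 }}
          LIVE_SHA256: ${{ steps.live.outputs.sha256 }}
        run: |
          echo "Expected: $EXPECTED_SHA256"
          echo "Live: $LIVE_SHA256"
          # An empty expected digest would otherwise compare equal to an empty
          # live digest and pass vacuously.
          if [ -z "$EXPECTED_SHA256" ] || [ "$EXPECTED_SHA256" != "$LIVE_SHA256" ]; then
            echo "::error::Install script integrity check FAILED — live script differs from repository"
            exit 1
          fi
          echo "Install script integrity verified"

      - name: Verify install script works
        # Only reached when the live copy matched the repository copy above,
        # since the previous step fails the job on a mismatch.
        run: |
          sh /tmp/live-install.sh
          lattice --version

      - name: Audit S3 bucket for unexpected files
        env:
          # NOTE(review): long-lived static keys; an OIDC role assumption would
          # avoid storing them as secrets — confirm whether the account allows it.
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: us-east-1
        run: |
          set -euo pipefail
          echo "Auditing bucket contents..."
          # A listing failure (bad credentials, missing permission, wrong region)
          # must fail the audit; swallowing it would report an empty bucket as passed.
          if ! OBJECTS=$(aws s3api list-objects-v2 --bucket "$BUCKET" --query 'Contents[].Key' --output text); then
            echo "::error::Could not list objects in $BUCKET"
            exit 1
          fi
          # Text output for a null query result (empty bucket) is the literal "None".
          if [ "$OBJECTS" = "None" ]; then
            OBJECTS=""
          fi
          UNEXPECTED=""
          for key in $OBJECTS; do
            # Exact match only: a grep -w against the expected list would also
            # accept "install.sh" at the bucket root or any key containing an
            # expected name, because "/" and "." are not word characters.
            case "$key" in
              lattice/install.sh|lattice/install.ps1)
                echo " OK: $key"
                ;;
              *)
                echo " UNEXPECTED: $key"
                UNEXPECTED="$UNEXPECTED $key"
                ;;
            esac
          done
          if [ -n "$UNEXPECTED" ]; then
            echo "::error::Unexpected files found in $BUCKET:$UNEXPECTED"
            exit 1
          fi
          echo "Bucket audit passed — only expected files present"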