ci: pin oasdiff to v1.16.0 #516
Greptile Summary
This PR replaces the unpinned

Confidence Score: 4/5
Safe to merge — the change is a straightforward, targeted improvement to the install method with no functional logic changes downstream. The switch from curl | sh to a pinned tarball download is clearly correct and more reproducible. The only open gap is that the downloaded binary is not checksum-verified, so a tampered release asset would be installed silently. This is a hardening suggestion rather than a present defect, but it is worth addressing before the version is bumped again. No files require special attention beyond the optional checksum hardening in openapi-breaking-changes.yml.
| Filename | Overview |
|---|---|
| .github/workflows/openapi-breaking-changes.yml | Replaces the unpinned curl |
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Install oasdiff step] --> B["curl: download oasdiff_1.16.0_linux_amd64.tar.gz\nfrom GitHub Releases → /tmp/oasdiff.tgz"]
B --> C["tar: extract oasdiff binary → /tmp/oasdiff"]
C --> D["sudo mv /tmp/oasdiff → /usr/local/bin/oasdiff"]
D --> E["oasdiff --version (sanity check)"]
E --> F[Run oasdiff breaking check]
F -->|breaking changes found| G[Post PR comment + add label]
F -->|no breaking changes| H[Remove label + clear comment]
```
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
.github/workflows/openapi-breaking-changes.yml:37-42
The tarball is fetched over HTTPS from a pinned release tag, which is already much safer than the previous `curl | sh` approach. Adding a SHA256 checksum verification step would close the remaining gap: a tampered release asset or a (very unlikely) MITM would be caught before the binary is installed.
```suggestion
curl -fsSL \
"https://github.com/oasdiff/oasdiff/releases/download/v${OASDIFF_VERSION}/oasdiff_${OASDIFF_VERSION}_linux_amd64.tar.gz" \
-o /tmp/oasdiff.tgz
# Verify checksum — update this hash when bumping OASDIFF_VERSION
echo "<sha256-of-oasdiff_1.16.0_linux_amd64.tar.gz> /tmp/oasdiff.tgz" | sha256sum -c -
tar -xzf /tmp/oasdiff.tgz -C /tmp oasdiff
sudo mv /tmp/oasdiff /usr/local/bin/oasdiff
oasdiff --version
```
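The verify-before-install pattern the review suggests, as an added stand-alone example (not the workflow's own code): the tarball is only extracted when its SHA-256 matches the hardcoded value, and a mismatch installs nothing. It assumes a POSIX shell with GNU `sha256sum` and `tar`; the release tarball is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example: install a pinned oasdiff tarball only after its SHA-256 matches
# the value hardcoded in the workflow (OASDIFF_SHA256). Assumes GNU sha256sum/tar.
set -eu

# verify_and_install TARBALL EXPECTED_SHA256 DEST_DIR
# Returns 0 and places DEST_DIR/oasdiff on a match; on a mismatch returns 1 and
# extracts nothing, which is what fails the CI job instead of running a bad binary.
verify_and_install() {
  tarball=$1
  expected=$2
  dest=$3
  # sha256sum -c reads "<hash>  <file>" (two spaces) from stdin, non-zero on mismatch
  if ! printf '%s  %s\n' "$expected" "$tarball" | sha256sum -c - >/dev/null 2>&1; then
    echo "checksum mismatch for $tarball, refusing to install" >&2
    return 1
  fi
  # Extract only the oasdiff member, exactly as the workflow step does
  tar -xzf "$tarball" -C "$dest" oasdiff
  chmod +x "$dest/oasdiff"
  return 0
}

# The value to paste into OASDIFF_SHA256 when bumping OASDIFF_VERSION; in the real
# workflow this comes from the upstream checksums.txt, computed once, never fetched at run time
tarball_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# Constructed demo input: a fake release tarball whose "oasdiff" is a tiny script
make_demo_tarball() {
  work=$(mktemp -d)
  printf '#!/bin/sh\necho "oasdiff demo"\n' > "$work/oasdiff"
  tar -czf "$work/oasdiff_demo_linux_amd64.tar.gz" -C "$work" oasdiff
  rm "$work/oasdiff"
  echo "$work/oasdiff_demo_linux_amd64.tar.gz"
}

# Demo run on the constructed tarball (replace with the real release asset and
# the hardcoded hash in the workflow)
demo_tarball=$(make_demo_tarball)
demo_dest=$(mktemp -d)
verify_and_install "$demo_tarball" "$(tarball_sha256 "$demo_tarball")" "$demo_dest"
"$demo_dest/oasdiff"
```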
Reviews (1): Last reviewed commit: "ci: pin oasdiff to v1.16.0"
Summary
Pins oasdiff to v1.16.0 in the breaking-changes workflow and verifies the downloaded tarball against a hardcoded SHA-256, instead of running the upstream install script.
The previous `install.sh | sh` approach grabs whatever release is current at build time, with no integrity check:

Now we download a fixed release tarball and verify it against a hardcoded SHA-256 (`2f424431c4…dd521`, from the upstream `checksums.txt` for v1.16.0 linux_amd64). The SHA is hardcoded rather than fetched, so a tampered `checksums.txt` can't slip a bad binary through. Bumping the version is a two-line change (`OASDIFF_VERSION` + `OASDIFF_SHA256`).

Test plan