feat: pin codspeed-go-runner installer downloads with sha256 verification

art049 · claude · art049 · commit 394df990704e · 2026-05-24T16:36:21.000+02:00
The introspected `go test` shim now installs `codspeed-go-runner` from
a pinned URL whose installer bytes are verified against a sha256
recorded in `go.sh`. The mapping covers every released installer
(0.1.1 through 1.2.0) and is stored as a `version sha256` table looked
up via awk, so version bumps are a one-line edit. The pinned default
replaces the previous "latest" fallback, which silently introduced
breaking changes; users can still override via the
`go-runner-version` CLI option.

A CI-gated Rust test (`GITHUB_ACTIONS=true`) parses the table out of
the embedded `go.sh`, downloads each installer in parallel, and
asserts its bytes hash to the declared pin — same gating as the
existing `binary_pins` network check.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/src/cli/shared.rs b/src/cli/shared.rs
@@ -96,7 +96,7 @@ pub struct ExecAndRunSharedArgs {
     pub allow_empty: bool,
 
     /// The version of the go-runner to use (e.g., 1.2.3, 1.0.0-beta.1)
-    /// If not specified, the latest version will be installed
+    /// If not specified, the runner installs the pinned default version
     #[arg(long, env = "CODSPEED_GO_RUNNER_VERSION", value_parser = parse_version)]
     pub go_runner_version: Option<semver::Version>,
 
diff --git a/src/executor/helpers/introspected_golang/go.sh b/src/executor/helpers/introspected_golang/go.sh
@@ -12,6 +12,73 @@ debug_log "Called with arguments: $*"
 debug_log "Number of arguments: $#"
 
 
+GO_RUNNER_INSTALLER_SHA256S="
+0.1.1 f841950fe630dbc5c1bd534eb7cb8acf476b744297081710866092551110a68f
+0.1.2 cdbe066adccad7eb11ca53daf57a2c754666966d6ec9ab02e399f6f00a87f3eb
+0.2.0 10b75883bd8c09133281d652ea3ae1897f35606dd8a4a722d5c9b304666eaf7e
+0.3.0 d50608b9ceff1426badf5cb868bb76eca74428715006029519248d61c4781799
+0.4.0 dfb13bd30afef8a430680813b5605f46243962f6e31359f387d7c90ee9018be3
+0.4.1 94b8b82a095597e3bf4fea12cccd6bbc2e52e619d7953c3fcb695651ae5e804c
+0.4.2 5fca476647e269aedc91e5920265867de56e4dcada5bd83d99a507e437236e06
+0.5.0 82c68678904691903567f542117bcbf6aceca87b34db14c946915b988f12cf8f
+0.5.1 db2de37e815913ce72f761a8c25aeef4a64fe2407a870e0dc2ea149a3decd904
+0.6.0 e7bf7c37b07bc43610cf35140556b51cb03b4355914307f8100bef5f7f37c85d
+0.6.1 a38e0e3417abce9260f1b8c3ff7407bb93900a0ad83ee191725a0266f97c797c
+0.6.2 616200762cc2fa582fae56ea58e77ad6c056bd658f6907d5be56d39d59ec6616
+1.0.0 0540d8abe62357acefb85b9f1a9ff81dcfef70d6be8bea35096bf26a295a91f8
+1.0.1 c26f463883a77591e5a2e2f17f0995a989cbada0d4f5115f327900badac07918
+1.0.2 4e4ecfb1888ced253f0acbbc132db0b1d7e99351d40f3eff789a518a6130ee35
+1.1.0 d16e0e14bdfaea61a6da1d46d7b3b36f940b64335c8affbdc85b802d6e949a97
+1.2.0 072876ccd43b8c73c123df206eda4b1f82f9ff03b1330efe35e5eaa5c1b6cefe
+"
+
+DEFAULT_GO_RUNNER_VERSION="1.2.0"
+
+get_go_runner_installer_sha256() {
+    if ! awk -v v="$1" '$1==v{print $2; f=1} END{exit !f}' <<<"$GO_RUNNER_INSTALLER_SHA256S"; then
+        echo "ERROR: No pinned sha256 for codspeed-go-runner version $1" >&2
+        exit 1
+    fi
+}
+
+sha256_file() {
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum "$1" | awk '{ print $1 }'
+    elif command -v shasum >/dev/null 2>&1; then
+        shasum -a 256 "$1" | awk '{ print $1 }'
+    else
+        echo "ERROR: Could not find sha256sum or shasum to verify downloaded installer" >&2
+        exit 1
+    fi
+}
+
+install_go_runner() {
+    local version="$1"
+    local expected_sha256
+    expected_sha256=$(get_go_runner_installer_sha256 "$version")
+    local download_url="https://github.com/CodSpeedHQ/codspeed-go/releases/download/v${version}/codspeed-go-runner-installer.sh"
+    local tmp_dir
+    tmp_dir=$(mktemp -d)
+    local installer_path="$tmp_dir/codspeed-go-runner-installer.sh"
+
+    cleanup_go_runner_installer() {
+        rm -rf "$tmp_dir"
+    }
+    trap cleanup_go_runner_installer RETURN
+
+    curl -fsSL "$download_url" -o "$installer_path"
+
+    local actual_sha256
+    actual_sha256=$(sha256_file "$installer_path")
+    if [ "$actual_sha256" != "$expected_sha256" ]; then
+        echo "ERROR: Hash mismatch for $download_url: expected $expected_sha256, got $actual_sha256" >&2
+        exit 1
+    fi
+
+    bash "$installer_path" --quiet
+}
+
+
 # Currently only walltime is supported
 if [ "${CODSPEED_RUNNER_MODE:-}" != "walltime" ]; then
     echo "CRITICAL: Go benchmarks can only be run with the walltime instrument"
@@ -47,17 +114,9 @@ case "$1" in
         # Find go-runner or install if not found
         GO_RUNNER=$(which codspeed-go-runner 2>/dev/null || true)
         if [ -z "$GO_RUNNER" ]; then
-            # Build the installer URL with the specified version or use latest
-            INSTALLER_VERSION="${CODSPEED_GO_RUNNER_VERSION:-latest}"
-            if [ "$INSTALLER_VERSION" = "latest" ]; then
-                DOWNLOAD_URL="http://github.com/CodSpeedHQ/codspeed-go/releases/latest/download/codspeed-go-runner-installer.sh"
-                echo "::warning::Installing the latest version of codspeed-go-runner. This can silently introduce breaking changes. We recommend pinning a specific version via the \`go-runner-version\` option in the action." >&2
-            else
-                DOWNLOAD_URL="http://github.com/CodSpeedHQ/codspeed-go/releases/download/v${INSTALLER_VERSION}/codspeed-go-runner-installer.sh"
-            fi
-
-            debug_log "Installing go-runner from: $DOWNLOAD_URL"
-            curl -fsSL "$DOWNLOAD_URL" | bash -s -- --quiet
+            INSTALLER_VERSION="${CODSPEED_GO_RUNNER_VERSION:-$DEFAULT_GO_RUNNER_VERSION}"
+            debug_log "Installing go-runner v${INSTALLER_VERSION}"
+            install_go_runner "$INSTALLER_VERSION"
             GO_RUNNER=$(which codspeed-go-runner 2>/dev/null || true)
         fi
 
diff --git a/src/executor/helpers/introspected_golang/mod.rs b/src/executor/helpers/introspected_golang/mod.rs
@@ -17,3 +17,94 @@ pub fn setup() -> Result<PathBuf> {
     script_file.set_permissions(perms)?;
     Ok(script_folder)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::request_client::REQUEST_CLIENT;
+
+    fn pinned_go_runner_installers() -> Vec<(String, String)> {
+        let start = INTROSPECTED_GO_SCRIPT
+            .find("GO_RUNNER_INSTALLER_SHA256S=\"")
+            .expect("GO_RUNNER_INSTALLER_SHA256S table not found in go.sh");
+        let body_start = INTROSPECTED_GO_SCRIPT[start..]
+            .find('\n')
+            .map(|i| start + i + 1)
+            .expect("malformed GO_RUNNER_INSTALLER_SHA256S table");
+        let body_end = INTROSPECTED_GO_SCRIPT[body_start..]
+            .find("\n\"")
+            .map(|i| body_start + i)
+            .expect("unterminated GO_RUNNER_INSTALLER_SHA256S table");
+
+        INTROSPECTED_GO_SCRIPT[body_start..body_end]
+            .lines()
+            .filter(|line| !line.trim().is_empty())
+            .map(|line| {
+                let mut parts = line.split_whitespace();
+                let version = parts.next().expect("missing version").to_string();
+                let sha256 = parts.next().expect("missing sha256").to_string();
+                assert!(
+                    parts.next().is_none(),
+                    "unexpected extra column in GO_RUNNER_INSTALLER_SHA256S row: {line:?}"
+                );
+                (version, sha256)
+            })
+            .collect()
+    }
+
+    #[test]
+    fn pinned_go_runner_installers_parses_table() {
+        let pins = pinned_go_runner_installers();
+        assert!(!pins.is_empty(), "no go-runner installer pins parsed");
+        for (version, sha256) in &pins {
+            assert!(!version.is_empty(), "empty version in pin row");
+            assert_eq!(sha256.len(), 64, "sha256 must be 64 hex chars: {sha256}");
+            assert!(
+                sha256.chars().all(|c| c.is_ascii_hexdigit()),
+                "sha256 must be hex: {sha256}",
+            );
+        }
+    }
+
+    // Network-bound: downloads every pinned go-runner installer and asserts its
+    // bytes hash to the declared SHA-256. Skipped locally; CI sets
+    // `GITHUB_ACTIONS=true`. Run after bumping a version to make sure the
+    // release won't ship a stale or mistyped hash.
+    #[test_with::env(GITHUB_ACTIONS)]
+    #[tokio::test(flavor = "multi_thread")]
+    async fn all_pinned_go_runner_installers_match_their_declared_sha256() {
+        let pins = pinned_go_runner_installers();
+
+        let results = futures::future::join_all(pins.into_iter().map(|(version, expected)| async move {
+            let url = format!(
+                "https://github.com/CodSpeedHQ/codspeed-go/releases/download/v{version}/codspeed-go-runner-installer.sh"
+            );
+            let bytes = REQUEST_CLIENT
+                .get(&url)
+                .send()
+                .await
+                .map_err(|e| format!("{version} ({url}): request failed: {e}"))?
+                .error_for_status()
+                .map_err(|e| format!("{version} ({url}): {e}"))?
+                .bytes()
+                .await
+                .map_err(|e| format!("{version} ({url}): read failed: {e}"))?;
+            let actual = sha256::digest(bytes.as_ref());
+            if actual != expected {
+                Err(format!(
+                    "{version} ({url}): expected {expected}, got {actual}"
+                ))
+            } else {
+                Ok(())
+            }
+        }))
+        .await;
+
+        let failures: Vec<_> = results.into_iter().filter_map(Result::err).collect();
+        assert!(
+            failures.is_empty(),
+            "pinned go-runner installers failed verification:\n  - {}",
+            failures.join("\n  - "),
+        );
+    }
+}
