test: derive pinned binary verification targets

Author: art049

src/binary_pins.rs

@@ -112,7 +112,7 @@ const MONGO_TRACER_INSTALLER: BinaryPin = BinaryPin {
 /// A binary the runner downloads at install time. The download helper looks
 /// up the URL and SHA-256 via `url()` and `sha256()` and rejects the install
 /// if the bytes don't match.
-#[derive(Debug, Clone, Copy)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum PinnedBinary {
     ValgrindDeb {
         distro_version: &'static str,
@@ -144,33 +144,6 @@ impl PinnedBinary {
         self.pin().url()
     }
 
-    /// Every `PinnedBinary` instance the runner can produce at runtime, used
-    /// by the verification test to catch a stale or mistyped hash before
-    /// release. Update this whenever a new variant or valgrind target is
-    /// added.
-    #[cfg(test)]
-    pub const ALL: &'static [PinnedBinary] = &[
-        PinnedBinary::ValgrindDeb {
-            distro_version: "22.04",
-            arch: "amd64",
-        },
-        PinnedBinary::ValgrindDeb {
-            distro_version: "24.04",
-            arch: "amd64",
-        },
-        PinnedBinary::ValgrindDeb {
-            distro_version: "22.04",
-            arch: "arm64",
-        },
-        PinnedBinary::ValgrindDeb {
-            distro_version: "24.04",
-            arch: "arm64",
-        },
-        PinnedBinary::MemtrackInstaller,
-        PinnedBinary::ExecHarnessInstaller,
-        PinnedBinary::MongoTracerInstaller,
-    ];
-
     pub fn sha256(&self) -> &'static str {
         self.pin().sha256()
     }
@@ -182,21 +155,54 @@ mod tests {
     use crate::cli::run::helpers::download_pinned_file;
     use tempfile::NamedTempFile;
 
+    const INSTALLER_BINARIES: &[PinnedBinary] = &[
+        PinnedBinary::MemtrackInstaller,
+        PinnedBinary::ExecHarnessInstaller,
+        PinnedBinary::MongoTracerInstaller,
+    ];
+
+    fn assert_installer_variant_is_listed(binary: PinnedBinary) {
+        match binary {
+            PinnedBinary::ValgrindDeb { .. } => {}
+            PinnedBinary::MemtrackInstaller
+            | PinnedBinary::ExecHarnessInstaller
+            | PinnedBinary::MongoTracerInstaller => {
+                assert!(INSTALLER_BINARIES.contains(&binary));
+            }
+        }
+    }
+
+    fn all_pinned_binaries() -> impl Iterator<Item = PinnedBinary> {
+        VALGRIND_DEBS
+            .iter()
+            .map(|pin| PinnedBinary::ValgrindDeb {
+                distro_version: pin.distro_version,
+                arch: pin.arch,
+            })
+            .chain(INSTALLER_BINARIES.iter().copied())
+    }
+
+    #[test]
+    fn installer_variant_list_is_exhaustive() {
+        assert_installer_variant_is_listed(PinnedBinary::MemtrackInstaller);
+        assert_installer_variant_is_listed(PinnedBinary::ExecHarnessInstaller);
+        assert_installer_variant_is_listed(PinnedBinary::MongoTracerInstaller);
+    }
+
     // Network-bound: downloads every pinned URL and asserts its bytes hash to
     // the declared SHA-256. Skipped locally; CI sets `GITHUB_ACTIONS=true`.
     // Run after bumping a version to make sure the release won't ship a stale
     // or mistyped hash.
     #[test_with::env(GITHUB_ACTIONS)]
     #[tokio::test(flavor = "multi_thread")]
     async fn all_pinned_binaries_match_their_declared_sha256() {
-        let results =
-            futures::future::join_all(PinnedBinary::ALL.iter().map(|binary| async move {
-                let temp = NamedTempFile::new().expect("failed to create temp file");
-                download_pinned_file(*binary, temp.path())
-                    .await
-                    .map_err(|e| format!("{binary:?} ({}): {e}", binary.url()))
-            }))
-            .await;
+        let results = futures::future::join_all(all_pinned_binaries().map(|binary| async move {
+            let temp = NamedTempFile::new().expect("failed to create temp file");
+            download_pinned_file(binary, temp.path())
+                .await
+                .map_err(|e| format!("{binary:?} ({}): {e}", binary.url()))
+        }))
+        .await;
 
         let failures: Vec<_> = results.into_iter().filter_map(Result::err).collect();
         assert!(

src/executor/helpers/introspected_golang/go.sh

@@ -11,6 +11,59 @@ debug_log() {
 debug_log "Called with arguments: $*"
 debug_log "Number of arguments: $#"
 
+sha256_file() {
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum "$1" | awk '{ print $1 }'
+    elif command -v shasum >/dev/null 2>&1; then
+        shasum -a 256 "$1" | awk '{ print $1 }'
+    else
+        echo "ERROR: Could not find sha256sum or shasum to verify downloaded installer" >&2
+        exit 1
+    fi
+}
+
+install_go_runner() {
+    local download_url="$1"
+    local release_api_url="$2"
+    local tmp_dir
+    tmp_dir=$(mktemp -d)
+    local installer_path="$tmp_dir/codspeed-go-runner-installer.sh"
+    local release_json_path="$tmp_dir/release.json"
+
+    cleanup_go_runner_installer() {
+        rm -rf "$tmp_dir"
+    }
+    trap cleanup_go_runner_installer RETURN
+
+    curl -fsSL "$download_url" -o "$installer_path"
+    curl -fsSL "$release_api_url" -o "$release_json_path"
+
+    local expected_sha256
+    expected_sha256=$(awk '
+        /"name": "codspeed-go-runner-installer.sh"/ { in_installer_asset = 1 }
+        in_installer_asset && /"digest": "sha256:/ {
+            sub(/^.*"digest": "sha256:/, "")
+            sub(/".*$/, "")
+            print
+            found = 1
+            exit
+        }
+        END { if (!found) exit 1 }
+    ' "$release_json_path") || {
+        echo "ERROR: Could not find codspeed-go-runner-installer.sh digest in release metadata" >&2
+        exit 1
+    }
+
+    local actual_sha256
+    actual_sha256=$(sha256_file "$installer_path")
+    if [ "$actual_sha256" != "$expected_sha256" ]; then
+        echo "ERROR: Hash mismatch for $download_url: expected $expected_sha256, got $actual_sha256" >&2
+        exit 1
+    fi
+
+    bash "$installer_path" --quiet
+}
+
 
 # Currently only walltime is supported
 if [ "${CODSPEED_RUNNER_MODE:-}" != "walltime" ]; then
@@ -50,14 +103,16 @@ case "$1" in
             # Build the installer URL with the specified version or use latest
             INSTALLER_VERSION="${CODSPEED_GO_RUNNER_VERSION:-latest}"
             if [ "$INSTALLER_VERSION" = "latest" ]; then
-                DOWNLOAD_URL="http://github.com/CodSpeedHQ/codspeed-go/releases/latest/download/codspeed-go-runner-installer.sh"
+                DOWNLOAD_URL="https://github.com/CodSpeedHQ/codspeed-go/releases/latest/download/codspeed-go-runner-installer.sh"
+                RELEASE_API_URL="https://api.github.com/repos/CodSpeedHQ/codspeed-go/releases/latest"
                 echo "::warning::Installing the latest version of codspeed-go-runner. This can silently introduce breaking changes. We recommend pinning a specific version via the \`go-runner-version\` option in the action." >&2
             else
-                DOWNLOAD_URL="http://github.com/CodSpeedHQ/codspeed-go/releases/download/v${INSTALLER_VERSION}/codspeed-go-runner-installer.sh"
+                DOWNLOAD_URL="https://github.com/CodSpeedHQ/codspeed-go/releases/download/v${INSTALLER_VERSION}/codspeed-go-runner-installer.sh"
+                RELEASE_API_URL="https://api.github.com/repos/CodSpeedHQ/codspeed-go/releases/tags/v${INSTALLER_VERSION}"
             fi
 
             debug_log "Installing go-runner from: $DOWNLOAD_URL"
-            curl -fsSL "$DOWNLOAD_URL" | bash -s -- --quiet
+            install_go_runner "$DOWNLOAD_URL" "$RELEASE_API_URL"
             GO_RUNNER=$(which codspeed-go-runner 2>/dev/null || true)
         fi