feat: pin downloaded binaries with sha256 verification

[art049]

Every binary the runner downloads at install time (the patched valgrind .deb, the memtrack installer, the exec-harness installer, the mongo-tracer installer) is now SHA-256-pinned. URLs and expected hashes live together in a new PinnedBinary enum in src/binary_pins.rs, and the download helper (download_pinned_file) rejects the install — and removes the partial file — if the bytes don't match the declared digest.

Until now, the runner trusted whatever it pulled from GitHub releases / S3 to be the artifact that was published. That trust is implicit and we have no recovery if an artifact is replaced. Pinning the hashes alongside the version constants makes the supply-chain assumption explicit and verifiable at install time.

Bumping a pinned version now requires updating both the version constant and the matching PinnedBinary::sha256 arm — for valgrind, one hash per supported (distro_version, arch) combination. CONTRIBUTING.md is updated with the regeneration workflow and the release checklist points at the new location.

[codspeed-hq]

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 7 untouched benchmarks

---

_{Comparing feat/pin-binary-downloads-sha256 (394df99) with main (db14de8)}

[greptile-apps]

Greptile Summary

This PR introduces SHA-256 pinning for every binary the runner downloads at install time. A new binary_pins.rs module centralises version, URL template, and hash for valgrind .deb, memtrack, exec-harness, and mongo-tracer; a new download_pinned_file helper enforces the hash and removes partial downloads on mismatch.

• src/binary_pins.rs (new): PinnedBinary enum + ValgrindTarget struct consolidate all artifact metadata; exhaustive match over typed enums removes the previous unreachable! risk; CI-only network tests verify every declared hash against live downloads.
• go.sh: Replaces the unverified curl | bash (including an unguarded "latest" path) with a version-keyed SHA-256 table and a sha256_file helper, eliminating the last unpinned download path.
• src/lib.rs: Removes VALGRIND_CODSPEED_VERSION, VALGRIND_CODSPEED_DEB_VERSION, and MONGODB_TRACER_VERSION from the crate root — all now live in binary_pins, making binary_pins.rs the single location to update when bumping any pinned artifact.

Confidence Score: 5/5

Safe to merge; all production download paths are correctly pinned and verified.

The Rust-side changes are clean: download_pinned_file enforces the hash on every download, the PinnedBinary / ValgrindTarget types use exhaustive matches so no runtime fallback is needed, and CI network tests validate every declared hash against live releases. The only rough edge is in go.sh, where exit 1 on hash mismatch bypasses the trap RETURN cleanup and leaves the temp directory on disk — a benign leak confined to an error path.

src/executor/helpers/introspected_golang/go.sh — the install_go_runner temp-dir cleanup trap

Important Files Changed

Filename	Overview
src/binary_pins.rs	New file: consolidates all pinned-binary metadata (version, URL template, SHA-256) for valgrind .deb, memtrack, exec-harness, and mongo-tracer; uses exhaustive enum coverage instead of unreachable arms; includes a network-bound CI test that verifies every hash against live downloads.
src/cli/run/helpers/download_file.rs	Adds download_pinned_file: downloads via the existing helper, computes SHA-256 with sha256::try_digest, and bails with a clean error and file removal on mismatch; download_file is now crate-private.
src/executor/helpers/introspected_golang/go.sh	Adds a version-keyed SHA-256 lookup table for go-runner installers, eliminates the 'latest' unverified download path, and adds install_go_runner with hash verification; temp-dir cleanup trap is bypassed when exit 1 is used on hash mismatch.
src/executor/helpers/introspected_golang/mod.rs	Adds unit test that parses the in-script SHA-256 table and a CI-only network test that verifies each go-runner installer hash against the live download.
src/executor/valgrind/setup.rs	Replaces filename/URL construction with get_codspeed_valgrind_binary returning a PinnedBinary; snapshot tests now assert the full URL rather than just the filename, improving coverage.
src/lib.rs	Removes VALGRIND_CODSPEED_VERSION, VALGRIND_CODSPEED_DEB_VERSION, MONGODB_TRACER_VERSION, and related statics — all now live in binary_pins; binary_pins module added.
CONTRIBUTING.md	Updates release checklist to point at binary_pins.rs, documents the regeneration workflow and the network-bound verification test, and explains the VALGRIND_CODSPEED_VERSION / VALGRIND_DEB_REV split.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Caller requests install] --> B{Binary already installed at correct version?}
    B -- Yes --> Z[Return Ok]
    B -- No --> C[Resolve PinnedBinary url + sha256]
    C --> D[download_file URL to tmp path]
    D --> E{HTTP success?}
    E -- No --> F[Return network error]
    E -- Yes --> G[sha256::try_digest tmp path]
    G --> H{actual == expected?}
    H -- Yes --> I[Log verified, Return Ok]
    H -- No --> J[remove_file tmp path]
    J --> K[bail! hash mismatch error]

    subgraph go.sh path
        L[Resolve version] --> M[get_go_runner_installer_sha256]
        M --> N{Version in table?}
        N -- No --> O[exit 1]
        N -- Yes --> P[curl download to tmp_dir]
        P --> Q[sha256_file]
        Q --> R{actual == expected?}
        R -- No --> S[exit 1, tmp_dir leaked]
        R -- Yes --> T[bash installer --quiet, trap RETURN cleans tmp_dir]
    end

Loading

_{Reviews (3): Last reviewed commit: "feat: pin codspeed-go-runner installer d..." | Re-trigger Greptile}