fix(wfctl): preserve registry download checksums

intel352 · intel352 · commit 9438e6f84897 · 2026-06-03T05:53:08.000-04:00
diff --git a/cmd/wfctl/plugin_registry_sync.go b/cmd/wfctl/plugin_registry_sync.go
@@ -270,10 +270,11 @@ func releaseExists(ghRepo, tag string) bool {
 }
 
 type releaseAsset struct {
-	Name string `json:"name"`
-	OS   string `json:"os"`
-	Arch string `json:"arch"`
-	URL  string `json:"url"`
+	Name   string `json:"name"`
+	OS     string `json:"os"`
+	Arch   string `json:"arch"`
+	URL    string `json:"url"`
+	SHA256 string `json:"sha256,omitempty"`
 }
 
 // releaseDownloads returns the platform release-asset list for a tag, in the
@@ -294,17 +295,49 @@ func releaseDownloads(ghRepo, tag string) ([]releaseAsset, error) {
 	if err := json.Unmarshal(out, &resp); err != nil {
 		return nil, err
 	}
+	checksums, _ := releaseChecksums(ghRepo, tag)
 	var assets []releaseAsset
 	for _, a := range resp.Assets {
 		goos, goarch, ok := releaseAssetPlatform(a.Name)
 		if !ok {
 			continue
 		}
-		assets = append(assets, releaseAsset{Name: a.Name, OS: goos, Arch: goarch, URL: a.URL})
+		assets = append(assets, releaseAsset{
+			Name:   a.Name,
+			OS:     goos,
+			Arch:   goarch,
+			URL:    a.URL,
+			SHA256: checksums[a.Name],
+		})
 	}
 	return assets, nil
 }
 
+func releaseChecksums(ghRepo, tag string) (map[string]string, error) {
+	cmd := exec.Command("gh", "release", "download", tag, "--repo", ghRepo, "--pattern", "checksums.txt", "--output", "-") // #nosec G204 -- ghRepo+tag from trusted manifest
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, err
+	}
+	return parseReleaseChecksums(string(out)), nil
+}
+
+func parseReleaseChecksums(text string) map[string]string {
+	checksums := make(map[string]string)
+	for _, line := range strings.Split(text, "\n") {
+		fields := strings.Fields(line)
+		if len(fields) < 2 {
+			continue
+		}
+		sha, err := NormalizeSHA256Hex(fields[0])
+		if err != nil {
+			continue
+		}
+		checksums[filepath.Base(fields[len(fields)-1])] = sha
+	}
+	return checksums
+}
+
 func releaseAssetPlatform(assetName string) (string, string, bool) {
 	nameNoExt := strings.TrimSuffix(assetName, ".tar.gz")
 	nameNoExt = strings.TrimSuffix(nameNoExt, ".tgz")
@@ -511,18 +544,22 @@ func versionGT(newVer, oldVer string) bool {
 }
 
 func applyFix(manifestPath string, raw map[string]any, ghRepo, targetTag, targetVersion string) error {
-	downloads, _ := releaseDownloads(ghRepo, targetTag)
+	downloads, _ := registrySyncReleaseDownloads(ghRepo, targetTag)
 	if len(downloads) == 0 {
 		raw["version"] = targetVersion
 	} else {
 		raw["version"] = targetVersion
 		dlAny := make([]any, 0, len(downloads))
 		for _, dl := range downloads {
-			dlAny = append(dlAny, map[string]any{
+			entry := map[string]any{
 				"os":   dl.OS,
 				"arch": dl.Arch,
 				"url":  dl.URL,
-			})
+			}
+			if dl.SHA256 != "" {
+				entry["sha256"] = dl.SHA256
+			}
+			dlAny = append(dlAny, entry)
 		}
 		raw["downloads"] = dlAny
 	}
diff --git a/cmd/wfctl/plugin_registry_sync_test.go b/cmd/wfctl/plugin_registry_sync_test.go
@@ -145,6 +145,24 @@ func TestPluginRegistrySync_ReleaseAssetPlatform(t *testing.T) {
 	}
 }
 
+func TestPluginRegistrySync_ParseReleaseChecksums(t *testing.T) {
+	got := parseReleaseChecksums(`
+44A1F367B554555A872EC274D9B50D71372D40FA66704C3F806F1CAFAF14412C  workflow-plugin-aws-darwin-amd64.tar.gz
+not-a-sha  workflow-plugin-aws-linux-amd64.tar.gz
+1f1043c2addbc1a668873d12b1696c03ab428c32df034425fc072d2235af664b  ./dist/workflow-plugin-aws-darwin-arm64.tar.gz
+`)
+
+	if got["workflow-plugin-aws-darwin-amd64.tar.gz"] != "44a1f367b554555a872ec274d9b50d71372d40fa66704c3f806f1cafaf14412c" {
+		t.Fatalf("darwin amd64 checksum = %q", got["workflow-plugin-aws-darwin-amd64.tar.gz"])
+	}
+	if got["workflow-plugin-aws-darwin-arm64.tar.gz"] != "1f1043c2addbc1a668873d12b1696c03ab428c32df034425fc072d2235af664b" {
+		t.Fatalf("darwin arm64 checksum = %q", got["workflow-plugin-aws-darwin-arm64.tar.gz"])
+	}
+	if _, ok := got["workflow-plugin-aws-linux-amd64.tar.gz"]; ok {
+		t.Fatal("invalid checksum should be ignored")
+	}
+}
+
 func TestPluginRegistrySync_MetadataSyncProjectsIaCServices(t *testing.T) {
 	raw := map[string]any{
 		"capabilities": map[string]any{
@@ -498,6 +516,48 @@ func TestPluginRegistrySync_AssetBinaryName(t *testing.T) {
 	}
 }
 
+func TestPluginRegistrySync_ApplyFixIncludesDownloadChecksums(t *testing.T) {
+	restoreRegistrySyncTestHooks(t)
+
+	registrySyncReleaseDownloads = func(ghRepo, tag string) ([]releaseAsset, error) {
+		if ghRepo != "owner/repo" || tag != "v1.2.3" {
+			t.Fatalf("releaseDownloads args = %q %q, want owner/repo v1.2.3", ghRepo, tag)
+		}
+		return []releaseAsset{{
+			Name:   "workflow-plugin-foo-linux-amd64.tar.gz",
+			OS:     "linux",
+			Arch:   "amd64",
+			URL:    "https://github.com/owner/repo/releases/download/v1.2.3/workflow-plugin-foo-linux-amd64.tar.gz",
+			SHA256: strings.Repeat("a", 64),
+		}}, nil
+	}
+
+	manifest := filepath.Join(t.TempDir(), "manifest.json")
+	raw := map[string]any{
+		"name":    "workflow-plugin-foo",
+		"type":    "external",
+		"version": "1.0.0",
+	}
+
+	if err := applyFix(manifest, raw, "owner/repo", "v1.2.3", "1.2.3"); err != nil {
+		t.Fatalf("applyFix returned error: %v", err)
+	}
+
+	var got map[string]any
+	data, err := os.ReadFile(manifest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := json.Unmarshal(data, &got); err != nil {
+		t.Fatal(err)
+	}
+	downloads := got["downloads"].([]any)
+	first := downloads[0].(map[string]any)
+	if first["sha256"] != strings.Repeat("a", 64) {
+		t.Fatalf("sha256 = %q", first["sha256"])
+	}
+}
+
 func TestPluginRegistrySync_VerifyCapabilitiesDownloadsExtractsAndSkipsName(t *testing.T) {
 	restoreRegistrySyncTestHooks(t)
 
