From b101ef0c274c23a92816845c942e065676d665fb Mon Sep 17 00:00:00 2001
From: Iain McGinniss <309153+iainmcgin@users.noreply.github.com>
Date: Fri, 26 Jun 2026 16:32:03 +0000
Subject: [PATCH] ci,task: verify changie download against pinned SHA256 before executing
Both the check-changelog CI job and task install-changie were fetching the changie release tarball and executing it with no integrity check, so a replaced or tampered upstream asset would run unchallenged.
- CI: pin the linux_amd64 tarball SHA256 directly, download to a temp file, sha256sum -c before extracting, extract to RUNNER_TEMP/bin (no sudo into /usr/local/bin), append to GITHUB_PATH.
- Taskfile: pin the SHA256 of the upstream checksums.txt (one hash covers all four supported OS/arch tarballs), download tarball + checksums.txt, verify checksums.txt against the pin then the tarball against checksums.txt. Uses shasum -a 256 for Linux/macOS portability. Bumping CHANGIE_VERSION now requires updating the adjacent pin in both files; comments cross-reference each other. install-protoc has the same gap and predates this PR; not touched here.
---
.github/workflows/ci.yml | 13 ++++++++++---
Taskfile.yml | 21 ++++++++++++++++-----
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f557786..6af7c2a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -90,10 +90,17 @@ jobs: - name: Install changie env: CHANGIE_VERSION: 1.24.2 + # SHA256 of changie_${CHANGIE_VERSION}_linux_amd64.tar.gz from the + # upstream release's checksums.txt. Bump together with the version. + CHANGIE_SHA256: 31535a9d8dc548d6d8f315762bfd5b1fba34e707b7600748c8bb8a609649007d run: | - curl -fsSL "https://github.com/miniscruff/changie/releases/download/v${CHANGIE_VERSION}/changie_${CHANGIE_VERSION}_linux_amd64.tar.gz" \ - | sudo tar -xz -C /usr/local/bin changie - changie --version + curl -fsSL -o /tmp/changie.tar.gz \ + "https://github.com/miniscruff/changie/releases/download/v${CHANGIE_VERSION}/changie_${CHANGIE_VERSION}_linux_amd64.tar.gz" + echo "${CHANGIE_SHA256} /tmp/changie.tar.gz" | sha256sum -c - + mkdir -p "${RUNNER_TEMP}/bin" + tar -xzf /tmp/changie.tar.gz -C "${RUNNER_TEMP}/bin" changie + echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}" + "${RUNNER_TEMP}/bin/changie" --version - name: Verify CHANGELOG.md is in sync run: | changie merge
diff --git a/Taskfile.yml b/Taskfile.yml
index 0c4528e..85564a7 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
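Review bot: The verification line `echo "${CHANGIE_SHA256} /tmp/changie.tar.gz" | sha256sum -c -` separates digest and path with a single space, while the checksum-file format that `sha256sum` itself emits uses two spaces (or ` *` for binary mode); current GNU coreutils appears to accept the single-space form, but writing it canonically, `echo "${CHANGIE_SHA256}  /tmp/changie.tar.gz" | sha256sum -c -`, avoids relying on that leniency on the one line the whole integrity check turns on. The staged tarball is also the only artefact left in `/tmp` while the extracted binary and the PATH entry go to `${RUNNER_TEMP}`; pointing `curl -o`, the checksum line and `tar -xzf` at `"${RUNNER_TEMP}/changie.tar.gz"` keeps the step entirely inside the runner-managed temp directory. The `jobs:` mapping and the job this step belongs to (check-changelog, per the commit message) start before the hunk.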
@@ -146,14 +146,20 @@ tasks: install-changie: desc: >- Download changie (changelog fragment manager) into .local/bin/ via - gh release download. The changelog-* tasks depend on this, so a direct - install is rarely needed. + gh release download, with checksum verification. The changelog-* tasks + depend on this, so a direct install is rarely needed. vars: CHANGIE_VERSION: 1.24.2 + # SHA256 of the upstream release's checksums.txt — pinned in-repo so a + # replaced or tampered release asset is detected before execution. Bump + # together with CHANGIE_VERSION (and the matching pin in + # .github/workflows/ci.yml). + CHANGIE_CHECKSUMS_SHA256: 79c8ddf317bb0a5443e00ab75fe70f7790849e91846cae68b34e503f78aaecf1 CHANGIE_OS: sh: uname -s | sed 's/Linux/linux/;s/Darwin/darwin/' CHANGIE_ARCH: sh: uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/' + CHANGIE_TARBALL: changie_{{.CHANGIE_VERSION}}_{{.CHANGIE_OS}}_{{.CHANGIE_ARCH}}.tar.gz status: - .local/bin/changie --version 2>/dev/null | grep -qF "v{{.CHANGIE_VERSION}}" preconditions:
@@ -161,11 +167,16 @@ tasks: msg: >- gh CLI must be authenticated. Run: gh auth login cmds: - - mkdir -p .local/bin + - mkdir -p .local/bin .local/dl - gh release download 'v{{.CHANGIE_VERSION}}' --repo miniscruff/changie - --pattern 'changie_*_{{.CHANGIE_OS}}_{{.CHANGIE_ARCH}}.tar.gz' - --output - | tar -xz -C .local/bin changie + --pattern '{{.CHANGIE_TARBALL}}' + --pattern checksums.txt + --dir .local/dl --clobber + - echo '{{.CHANGIE_CHECKSUMS_SHA256}} checksums.txt' | (cd .local/dl && shasum -a 256 -c -) + - (cd .local/dl && grep -F '{{.CHANGIE_TARBALL}}' checksums.txt | shasum -a 256 -c -) + - tar -xzf .local/dl/{{.CHANGIE_TARBALL}} -C .local/bin changie + - rm -rf .local/dl - .local/bin/changie --version changelog-new:
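Review bot: In the second hunk (`@@ -161,11 +167,16 @@`) the line `grep -F '{{.CHANGIE_TARBALL}}' checksums.txt | shasum -a 256 -c -` matches the tarball name as an unanchored substring, so should checksums.txt ever carry another entry whose name contains that string (a sidecar such as a `.sig` or `.sha256` file), two lines reach `shasum -c` and the task fails on a missing file rather than on the tarball's checksum; anchoring the match, `grep -E '[ *]{{.CHANGIE_TARBALL}}$' checksums.txt | shasum -a 256 -c -`, selects exactly the tarball's entry. The pinned line `echo '{{.CHANGIE_CHECKSUMS_SHA256}} checksums.txt'` uses a single space between digest and file name, whereas the canonical checksum-file format is two spaces (`'{{.CHANGIE_CHECKSUMS_SHA256}}  checksums.txt'`), and I would not count on every `shasum` build accepting the shorter form. `shasum` is a Perl script rather than part of coreutils, so it can be absent on minimal Linux images that do have `sha256sum`; a second entry under the existing `preconditions:` list, `- sh: command -v shasum` with `msg: shasum (perl) is required to verify the changie download`, reports that up front instead of failing after the download has already happened.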