Resolve SHA pins to release tags in script/release-train#194
Merged
Conversation
When the action is pinned by commit SHA (e.g. `uses: WillAbides/release-train@<sha>`), `basename "$GITHUB_ACTION_PATH"` returns the SHA instead of a release tag, so the bindown.yaml download from `https://github.com/WillAbides/release-train/releases/download/<sha>/bindown.yaml` returns a 404 HTML page that curl silently writes to disk, bindown then fails parsing it, and the failure is masked by `action_dl || local_build` so the user sees a confusing 'go: command not found' or 'go.mod not found' error instead of the real problem. Fix: - Only treat `vX.Y.Z`-shaped basenames as release tags. - For full 40-hex SHAs pinned against the canonical `WillAbides/release-train` repo, resolve the SHA to a release tag via `git ls-remote --tags` against the canonical URL. Don't trust forks at the same SHA, because they could have an unrelated `vX.Y.Z` tag. - Anything else (branch name, local action dir basename, fork SHA, short SHA) falls through to a clean source build with a clear log message instead of attempting a download that will 404. - `curl --fail --silent --show-error --location` so a 404 surfaces as an error instead of a 200-with-HTML. - Explicit error checks around curl and bindown install, and remove any stale `bin/release-train` before install so we can't exec a previous build if the current install fails. - When a release tag is selected (explicitly or via SHA resolution), a download or install failure is fatal: silently falling back to a source build would defeat the point of pinning to a released version. Fixes #193 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #193
Problem
When the action is pinned by commit SHA (e.g.
uses: WillAbides/release-train@<sha>),basename "$GITHUB_ACTION_PATH"inscript/release-trainreturns the SHA instead of a release tag. That produces a download URL likewhich 404s.
curl -L -ohappily writes the 404 HTML page totmp/bindown.yaml, bindown then fails parsing it, and the failure is masked byaction_dl || local_build. Most consumers don't havegoon the runner, so what they actually see is a confusinggo: command not found/go.mod not founderror far removed from the real cause.Fix
script/release-trainnow decides what to do based on the basename of$GITHUB_ACTION_PATH:vX.Y.Z-shaped → downloadbindown.yamlfor that release. Any download/install failure is fatal — silently falling back to a source build would defeat the point of pinning to a released version.WillAbides/release-train→ resolve the SHA to a release tag viagit ls-remote --tags https://github.com/WillAbides/release-train.git, then treat as a release. Forks at the same SHA are intentionally not trusted — a fork could carry avX.Y.Ztag pointing at unrelated source.main, fork SHA, short SHA, local checkout, unresolved SHA) → fall through togo buildwith a clear log message instead of attempting a download that's guaranteed to 404.Additional hardening:
curl --fail --silent --show-error --locationso a 404 surfaces as an error instead of a 200-with-HTML body.curlandbindown installwith diagnostic messages.bin/release-trainbefore install so a failed install can't exec a previous build.git ls-remoteoutput is captured before being piped throughawkso a network failure isn't lost to POSIX-sh's lack ofpipefail.Notes / follow-ups
#!/bin/shand passesbin/shellcheck(perscript/lint).gitis assumed available on the runner. It's effectively guaranteed on GitHub-hosted runners and on any runner usingactions/checkout. Ifgit ls-remotefails, the script logs and falls back to local build.VERSIONfile into the release artifacts. That would avoid the runtime network call but requires non-trivial release-workflow changes (the release runs from detachedHEADso the new file would need a separate commit path). Happy to do that as a follow-up if preferred.Validation
bin/shellcheck script/*passes.looks_like_release_tag,is_full_sha,resolve_sha_to_tag,determine_release_tag) were spot-tested locally against the scenarios above, including resolving the actualcd01ea9e19bb396bf659f61e1c840c5174b92de8SHA from the issue →v3.8.5.go test ./...passes.script/release-train --generate-actionproduces an unchangedaction.yml.