feat: add support for specifying sha256 checksum of downloaded binary

Closes #26

This release adds sha256 checksum support to improve your
reproducibility and security posture.

Specifying a checksum is not required.

To specify a checksum, specify a target in the format:
`{owner}/{repository}@{version}:sha256-{checksum}`

For example:

```yaml
- name: Install flux-capacitor
  uses: EricCrosson/install-github-release-binary@v2
  with:
    targets: |
      EricCrosson/hoverboard@11.7.3:sha256-8a4600be96d2ec013209042458ce97a9652fcc46c1c855d0217aa42e330fc06e
```

Author: EricCrosson

README.md

@@ -47,7 +47,7 @@ Install multiple binaries:
     targets: |
       EricCrosson/flux-capacitor@v1
       EricCrosson/steam-locomotive@v7.5.3
-      EricCrosson/hoverboard@7382f9a3ce14be1fd8b3656d262fc2c720c8f51c
+      EricCrosson/hoverboard@11.7.3:sha256-8a4600be96d2ec013209042458ce97a9652fcc46c1c855d0217aa42e330fc06e
 ```
 
 ## Inputs
@@ -62,12 +62,14 @@ Install multiple binaries:
 Specify a whitespace-separated list of targets.
 
 Each target is specified by repo slug and a [semantic version number] using the format `{owner}/{repository}@v{semantic-version}`.
+Optionally, include a sha256 checksum.
 
 Examples:
 
 - `EricCrosson/flux-capacitor@v1`
 - `EricCrosson/flux-capacitor@v1.2`
 - `EricCrosson/flux-capacitor@v1.2.3`
+- `EricCrosson/flux-capacitor@v1.2.3:sha256-ad91159c656d427ad8fe5ded2946f29f3a612c6b7a4af6129e9aa85256b7299e`
 
 [semantic version number]: https://semver.org/
 

src/index.ts

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import { arch, platform } from "node:os";
 import * as fs from "node:fs";
 import * as path from "node:path";
@@ -23,6 +24,7 @@ import type {
   RepositorySlug,
   TargetRelease,
 } from "./types";
+import { isSome } from "./option";
 
 function getDestinationDirectory(
   storageDirectory: string,
@@ -105,6 +107,27 @@ async function installGitHubReleaseBinary(
     }
   }
 
+  // No matter where the binary was sourced from, ensure it matches the
+  // expected checksum
+  if (isSome(targetRelease.checksum)) {
+    const fileBuffer = fs.readFileSync(destinationFilename);
+    const hash = createHash("sha256");
+    hash.update(fileBuffer);
+    const calculatedChecksum = hash.digest("hex");
+    const expectedChecksum = targetRelease.checksum.value;
+    if (calculatedChecksum !== expectedChecksum) {
+      const target = `${targetRelease.slug}@${targetRelease.tag}:sha256-${expectedChecksum}`;
+      console.error(
+        `Expected checksum ${expectedChecksum}, but got ${calculatedChecksum}`
+      );
+      throw new Error(`Unexpected checksum for ${target}`);
+    } else {
+      console.debug(
+        `Calculated checksum ${calculatedChecksum} matches expected checksum ${expectedChecksum}`
+      );
+    }
+  }
+
   // Permissions are an attribute of the filesystem, not the file.
   // Set the executable permission on the binary no matter where it came from.
   fs.chmodSync(destinationFilename, "755");