bsv-blockchain · mrz1836 · Jun 1, 2026 · Jun 1, 2026
@@ -22,6 +22,8 @@ vendor/
 # Binaries for programs and plugins
 dist/
 !dist/linux/
+!dist/linux-amd64/
+!dist/linux-arm64/
 gin-bin
 *.exe
 *.exe~

@@ -3,8 +3,6 @@
 #
 #  Purpose: YAML formatting configuration for the mage-x (yamlfmt) tool
 #
-#  Maintainer: @mrz1836
-#
 # ------------------------------------------------------------------------------------
 
 formatter:
@@ -74,6 +72,9 @@ exclude:
   - "**/*.swo"
   - "**/*~"
 
+  # Test fixtures (intentionally malformed YAML used by ci-tester).
+  - ".github/ci-tester/fixtures/workflow-invalid/.github/workflows/invalid.yml"
+
   # Environment files
   - "**/env/**"
   - "**/.env.base"

@@ -10,8 +10,6 @@
 .github/scripts/* @mrz1836
 .github/workflows/* @mrz1836
 .github/env/* @mrz1836
-.github/.env.base @mrz1836
-.github/.env.custom @mrz1836
 
 # MAGE-X
 .mage.yaml @mrz1836
@@ -43,7 +41,7 @@ codecov.yml @mrz1836
 
 # Security and configuration files
 .github/SECURITY.md @mrz1836
-.github/.gitleaks.toml @mrz1836
+.gitleaksignore @mrz1836
 
 # Repository configuration
 .github/labels.yml @mrz1836

@@ -46,6 +46,7 @@ runs:
       id: load-env
       shell: bash
       run: |
+        set -euo pipefail
         echo "📋 Loading environment configuration..."
 
         LOADER_SCRIPT=".github/env/load-env.sh"

@@ -105,7 +105,7 @@ runs:
     # --------------------------------------------------------------------
     - name: ✅ Install GoReleaser (cache miss)
       if: steps.check-existing.outputs.exists != 'true' && steps.goreleaser-cache.outputs.cache-hit != 'true'
-      uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
+      uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
       with:
         distribution: goreleaser
         version: ${{ inputs.goreleaser-version }}

@@ -156,12 +156,49 @@ runs:
             --pattern "$ASSET_NAME" \
             --dir .; then
           echo "✅ Download successful"
-          mv "$ASSET_NAME" mage-x.tar.gz
         else
           echo "❌ Download failed for $ASSET_NAME from mrz1836/mage-x@$VERSION"
           exit 1
         fi
 
+        # Verify SHA256 integrity against the release's checksums file before extraction.
+        # Without this, a compromised release asset would silently be executed.
+        # GoReleaser names the file mage-x_${VERSION}_checksums.txt by default.
+        CHECKSUMS_FILE="mage-x_${CLEAN_VERSION}_checksums.txt"
+        echo "🔐 Verifying SHA256 checksum against $CHECKSUMS_FILE..."
+        if ! gh release download "$VERSION" \
+            --repo mrz1836/mage-x \
+            --pattern "$CHECKSUMS_FILE" \
+            --dir .; then
+          echo "❌ Failed to download $CHECKSUMS_FILE from mrz1836/mage-x@$VERSION"
+          echo "❌ Cannot verify binary integrity — refusing to proceed"
+          exit 1
+        fi
+
+        EXPECTED_HASH=$(grep " ${ASSET_NAME}\$" "$CHECKSUMS_FILE" | awk '{print $1}')
+        if [[ -z "$EXPECTED_HASH" ]]; then
+          echo "❌ No checksum entry found for $ASSET_NAME in $CHECKSUMS_FILE"
+          echo "📋 $CHECKSUMS_FILE contents:"
+          cat "$CHECKSUMS_FILE"
+          exit 1
+        fi
+
+        if command -v sha256sum >/dev/null 2>&1; then
+          ACTUAL_HASH=$(sha256sum "$ASSET_NAME" | awk '{print $1}')
+        else
+          ACTUAL_HASH=$(shasum -a 256 "$ASSET_NAME" | awk '{print $1}')
+        fi
+
+        if [[ "$ACTUAL_HASH" != "$EXPECTED_HASH" ]]; then
+          echo "❌ Checksum mismatch for $ASSET_NAME"
+          echo "   Expected: $EXPECTED_HASH"
+          echo "   Actual:   $ACTUAL_HASH"
+          exit 1
+        fi
+        echo "✅ SHA256 checksum verified: $ACTUAL_HASH"
+
+        mv "$ASSET_NAME" mage-x.tar.gz
+
         # Extract the tarball
         if tar -xzf mage-x.tar.gz; then
           echo "✅ Extraction successful"