fix: verify chainctl checksum after download and pin pip dependency

Add SHA256 checksum verification for the chainctl binary download using
the published chainctl_checksums.txt file. Pin keyrings-chainguard-libraries
to version 0.2.0 to prevent supply chain attacks via unpinned dependency.

Fixes: FIND-007, FIND-043

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: antitree

action.yaml

@@ -125,6 +125,27 @@ runs:
         else
           curl -o ./${out} -fsL --retry 5 --retry-delay 1 --retry-all-errors "${url}"
         fi
+
+        # Verify chainctl binary checksum
+        checksums_url="https://dl.${{ inputs.environment }}/chainctl/latest/chainctl_checksums.txt"
+        echo "Downloading checksums from ${checksums_url}"
+        curl -o checksums.txt -fsL --retry 3 --retry-delay 1 "${checksums_url}"
+        expected=$(grep "chainctl_${os}_${arch}" checksums.txt | awk '{print $1}')
+        if [[ -z "${expected}" ]]; then
+          echo "::error::No checksum found for chainctl_${os}_${arch} in checksums.txt"
+          exit 1
+        fi
+        if command -v sha256sum &>/dev/null; then
+          actual=$(sha256sum ./${out} | awk '{print $1}')
+        else
+          actual=$(shasum -a 256 ./${out} | awk '{print $1}')
+        fi
+        if [[ "${expected}" != "${actual}" ]]; then
+          echo "::error::Checksum mismatch for chainctl: expected ${expected}, got ${actual}"
+          exit 1
+        fi
+        echo "Checksum verified for chainctl_${os}_${arch}"
+
         chmod +x ./${out}
         echo "$(pwd)" >> $GITHUB_PATH
 
@@ -211,4 +232,4 @@ runs:
       name: Install Python keyring package
       shell: bash
       run: |
-        python -m pip install "keyrings-chainguard-libraries"
+        python -m pip install "keyrings-chainguard-libraries==0.2.0"