chore: supply chain hardening (#428)

Co-authored-by: grandizzy <38490174+grandizzy@users.noreply.github.com>

Author: decofe

.github/workflows/workflow-validation.yml

@@ -31,7 +31,13 @@ jobs:
         run: |
           set -euo pipefail
           version=1.7.8
-          curl -sSL "https://github.com/rhysd/actionlint/releases/download/v${version}/actionlint_${version}_linux_amd64.tar.gz" -o /tmp/actionlint.tgz
+          expected_sha256="be92c2652ab7b6d08425428797ceabeb16e31a781c07bc388456b4e592f3e36a"
+          curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${version}/actionlint_${version}_linux_amd64.tar.gz" -o /tmp/actionlint.tgz
+          actual_sha256=$(sha256sum /tmp/actionlint.tgz | cut -d' ' -f1)
+          if [ "$actual_sha256" != "$expected_sha256" ]; then
+            echo "::error::actionlint checksum mismatch: expected $expected_sha256, got $actual_sha256"
+            exit 1
+          fi
           tar -xzf /tmp/actionlint.tgz -C /tmp
           sudo mv /tmp/actionlint /usr/local/bin/actionlint
       - name: Run actionlint

Cargo.lock

@@ -47,7 +47,7 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 sha2 = "0.11"
 tempfile = "3.27"
-tempo-primitives = { git = "https://github.com/tempoxyz/tempo.git", features = ["serde"] }
+tempo-primitives = { git = "https://github.com/tempoxyz/tempo.git", rev = "7d809cf350e35c92b420a18672222b710f86f77a", features = ["serde"] }
 thiserror = "2.0"
 time = "0.3"
 tokio = { version = "1.51", features = ["macros", "rt-multi-thread", "signal"] }
@@ -68,5 +68,5 @@ predicates = "3.1"
 serial_test = "3.2"
 
 [patch.crates-io]
-tempo-alloy = { git = "https://github.com/tempoxyz/tempo.git" }
-tempo-primitives = { git = "https://github.com/tempoxyz/tempo.git" }
+tempo-alloy = { git = "https://github.com/tempoxyz/tempo.git", rev = "7d809cf350e35c92b420a18672222b710f86f77a" }
+tempo-primitives = { git = "https://github.com/tempoxyz/tempo.git", rev = "7d809cf350e35c92b420a18672222b710f86f77a" }