Skip to content

verify: accept validate* checksum helpers as JS download verification (unblocks #910)#912

Merged
potiuk merged 1 commit into
mainfrom
verify-accept-validate-checksum-helpers
Jun 5, 2026
Merged

verify: accept validate* checksum helpers as JS download verification (unblocks #910)#912
potiuk merged 1 commit into
mainfrom
verify-accept-validate-checksum-helpers

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented Jun 5, 2026

Summary

verify-action-build's binary-download check false-flagged the routine astral-sh/setup-uv bump in #910 as an unverified download.

The flagged line is src/download/download-version.ts:128:

const downloadPath = await tc.downloadTool(downloadUrl, undefined, githubToken);
await validateChecksum(checksum, downloadPath, arch, platform, version);

The download is verified — validateChecksum (imported from the sibling ./checksum/checksum) SHA-256s the artifact against a user-provided checksum or the built-in KNOWN_CHECKSUMS table. v8.2.0 just extracted that validation into the sibling module, moving the createHash token out of download-version.ts and tripping the same-file heuristic (which only knew verify*/compute*/calculate* helper names).

Fix

Add the validate* checksum-helper family to _JS_VERIFICATION_PATTERNS. The call name is the in-file evidence that survives the refactor.

Test plan

  • Regression tests in test_security.py (bare names + a faithful trim of the real setup-uv download→validate sequence).
  • uv run pytest utils/tests/ → 278 passed.
  • verify_action_build --from-pr 910 → exit 0, "verification present in file".
  • prek clean.

Case E in the analyze-action-pr skill — JS analogue of #800 (sibling sha256sum -c counts as verify).

🤖 Generated with Claude Code

@potiuk
verify: accept validate* checksum helpers as JS download verification
d17c15e 
astral-sh/setup-uv@v8.2.0 refactored its uv-binary checksum validation
out of src/download/download-version.ts into a sibling module
(src/download/checksum/checksum.ts). The download site still calls
validateChecksum(checksum, downloadPath, …) immediately after
tc.downloadTool, but the same-file JS verification heuristic only
recognised verify*/compute*/calculate* helper names — so it lost the
createHash token and false-flagged the download as unverified,
blocking the routine setup-uv bump in #910.

Add the validate* checksum-helper family to the JS verification
markers, plus a regression test anchored to the real setup-uv source.

Generated-by: Claude Opus 4.8 (1M context)
@potiuk potiuk requested review from dfoulks1 and ppkarwasz as code owners June 5, 2026 00:44
@potiuk potiuk mentioned this pull request Jun 5, 2026
Merged
dfoulks1
dfoulks1 approved these changes Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dfoulks1 dfoulks1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@potiuk potiuk merged commit df5bdc0 into main Jun 5, 2026
7 checks passed
@potiuk potiuk deleted the verify-accept-validate-checksum-helpers branch June 5, 2026 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dfoulks1 dfoulks1 dfoulks1 approved these changes

@ppkarwasz ppkarwasz Awaiting requested review from ppkarwasz ppkarwasz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@potiuk @dfoulks1