Skip to content

feat(setup-pack): add pack-version-file input and verify download checksum#428

Open
somaz94 wants to merge 2 commits into
buildpacks:mainfrom
somaz94:feat/setup-pack-version-file-checksum
Open

feat(setup-pack): add pack-version-file input and verify download checksum#428
somaz94 wants to merge 2 commits into
buildpacks:mainfrom
somaz94:feat/setup-pack-version-file-checksum

Conversation

@somaz94

@somaz94 somaz94 commented Jun 19, 2026

Copy link
Copy Markdown

The setup-pack action only accepted an explicit pack-version, and it piped the downloaded archive straight into tar with no integrity check. This adds two things:

  1. A pack-version-file input that reads the version from a .tool-versions file (the pack entry) or a plain version file like .pack-version. When set it takes precedence over pack-version. The existing pack-version default line is left untouched so the update-pack-version automation keeps working.
  2. Default-on SHA256 verification. Each pack release publishes a sibling <asset>.sha256, so the action now downloads the archive to a temp file, verifies it against that checksum, and only then extracts. If the checksum cannot be fetched it warns and proceeds, so mirror / air-gapped setups are not broken.

Both changes are backward compatible: with neither input changed, behavior is identical except the download is now checksum verified.

Validation

Done locally (the repo has no composite-action test harness, only the Go unit tests):

  • Version resolution covered: default (no file), .tool-versions with a pack entry (including tab separated + trailing comment), plain version file (including a leading v and comment lines), missing-file error, and .tool-versions without a pack entry error.
  • Checksum path verified end to end against the real v0.40.6 linux asset: a matching sum passes, a corrupted archive is rejected, and tar member extraction still yields the pack binary.
  • shellcheck clean on both inline scripts.

…cksum

Signed-off-by: somaz <genius5711@gmail.com>
somaz94 added a commit to somaz94/somaz94 that referenced this pull request Jun 19, 2026
@dmikusa

dmikusa commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

This sounds great! A couple of notes/questions:

  1. Question about precedence of the operators:

When set it takes precedence over pack-version.

This sounds backwards to me. As I read this, my understanding is that pack-version-file would take precedent over pack-version. Typically, the inline version takes precedent so pack-version would override pack-version-file. As an example, see the setup-go action docs:

If both the go-version and the go-version-file inputs are provided then the go-version input is used.

https://github.com/actions/setup-go/blob/main/docs/advanced-usage.md#using-the-go-version-file-input

  1. Question about sha256 checksum validation. I gather that you've added this for the pack-version-file case, did you also add sha256 validation for the pack-version path? As a user, I'd expect both paths to work the same way.

@somaz94

somaz94 commented Jun 22, 2026

Copy link
Copy Markdown
Author

Thanks for the review!

On the checksum (2): it already covers both paths. The download and sha256 verification are in the shared "Install pack CLI" step that runs after version resolution, so the same archive is fetched and checked the same way whether the version came from pack-version or pack-version-file.

On precedence (1): you're right that inline-wins is the usual convention. I had the file win because pack-version carries a default (0.40.6, kept current by the update-pack-version workflow's sed on the default: line). Unlike setup-go's go-version, pack-version is never empty, so a composite action can't distinguish "user set 0.40.6" from "defaulted", and inline-always-wins would make pack-version-file unreachable.

If you're open to it I can match setup-go: drop the input default, resolve pack-version then pack-version-file then a fallback baked into the resolve step, and point the update-pack-version sed at that fallback line so the auto-bump still works. Or I keep file-as-override and just document it. Which do you prefer?

@somaz94 somaz94 marked this pull request as ready for review June 24, 2026 01:28
@somaz94 somaz94 requested review from a team and edmorley as code owners June 24, 2026 01:28

@jjbustamante jjbustamante left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@somaz94 , @dmikusa . @edmorley

The checksum validation in this PR is valuable and backward-compatible on its own, so I'd suggest we land it and handle the pack-version vs pack-version-file precedence question as a follow-up? For reference, here's the trade-off we'd revisit:

Scenario PR as-is (file wins) setup-go semantics (inline wins)
User sets nothing default 0.40.6 needs a fallback baked into the resolve step
User sets pack-version only that version that version
User sets pack-version-file only file version file version
User sets both file wins (non-standard) inline wins (standard)
update-pack-version auto-bump keeps working (default line untouched) breaks unless the sed is re-pointed
Convention match surprising familiar

Based on that, I agree with @somaz94 approach to drop the default and add the fallback but we need to be careful with the automation for update-pack-version we have in place right now.

…sion-file

Signed-off-by: somaz <genius5711@gmail.com>
@somaz94

somaz94 commented Jun 25, 2026

Copy link
Copy Markdown
Author

Thanks both. I went with the inline-wins redesign you endorsed rather than splitting, since it's contained to this PR:

  • Dropped the pack-version input default and added a FALLBACK_PACK_VERSION constant in the resolve step. Precedence is now pack-versionpack-version-file → fallback, so an explicit pack-version wins even when pack-version-file is set — matching setup-go's go-version / go-version-file rule (@dmikusa's point 1).
  • Re-pointed the update-pack-version workflow's sed from the old default: line to the new FALLBACK_PACK_VERSION='…' line, so the auto-bump keeps working (@jjbustamante's automation concern). Verified the regex still matches and rewrites the fallback line.
  • On @dmikusa's point 2: checksum verification already covers both paths — it runs in the shared "Install pack CLI" step after version resolution, so it applies regardless of which input set the version.

Behavior stays backward compatible: with nothing set, the fallback equals the previous default. Validated locally — precedence (both / file-only / neither / leading-v / missing-file) and the re-pointed sed, plus shellcheck clean. Happy to split checksum out instead if you'd still prefer that.

@edmorley edmorley left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR! Couple of comments but other than that looks good to go :-)

Comment thread setup-pack/action.yml
file like .pack-version (the first non-comment line is read). Used only
when pack-version is not set.
required: false
default: '0.40.6'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you update the PR description to reflect the decision to now remove the default input?

It currently say things like:

The existing pack-version default line is left untouched so the update-pack-version automation keeps working.

Both changes are backward compatible: with neither input changed

(it's now a breaking change, which is fine, but will mean a major version bump so best to state that in the PR description :-) )

Comment thread setup-pack/action.yml
# Fallback pack version, used only when neither pack-version nor
# pack-version-file is set. Kept current by the update-pack-version
# workflow (which rewrites the line below).
FALLBACK_PACK_VERSION='0.40.6'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(optional) I wonder if the fallback pack version would be best set as an env var under the env: block next to PACK_VERSION etc, so they are all in one place (and this constant isn't hidden within the inline script)? If so, then the sed in .github/workflows/update-pack-version.yml will also need updating.

Comment thread setup-pack/action.yml
;;
*)
# Plain version file: first non-empty, non-comment line
version="$(grep -vE '^[[:space:]]*(#|$)' "${PACK_VERSION_FILE}" | head -n1 | tr -d '[:space:]')"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude says:

  • Plain-file parser doesn't strip inline trailing comments (action.yml:57): 0.40.6 # pinned → tr -d collapses to 0.40.6#pinned → broken URL. The comment says "first non-empty, non-comment line", which a reader would expect to cover this. The .tool-versions path is safe (awk '{print $2}'). Minor; worth a comment caveat or a fix.

@edmorley edmorley added semver:major A change requiring a major version bump type:enhancement A general enhancement labels Jun 30, 2026
@edmorley

Copy link
Copy Markdown
Collaborator

Could you also rebase on main to resolve the merge conflicts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

semver:major A change requiring a major version bump type:enhancement A general enhancement

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants