@dependabot rebase

Bumps [opentofu/setup-opentofu](https://github.com/opentofu/setup-opentofu) from 2.0.1 to 2.0.2.
- [Release notes](https://github.com/opentofu/setup-opentofu/releases)
- [Commits](opentofu/setup-opentofu@847eaa4...a1320f8)

---
updated-dependencies:
- dependency-name: opentofu/setup-opentofu
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
9e89072 to 91245a8
potiuk left a comment
Approving on the basis of our internal verify-action-build tooling confirming the download is verified.
The verify CI here is a false positive. opentofu/setup-opentofu's lib/setup-tofu.js downloads via tc.downloadTool() and then validates the artifact — await fileSHA256(pathToCLIZip) checked against the release's SHA256SUMS, rejecting on mismatch. The createHash('sha256') body lives in the sibling lib/util.js, so the in-file evidence is only the fileSHA256(...) call name, which the scanner didn't yet recognize.
Fix is #1001. Running the patched tool against this PR:
✓ lib/setup-tofu.js: 1 JS download(s), verification present in file
Exit code: 0
Since our tooling now confirms the artifact is checksum-verified, merging this v2.0.1 → v2.0.2 bump. Admin-merging to bypass the stale verify check; it'll pass normally once #1001 lands.
Bumps opentofu/setup-opentofu from 2.0.1 to 2.0.2.
Release notes
Sourced from opentofu/setup-opentofu's releases.
Commits
- a1320f8 release docs and bump to 2.0.2 (#127)
- d3dc77d feat: verify download against published SHA256SUMS by default (#121)
- 5600721 chore(deps): Bump semver from 7.8.1 to 7.8.3 (#123)
- 7051243 chore(deps): Bump actions/checkout from 6.0.2 to 6.0.3 (#124)
- 50e079f chore(deps): Bump actions/checkout from 6 to 6.0.2
- 0c73a96 chore(deps): Bump semver from 7.8.0 to 7.8.1 (#119)
- 7526f4b chore(deps): Bump semver from 7.7.4 to 7.8.0
- a630d3b chore(deps-dev): Bump jest from 30.3.0 to 30.4.2
- 7e2b876 chore(deps): Bump @actions/core from 3.0.0 to 3.0.1