Skip to content

ci: verify zstd checksum #4396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jpnurmi merged 1 commit into from
Aug 11, 2025
Merged

ci: verify zstd checksum #4396

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
ci: verify zstd checksum
  • Loading branch information
@jpnurmi
jpnurmi committed Jul 26, 2025
commit 953088f63eb984f15f04794ff983bcfc7b03c2dd
10 changes: 10 additions & 0 deletions .github/actions/install-zstd/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ inputs:
description: 'zstd version'
required: false
default: '1.5.7'
checksum:
description: 'zstd checksum'
required: false
default: 'acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9'
Copy link
Member

@bruno-garcia bruno-garcia Jul 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have an 'auto update' automation for this? We mainly manage them here: https://github.com/getsentry/github-workflows

Copy link
Collaborator Author

@jpnurmi jpnurmi Jul 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not at the moment, no. Ideally, we wouldn't have to maintain this at all if it was pre-installed on the win-11-arm runner :)

I suppose the second-best option would be to stay in sync with the Windows x64 runner. Surprisingly enough, instead of pinning a specific version, GitHub fetches the latest version of Zstd at the time of building the Windows runner image: https://github.com/actions/runner-images/blob/main/images/windows/scripts/build/Install-Zstd.ps1.

Copy link
Collaborator

@jamescrosswell jamescrosswell Aug 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's definitely easier to "set things up" by just pulling the latest version.

I've tried to avoid floating versions for dependencies, since sometimes it results in our CI builds failing without our having made any changes.

There's a relatively low chance of that happening with zstd but still, ideally we'd pin the version and configure auto-update so that when we do bump the version of this, it's done in a separate/isolated commit.

Copy link
Collaborator Author

@jpnurmi jpnurmi Aug 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub release assets have checksums since early June:
https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/

$ gh api repos/getsentry/sentry-dotnet/releases/tags/5.14.0 \
  --jq '.assets[] | select(.name == "Sentry.5.14.0.nupkg") | {name: .name, digest: .digest}'
{
  "digest": "sha256:362de4e2c771a40aabd82fa5683ab716fd9a7ad877ef25f969613a49e84e2bf9",
  "name": "Sentry.5.14.0.nupkg"
}

The latest zstd v1.5.7 was released in February and only has separate manually uploaded .sha256 files for zstd-1.5.7.tar.{gz|zst} but not for the .zip files for Windows.

$ gh api repos/facebook/zstd/releases/tags/v1.5.7 \
  --jq '.assets[] | select(.name == "zstd-v1.5.7-win64.zip") | {name: .name, digest: .digest}'
{
  "digest": null,
  "name": "zstd-v1.5.7-win64.zip"
}

Starting with the next zstd release, it should be possible to query the checksum.

==> #4432


runs:
using: composite
Expand All @@ -17,10 +21,16 @@ runs:
shell: pwsh
env:
ZSTD_VERSION: ${{ inputs.version }}
ZSTD_CHECKSUM: ${{ inputs.checksum }}
run: |
$url = "https://github.com/facebook/zstd/releases/download/v$env:ZSTD_VERSION/zstd-v$env:ZSTD_VERSION-win64.zip"
$installDir = "$env:RUNNER_TOOL_CACHE\zstd-v$env:ZSTD_VERSION-win64"
Invoke-WebRequest -OutFile "$env:TEMP\zstd.zip" -Uri $url
$checksum = (Get-FileHash "$env:TEMP\zstd.zip" -Algorithm SHA256).Hash.ToLower()
if ($checksum -ne $env:ZSTD_CHECKSUM) {
Write-Error "zstd checksum verification failed. Expected: $env:ZSTD_CHECKSUM, Actual: $checksum"
exit 1
}
Expand-Archive -Path "$env:TEMP\zstd.zip" -DestinationPath $env:RUNNER_TOOL_CACHE -Force
echo "$installDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
& "$installDir\zstd.exe" --version
Loading