chains-project · LogFlames · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
diff --git a/.github/actions/ghasum/action.yml b/.github/actions/ghasum/action.yml
@@ -5,43 +5,204 @@ inputs:
     description: Update or verify checksums. Valid options are "update" and "verify".
     required: false
     default: "verify"
+  checksum:
+    description: The checksum of the ghasum checksums file
+    required: false
+    default: 95d891957f28101aff06353c1dd74dd98145327ea568eb9d81e80a4bfd623ddaed461eb55b34148ec977ea92f57f01cbf7949682947d7586fcb31a47c725aca2 # Set the 'checksums-sha512.txt' file's checksum.
+  version:
+    description: The version of ghasum to use
+    required: false
+    default: v0.6.0         # Set the ghasum version.
 
 runs:
   using: composite
   steps:
-    - name: Downloading ghasum
+    # Unix download
+    - name: Initialize ghasum directory
+      if: runner.os == 'macOS' || runner.os == 'Linux'
+      shell: bash
+      run: mkdir -p /tmp/ghasum
+    - name: Download ghasum checksums
+      if: runner.os == 'macOS' || runner.os == 'Linux'
+      shell: bash
+      working-directory: /tmp/ghasum
       env:
-        VERSION: v0.5.1
-        CHECKSUM: 57270991fee8c7e0f00f5d27c36f514c1743621f11bd53685c3153477a4929de2851f2fb7d4a3f5b2a68c85203b35759d580a023544665b466a3298047034c64
+        CHECKSUM: ${{ inputs.checksum }}
         GH_TOKEN: ${{ github.token }}
+        VERSION: ${{ inputs.version }}
       run: |
-        # Download the ghasum CLI
-        ARTIFACT="ghasum_linux_amd64.tar.gz"
-        gh release download "${VERSION}" --repo chains-project/ghasum --pattern "${ARTIFACT}"
-        echo "${CHECKSUM}  ${ARTIFACT}" | shasum -a 512 -c -
-        tar -xf "${ARTIFACT}"
+        ARTIFACT='checksums-sha512.txt'
+        gh release download "$VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
+        echo "$CHECKSUM  $ARTIFACT" | shasum -a 256 -c -
 
-      shell: bash
+    # Windows download
+    - name: Initialize ghasum directory
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: mkdir C:\ghasum
+    - name: Download ghasum checksums
+      if: runner.os == 'Windows'
+      shell: pwsh
+      working-directory: C:\ghasum
+      env:
+        CHECKSUM: ${{ inputs.checksum }}
+        GH_TOKEN: ${{ github.token }}
+        VERSION: ${{ inputs.version }}
+      run: |
+        $ARTIFACT = "checksums-sha512.txt"
+        gh release download "$env:VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
+        if ((Get-FileHash -Algorithm SHA256 "$ARTIFACT").Hash -ne "$env:CHECKSUM") {
+          Write-Error 'Checksum mismatch!'
+          exit 1
+        } else {
+          Write-Host 'Checksum match'
+        }
 
-    - name: Verifying action checksums
-      if: inputs.mode == 'verify'
+    # macOS
+    - name: Pick the ghasum CLI (amd64)
+      if: runner.os == 'macOS' && runner.arch == 'X64'
+      id: pick-macos-amd64
+      shell: bash
+      run: echo 'artifact=ghasum_darwin_amd64.tar.gz' >>"$GITHUB_OUTPUT"
+    - name: Pick the ghasum CLI (arm64)
+      if: runner.os == 'macOS' && runner.arch == 'ARM64'
+      id: pick-macos-arm64
+      shell: bash
+      run: echo 'artifact=ghasum_darwin_arm64.tar.gz' >>"$GITHUB_OUTPUT"
+    - name: Download the ghasum CLI
+      if: runner.os == 'macOS'
+      shell: bash
+      working-directory: /tmp/ghasum
+      env:
+        ARTIFACT: ${{ steps.pick-macos-amd64.outputs.artifact || steps.pick-macos-arm64.outputs.artifact }}
+        GH_TOKEN: ${{ github.token }}
+        VERSION: ${{ inputs.version }}
+      run: |
+        gh release download "$VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
+        shasum --check --ignore-missing checksums-sha512.txt
+        tar -xf "$ARTIFACT"
+    - name: Verify the action checksums
+      if: runner.os == 'macOS' && inputs.mode == 'verify'
+      shell: bash
       env:
         JOB: ${{ github.job }}
         WORKFLOW: ${{ github.workflow_ref }}
       run: |
-        # Verify the action checksums
-        WORKFLOW=$(echo "${WORKFLOW}" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
-        ./ghasum verify -cache /home/runner/work/_actions -no-evict -offline "${WORKFLOW}:${JOB}"
+        WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+        /tmp/ghasum/ghasum verify -cache /Users/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"
+    - name: Updating action checksums
+      if: runner.os == 'macOS' && inputs.mode == 'update'
       shell: bash
+      run: |
+        /tmp/ghasum/ghasum update -force
 
-    - name: Updating action checksums
-      if: inputs.mode == 'update'
+    # Linux
+    - name: Pick the ghasum CLI (amd64)
+      if: runner.os == 'Linux' && runner.arch == 'X64'
+      id: pick-linux-amd64
+      shell: bash
+      run: echo 'artifact=ghasum_linux_amd64.tar.gz' >>"$GITHUB_OUTPUT"
+    - name: Pick the ghasum CLI (arm64)
+      if: runner.os == 'Linux' && runner.arch == 'ARM64'
+      id: pick-linux-arm64
+      shell: bash
+      run: echo 'artifact=ghasum_linux_arm64.tar.gz' >>"$GITHUB_OUTPUT"
+    - name: Download the ghasum CLI
+      if: runner.os == 'Linux'
+      shell: bash
+      working-directory: /tmp/ghasum
+      env:
+        ARTIFACT: ${{ steps.pick-linux-amd64.outputs.artifact || steps.pick-linux-arm64.outputs.artifact }}
+        GH_TOKEN: ${{ github.token }}
+        VERSION: ${{ inputs.version }}
+      run: |
+        gh release download "$VERSION" --repo chains-project/ghasum --pattern "$ARTIFACT"
+        shasum --check --ignore-missing checksums-sha512.txt
+        tar -xf "$ARTIFACT"
+    - name: Verify the action checksums
+      if: runner.os == 'Linux' && inputs.mode == 'verify'
+      shell: bash
+      env:
+        JOB: ${{ github.job }}
+        WORKFLOW: ${{ github.workflow_ref }}
       run: |
-        # Update the action checksums
-        ./ghasum update -force
+        WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+        /tmp/ghasum/ghasum verify -cache /home/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"
+    - name: Updating action checksums
+      if: runner.os == 'Linux' && inputs.mode == 'update'
       shell: bash
+      run: |
+        /tmp/ghasum/ghasum update -force
 
-    - name: Remove ghasum binary
+    # Windows
+    - name: Pick the ghasum CLI (amd64)
+      if: runner.os == 'Windows' && runner.arch == 'X64'
+      id: pick-windows-amd64
+      shell: pwsh
       run: |
-        rm -f ghasum ghasum_linux_amd64.tar.gz
+        'artifact=ghasum_windows_amd64.zip' >>"$env:GITHUB_OUTPUT"
+    - name: Pick the ghasum CLI (arm64)
+      if: runner.os == 'Windows' && runner.arch == 'ARM64'
+      id: pick-windows-arm64
+      shell: pwsh
+      run: |
+        'artifact=ghasum_windows_arm64.zip' >>"$env:GITHUB_OUTPUT"
+    - name: Download the ghasum CLI
+      if: runner.os == 'Windows'
+      shell: pwsh
+      working-directory: C:\ghasum
+      env:
+        ARTIFACT: ${{ steps.pick-windows-amd64.outputs.artifact || steps.pick-windows-arm64.outputs.artifact }}
+        GH_TOKEN: ${{ github.token }}
+        VERSION: ${{ inputs.version }}
+      run: |
+        gh release download "$env:VERSION" --repo chains-project/ghasum --pattern "$env:ARTIFACT"
+        $line = Get-Content checksums-sha512.txt | Where-Object { $_ -match "\b$env:ARTIFACT$" }
+        if (-not $line) {
+          Write-Error 'Checksum missing'
+          exit 2
+        } else {
+          if ($line -match "^([a-fA-F0-9]+)  $env:ARTIFACT$") {
+            $want = $matches[1]
+            $got = (Get-FileHash -Path $env:ARTIFACT -Algorithm SHA512).Hash
+            if ($got.ToLower() -ne $want.ToLower()) {
+              Write-Error 'Checksum mismatch'
+              exit 1
+            } else {
+              Write-Host 'Checksum match'
+              Expand-Archive -Path "$env:ARTIFACT" -DestinationPath .
+            }
+          } else {
+            Write-Error 'Checksums malformed'
+            exit 2
+          }
+        }
+    - name: Verify the action checksums
+      if: runner.os == 'Windows' && inputs.mode == 'verify'
+      shell: pwsh
+      env:
+        JOB: ${{ github.job }}
+        WORKFLOW: ${{ github.workflow_ref }}
+      run: |
+        $WorkflowParts = $env:WORKFLOW -split '@'
+        $WorkflowPath = ($WorkflowParts[0] -split '/')[2..4] -join '/'
+        if (Test-Path -Path 'C:\a\_actions') {
+          C:\ghasum\ghasum.exe verify -cache C:\a\_actions -no-evict -offline "${WorkflowPath}:$env:JOB"
+        } else {
+          C:\ghasum\ghasum.exe verify -cache D:\a\_actions -no-evict -offline "${WorkflowPath}:$env:JOB"
+        }
+    - name: Update the action checksums
+      if: runner.os == 'Windows' && inputs.mode == 'update'
+      shell: pwsh
+      run: |
+        C:\ghasum\ghasum.exe update -force
+
+    # Cleanup
+    - name: Cleanup (Unix)
+      if: runner.os == 'macOS' || runner.os == 'Linux'
       shell: bash
+      run: rm -rf /tmp/ghasum
+    - name: Cleanup (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: Remove-Item -Recurse -Force -Path C:\ghasum