Supply chain component version fixes

[bk201]

Pin various components to fixed versions.

[Copilot]

Pull request overview

Pins several build and CI dependencies to fixed versions and adds checksum verification to improve supply-chain integrity.

Changes:

• Pin downloaded CLI tools (wharfie, yq, helm, terraform, dapper) to explicit versions and add checksum verification.
• Replace golangci-lint install script usage with a versioned go install.
• Pin rancher-eio/read-vault-secrets GitHub Action to a specific commit SHA across workflows.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
package/harvester-os/Dockerfile	Pins wharfie version and adds SHA256 verification for downloaded binary
Makefile	Pins dapper download to v0.6.0 and adds SHA512 verification
Dockerfile.dapper	Pins yq, golangci-lint, and helm with checksum verification for downloaded artifacts
.github/workflows/vagrant-install.yaml	Pins Terraform version and verifies downloaded zip checksum
.github/workflows/fossa.yml	Pins read-vault-secrets action to a specific commit
.github/workflows/build.yml	Pins read-vault-secrets action to a specific commit

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

${!WHARFIE_SUM} relies on Bash-specific indirect parameter expansion, but this Dockerfile doesn't set SHELL to bash. On base images where /bin/sh isn't bash, the build will fail at checksum verification. Consider switching to a POSIX-compatible selection (e.g., case "$ARCH" ...) or explicitly setting SHELL ["/bin/bash", "-c"] before this RUN.

Suggested change

	RUN curl -sfL https://github.com/rancher/wharfie/releases/download/${WHARFIE_VERSION}/wharfie-${ARCH} -o /usr/bin/wharfie \
	&& echo "${!WHARFIE_SUM}" /usr/bin/wharfie | sha256sum -c - \
	&& chmod +x /usr/bin/wharfie
	RUN set -e; \
	case "$ARCH" in \
	amd64) sum="$WHARFIE_SUM_amd64" ;; \
	arm64) sum="$WHARFIE_SUM_arm64" ;; \
	*) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \
	esac; \
	curl -sfL "https://github.com/rancher/wharfie/releases/download/${WHARFIE_VERSION}/wharfie-${ARCH}" -o /usr/bin/wharfie; \
	echo "$sum /usr/bin/wharfie" | sha256sum -c -; \
	chmod +x /usr/bin/wharfie

[Copilot]

${!YQ_SUM} uses Bash-only indirect expansion, but the Dockerfile doesn't set SHELL to bash. If /bin/sh isn't bash, checksum verification will fail. Prefer a POSIX-compatible approach (e.g., case "$ARCH" to choose the expected sum) or set SHELL to bash explicitly.

[Copilot]

RUN echo ${HELM_URL} references HELM_URL, but that variable is no longer defined in this Dockerfile. This looks like leftover debug output and also adds an extra image layer; remove it or reintroduce the missing variable definition if it's still needed.

Suggested change

RUN echo ${HELM_URL}

[bk201]

Fixed.

[Copilot]

${!HELM_SUM} relies on Bash-specific indirect parameter expansion. Since this Dockerfile doesn't set SHELL to bash, builds can break on images where /bin/sh isn't bash. Use a POSIX-compatible checksum selection (e.g., case "$ARCH") or set SHELL to bash before this step.