Fix/binary sha verification (#49)

* build: add checksum verification for downloaded binaries

Pin versions and add SHA256 checksum verification for all binaries
downloaded.

Signed-off-by: Zespre Chang <zespre.chang@suse.com>

* fix: ignore prealloc lint for allErrs

Signed-off-by: Zespre Chang <zespre.chang@suse.com>

* fix: address PR review comments on checksum verification

Fix typo in Dockerfile comment, use mktemp for safe temp file handling
in the Helm install target, and add shasum fallback for macOS
portability.

Signed-off-by: Zespre Chang <zespre.chang@suse.com>

---------

Signed-off-by: Zespre Chang <zespre.chang@suse.com>

Author: starbops

.github/workflows/pull-request.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Run linter
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
         with:
-          version: v2.8.0
+          version: v2.11.4
 
   test:
     name: Test

.github/workflows/test-chart.yml

@@ -24,9 +24,19 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - name: Install the latest version of kind
+      - name: Install kind v0.31.0
         run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
+          KIND_VERSION=v0.31.0
+          KIND_SHA256_AMD64=eb244cbafcc157dff60cf68693c14c9a75c4e6e6fedaf9cd71c58117cb93e3fa
+          KIND_SHA256_ARM64=8e1014e87c34901cc422a1445866835d1e666f2a61301c27e722bdeab5a1f7e4
+          ARCH=$(go env GOARCH)
+          case "${ARCH}" in
+            amd64) KIND_SHA256=${KIND_SHA256_AMD64} ;;
+            arm64) KIND_SHA256=${KIND_SHA256_ARM64} ;;
+            *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;;
+          esac
+          curl -Lo ./kind "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-${ARCH}"
+          echo "${KIND_SHA256}  ./kind" | sha256sum -c -
           chmod +x ./kind
           sudo mv ./kind /usr/local/bin/kind
 

.github/workflows/test-e2e.yml

@@ -24,9 +24,19 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - name: Install the latest version of kind
+      - name: Install kind v0.31.0
         run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
+          KIND_VERSION=v0.31.0
+          KIND_SHA256_AMD64=eb244cbafcc157dff60cf68693c14c9a75c4e6e6fedaf9cd71c58117cb93e3fa
+          KIND_SHA256_ARM64=8e1014e87c34901cc422a1445866835d1e666f2a61301c27e722bdeab5a1f7e4
+          ARCH=$(go env GOARCH)
+          case "${ARCH}" in
+            amd64) KIND_SHA256=${KIND_SHA256_AMD64} ;;
+            arm64) KIND_SHA256=${KIND_SHA256_ARM64} ;;
+            *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;;
+          esac
+          curl -Lo ./kind "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-${ARCH}"
+          echo "${KIND_SHA256}  ./kind" | sha256sum -c -
           chmod +x ./kind
           sudo mv ./kind /usr/local/bin/kind
 

Dockerfile

@@ -55,14 +55,39 @@ ENV KUBECTL_VERSION=v1.33.7
 ENV KUBEVIRT_VERSION=v1.7.1
 ENV YQ_VERSION=v4.52.4
 ENV WHARFIE_VERSION=v0.7.0
+
+# SHA256 checksums for verifying downloaded binaries (per architecture)
+# To update: download the new binary and run `sha256sum <binary>`.
+# kubectl: checksums available at https://dl.k8s.io/release/<ver>/bin/linux/<arch>/kubectl.sha256
+# virtctl: checksums available at https://github.com/kubevirt/kubevirt/releases/tag/<ver>
+# yq: checksums available at https://github.com/mikefarah/yq/releases/download/<ver>/checksums
+# wharfie: checksums at https://github.com/rancher/wharfie/releases/download/<ver>/sha256sum-<arch>.txt
+ENV KUBECTL_SHA256_AMD64=471d94e208a89be62eb776700fc8206cbef11116a8de2dc06fc0086b0015375b
+ENV KUBECTL_SHA256_ARM64=fa7ee98fdb6fba92ae05b5e0cde0abd5972b2d9a4a084f7052a1fd0dce6bc1de
+ENV VIRTCTL_SHA256_AMD64=e0efcfc708067fa45232f3bab9cb2de3dbcd812d4c9aab88c727025fb213079f
+ENV VIRTCTL_SHA256_ARM64=7737d967bc8512abedfdaa8a61a3512f93894c12162f9dde4fab73402a4f42d5
+ENV YQ_SHA256_AMD64=0c4d965ea944b64b8fddaf7f27779ee3034e5693263786506ccd1c120f184e8c
+ENV YQ_SHA256_ARM64=4c2cc022a129be5cc1187959bb4b09bebc7fb543c5837b93001c68f97ce39a5d
+ENV WHARFIE_SHA256_AMD64=e5ff747b2f9f4155ce7b68917bac9dbe8a6a85727a94b0c8e6faca9252931e91
+ENV WHARFIE_SHA256_ARM64=b8e02fe61d4f8cb1bd7927fd5e34b49b4dcf802c52670adfaa4527ed3d9afc41
+
 RUN zypper rm -y container-suseconnect && \
     zypper --no-gpg-checks ref && \
     zypper in -y curl e2fsprogs rsync awk zstd jq helm zip unzip nginx util-linux && \
     zypper clean -a && \
-    curl -sfL https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl -o /usr/bin/kubectl && chmod +x /usr/bin/kubectl && \
-    curl -sfL https://github.com/kubevirt/kubevirt/releases/download/${KUBEVIRT_VERSION}/virtctl-${KUBEVIRT_VERSION}-linux-${TARGETARCH} -o /usr/bin/virtctl && chmod +x /usr/bin/virtctl && \
-    curl -sfL https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${TARGETARCH} -o /usr/bin/yq && chmod +x /usr/bin/yq && \
-    curl -sfL https://github.com/rancher/wharfie/releases/download/${WHARFIE_VERSION}/wharfie-${TARGETARCH} -o /usr/bin/wharfie && chmod +x /usr/bin/wharfie
+    case "${TARGETARCH}" in \
+      amd64) KUBECTL_SHA256=${KUBECTL_SHA256_AMD64}; VIRTCTL_SHA256=${VIRTCTL_SHA256_AMD64}; YQ_SHA256=${YQ_SHA256_AMD64}; WHARFIE_SHA256=${WHARFIE_SHA256_AMD64} ;; \
+      arm64) KUBECTL_SHA256=${KUBECTL_SHA256_ARM64}; VIRTCTL_SHA256=${VIRTCTL_SHA256_ARM64}; YQ_SHA256=${YQ_SHA256_ARM64}; WHARFIE_SHA256=${WHARFIE_SHA256_ARM64} ;; \
+      *) echo "Unsupported architecture: ${TARGETARCH}" && exit 1 ;; \
+    esac && \
+    curl -sfL https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl -o /usr/bin/kubectl && \
+    echo "${KUBECTL_SHA256}  /usr/bin/kubectl" | sha256sum -c - && chmod +x /usr/bin/kubectl && \
+    curl -sfL https://github.com/kubevirt/kubevirt/releases/download/${KUBEVIRT_VERSION}/virtctl-${KUBEVIRT_VERSION}-linux-${TARGETARCH} -o /usr/bin/virtctl && \
+    echo "${VIRTCTL_SHA256}  /usr/bin/virtctl" | sha256sum -c - && chmod +x /usr/bin/virtctl && \
+    curl -sfL https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${TARGETARCH} -o /usr/bin/yq && \
+    echo "${YQ_SHA256}  /usr/bin/yq" | sha256sum -c - && chmod +x /usr/bin/yq && \
+    curl -sfL https://github.com/rancher/wharfie/releases/download/${WHARFIE_VERSION}/wharfie-${TARGETARCH} -o /usr/bin/wharfie && \
+    echo "${WHARFIE_SHA256}  /usr/bin/wharfie" | sha256sum -c - && chmod +x /usr/bin/wharfie
 
 RUN useradd -r -u 1000 -U -s /sbin/nologin -d /nonexistent upgrade-toolkit
 

Makefile

@@ -217,7 +217,7 @@ CONTROLLER_TOOLS_VERSION ?= v0.18.0
 ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
 #ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31)
 ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
-GOLANGCI_LINT_VERSION ?= v2.8.0
+GOLANGCI_LINT_VERSION ?= v2.11.4
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -280,11 +280,24 @@ HELM_EXTRA_ARGS ?=
 install-external-crds: ## Install external stub CRDs required by Kind-based CI tests.
 	kubectl apply -f hack/external-stub-crds.yaml
 
+HELM_INSTALL_SCRIPT_SHA ?= 5ae85868d45ca7bb9ac3ef7a10e0db54b8a8695c
+HELM_INSTALL_SCRIPT_CHECKSUM ?= b68c5f694cff19f14ee8a5784ffd3de27fa7034ec8f973d703fc6fb85496ced7
+
 .PHONY: install-helm
-install-helm: ## Install the latest version of Helm.
+install-helm: ## Install Helm using a pinned installer script.
 	@command -v $(HELM) >/dev/null 2>&1 || { \
 		echo "Installing Helm..." && \
-		curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4 | bash; \
+		tmp_script=$$(mktemp) && \
+		trap 'rm -f $$tmp_script' EXIT INT HUP TERM && \
+		curl -fsSL "https://raw.githubusercontent.com/helm/helm/$(HELM_INSTALL_SCRIPT_SHA)/scripts/get-helm-4" -o $$tmp_script && \
+		if command -v sha256sum >/dev/null 2>&1; then \
+			echo "$(HELM_INSTALL_SCRIPT_CHECKSUM)  $$tmp_script" | sha256sum -c -; \
+		elif command -v shasum >/dev/null 2>&1; then \
+			echo "$(HELM_INSTALL_SCRIPT_CHECKSUM)  $$tmp_script" | shasum -a 256 -c -; \
+		else \
+			echo "WARNING: no sha256sum or shasum found, skipping checksum verification" >&2; \
+		fi && \
+		bash $$tmp_script; \
 	}
 
 .PHONY: helm-deploy

internal/webhook/v1beta1/upgradeplan_webhook.go

@@ -102,7 +102,7 @@ func (v *UpgradePlanCustomValidator) ValidateCreate(ctx context.Context, obj run
 		return nil, nil
 	}
 
-	var allErrs field.ErrorList
+	var allErrs field.ErrorList //nolint:prealloc // each validator returns variable-length errors
 
 	allErrs = append(allErrs, validateVersionExists(ctx, v.Client, upgradePlan)...)
 	allErrs = append(allErrs, validateNoConcurrentUpgrade(ctx, v.Client, upgradePlan.Name)...)
@@ -137,7 +137,7 @@ func (v *UpgradePlanCustomValidator) ValidateUpdate(ctx context.Context, _, newO
 	}
 	upgradeplanlog.Info("Validation for UpgradePlan upon update", "name", newUpgradePlan.GetName())
 
-	var allErrs field.ErrorList
+	var allErrs field.ErrorList //nolint:prealloc // each validator returns variable-length errors
 
 	allErrs = append(allErrs, validateNodeUpgradeOption(ctx, v.Client, newUpgradePlan)...)