fix: use hardcoded checksum for minisign verification (#16)

ramonclaudio · web-flow · commit eea3bb3a421c · 2025-09-07T11:19:43.000-04:00
* fix: use hardcoded checksum for minisign verification

The minisign releases provide .minisig signature files, not .sha256 checksums.
This fix uses a hardcoded SHA256 checksum to verify the minisign binary download
since the .sha256 file doesn't exist at the expected GitHub URL.

* fix: add concurrency control to prevent duplicate CI runs

Add concurrency groups to CI and Security workflows to prevent duplicate
runs when PRs are created and merged. The workflows will now cancel
in-progress runs when new commits are pushed, saving CI resources.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,10 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -66,13 +66,11 @@ jobs:
         run: |
           # Download minisign with checksum verification
           curl -LO https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz
-          curl -LO https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz.sha256
-          # Fix checksum format (file contains only hash, not "hash  filename" format)
-          echo "$(cat minisign-0.12-linux.tar.gz.sha256)  minisign-0.12-linux.tar.gz" > minisign-0.12-linux.tar.gz.sha256
-          sha256sum -c minisign-0.12-linux.tar.gz.sha256
+          # Verify against known checksum (minisign doesn't provide .sha256 files, only .minisig signatures)
+          echo "9a599b48ba6eb7b1e80f12f36b94ceca7c00b7a5173c95c3efc88d9822957e73  minisign-0.12-linux.tar.gz" | sha256sum -c
           tar xzf minisign-0.12-linux.tar.gz
           sudo mv minisign-linux/x86_64/minisign /usr/local/bin/
-          rm -f minisign-0.12-linux.tar.gz minisign-0.12-linux.tar.gz.sha256
+          rm -f minisign-0.12-linux.tar.gz
           
       - name: Setup minisign keys
         run: |
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '0 6 * * 1'  # Weekly on Monday at 6 AM UTC
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
