
chore: Cherry-picked changes from upstream #170

Closed
github-actions[bot] wants to merge 4 commits into main from auto-cherry-pick

Conversation

@github-actions
Contributor

Cherry-picked changes from upstream.

github-actions bot added 4 commits July 17, 2025 08:29
* support checksum
@github-actions
Contributor Author

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v2.4.0

⚠️ Completely Skipped Commits Due to only modifying files in: package.json, package-lock.json, yarn.lock, node_modules/, dist/, or .gitignore

  • af4b5b2b4b504357648f42c0b6f8eac368f8effc

❗ Missing Files:

  • CHANGELOG.md

🛑 Workflow Files (Cannot be auto-applied by GitHub Actions):

  • .github/workflows/test.yml from commit ca0739281766113ba92486b7d71bcca5ce708a7a

@Raj-StepSecurity Raj-StepSecurity added the "review required" label (Triggers Claude code review workflow) Jul 17, 2025
@claude

claude bot commented Jul 17, 2025

Claude finished @github-actions[bot]'s task


✅ PR Review Complete

I've thoroughly reviewed this cherry-pick PR and here's my comprehensive analysis:

Review Summary:

  • Read and analyze all changed files
  • Review action.yml changes for security and completeness
  • Review src/index.ts changes for security issues
  • Review dist/index.js changes for consistency
  • Verify cherry-picked changes are complete and consistent
  • Check for potential security vulnerabilities
  • Provide comprehensive feedback and recommendations

🔍 Changes Analysis

This PR successfully cherry-picks checksum support functionality from upstream with the following changes:

  1. action.yml: Added sha256 input parameter for binary verification
  2. src/index.ts: Added SHA256 checksum validation logic (13 lines)
  3. dist/index.js & dist/index.js.map: Properly rebuilt compiled outputs

🔒 Security Assessment

SECURE - The cherry-picked changes are security-positive:

  • Strong cryptographic validation: Uses Node.js crypto module for SHA256 hashing
  • Proper error handling: Throws clear error on checksum mismatch
  • No injection vulnerabilities: Hash comparison uses safe string equality
  • Defense in depth: Adds integrity verification to binary downloads

Code Analysis (src/index.ts:229-242):

// compare with provided hash
const want = core.getInput('sha256')
if (want) {
  const hash = crypto.createHash('sha256')
  const fileBuffer = await fs.promises.readFile(miseBinPath)
  const got = hash.update(fileBuffer).digest('hex')
  if (got !== want) {
    throw new Error(
      `SHA256 mismatch: expected ${want}, got ${got} for ${miseBinPath}`
    )
  }
}

Completeness Verification

Cherry-pick is COMPLETE and CONSISTENT:

  • All related changes are included (action.yml + implementation + build)
  • No missing dependencies or incomplete features
  • Dist files properly rebuilt to match source changes
  • No breaking changes to existing functionality

Commit Analysis:

  • c3dc50d - Added action.yml input parameter
  • a1838af - Added checksum validation logic
  • cd62dc1 & 68c78dd - Rebuilt dist files correctly

📋 Recommendations

  1. ✅ APPROVE - This cherry-pick is ready for merge
  2. Testing: Consider adding tests for checksum validation functionality
  3. Documentation: Update README/docs to mention new sha256 parameter
  4. CHANGELOG: Add entry for checksum support feature (as noted in PR description)

🚨 Notes from PR Description

  • Skipped commits: Only package.json/lock file changes (expected behavior)
  • Missing CHANGELOG.md: Should be updated separately
  • Workflow files: Cannot be auto-applied (manual intervention needed)

Overall Assessment: ✅ SECURE and COMPLETE

This cherry-pick successfully adds checksum verification functionality without introducing security vulnerabilities. The implementation follows security best practices and is ready for production use.

