Avoid flaky ort downloads in Linux CI #490
@@ -33,7 +33,7 @@ jobs: | |
| - platform: macos-latest-xlarge | ||
| args: --target universal-apple-darwin | ||
| - platform: ubuntu-latest-8-cores | ||
| args: "" | ||
| args: --verbose | ||
| runs-on: ${{ matrix.platform }} | ||
| steps: | ||
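Review bot: The switch from `args: ""` to `args: --verbose` on the ubuntu-latest-8-cores matrix entry is unrelated to the flaky-download fix named in the PR title; if it was added to diagnose the Linux failures, add a YAML comment saying so and plan to drop it once the new download step has proven stable, since verbose Tauri and cargo output noticeably lengthens the release logs.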
@@ -97,6 +97,19 @@ jobs: | |
| libayatana-appindicator3-dev \ | ||
| librsvg2-dev | ||
| - name: Provide ONNX Runtime (Linux) | ||
| if: matrix.platform == 'ubuntu-latest-8-cores' | ||
| run: | | ||
| ORT_VERSION=1.22.0 | ||
| ORT_ROOT="$RUNNER_TEMP/onnxruntime" | ||
| mkdir -p "$ORT_ROOT" | ||
| curl -fL --retry 5 --retry-delay 2 --retry-all-errors \ | ||
| "https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/onnxruntime-linux-x64-${ORT_VERSION}.tgz" \ | ||
| | tar -xz -C "$ORT_ROOT" | ||
| echo "ORT_LIB_LOCATION=$ORT_ROOT/onnxruntime-linux-x64-${ORT_VERSION}" >> "$GITHUB_ENV" | ||
| echo "ORT_SKIP_DOWNLOAD=true" >> "$GITHUB_ENV" | ||
Comment on lines +100 to +110

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Verify whether ONNX Runtime download steps currently have checksum validation.
rg -n --iglob '.github/workflows/*.yml' 'Provide ONNX Runtime|onnxruntime-linux-x64-|ORT_SHA256|sha256sum|shasum'
```

Repository: OpenSecretCloud/Maple
Length of output: 214

🏁 Script executed:

```bash
#!/bin/bash
# First, find workflow files in .github/workflows/
fd -e yml -e yaml . .github/workflows/ 2>/dev/null || fd -e yml -e yaml . .github/ 2>/dev/null || find .github -name "*release*" -type f 2>/dev/null
```

Repository: OpenSecretCloud/Maple
Length of output: 384

🏁 Script executed:

```bash
#!/bin/bash
# Read the file to check its size and content around lines 100-110
wc -l .github/workflows/release.yml
echo "---"
# Read lines 95-115 to see context around the specified lines
sed -n '95,115p' .github/workflows/release.yml
```

Repository: OpenSecretCloud/Maple
Length of output: 950

🏁 Script executed:

```bash
#!/bin/bash
# Search the entire release.yml file for checksum/hash/integrity verification
echo "=== Searching for checksum validation in release.yml ==="
rg -i 'sha256|checksum|sha1|integrity|verify.*hash' .github/workflows/release.yml
echo "=== Searching for 'ORT_SHA256' or similar patterns ==="
rg 'ORT_SHA256|ORT.*HASH' .github/workflows/release.yml
echo "=== Count of tar invocations with piped curl ==="
rg 'curl.*\|.*tar' .github/workflows/release.yml -A 2
```

Repository: OpenSecretCloud/Maple
Length of output: 589

🌐 Web query:

💡 Result: No official checksums (SHA256 or otherwise) for ONNX Runtime v1.22.0 release assets are published on the GitHub releases page or in related official documentation. The release page at https://github.com/microsoft/onnxruntime/releases/tag/v1.22.0 lists the binary assets (e.g., onnxruntime-linux-x64-1.22.0.tgz, onnxruntime-win-x64-1.22.0.zip) with file sizes and download counts, but does not provide checksums. This is consistent across other ONNX Runtime releases, such as v1.24.2, where only assets and sizes are listed without hashes. Users should verify downloads using GitHub's built-in checksum verification if available or compute their own SHA256 sums after downloading from the official source.

🌐 Web query:

💡 Result: To verify the integrity of a GitHub release asset downloaded in GitHub Actions without relying on a separate checksum file, use GitHub's built-in features: asset digests (SHA-256 hashes exposed via the Releases API since June 2025) and GitHub CLI's gh release verify-asset command, which validates against cryptographically signed attestations.

Step 1: Download the Asset. Use a third-party action like dsaltares/fetch-gh-release-asset (widely used, supports private repos):

```yaml
- name: Download asset
  uses: dsaltares/fetch-gh-release-asset@v2
  with:
    version: 'v1.0.0' # or 'latest'
    file: 'my-asset.zip'
    token: ${{ secrets.GITHUB_TOKEN }}
```

This downloads to the current directory (e.g., ./my-asset.zip).

Step 2: Verify Integrity. Install gh CLI (pre-installed on GitHub-hosted runners) and run:

```yaml
- name: Verify asset integrity
  run: gh release verify-asset v1.0.0 ./my-asset.zip
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

This command:
- Fetches the release's signed attestation.
- Computes the local file's digest.
- Matches it against the expected digest and validates the signature/provenance.
- Fails the workflow if tampered or mismatched.

For latest release: gh release verify-asset ./my-asset.zip.

Alternative: Manual Digest Check (No CLI). Fetch the expected SHA-256 digest from the API and compare:

```yaml
- name: Get expected digest
  id: digest
  run: |
    curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
      https://api.github.com/repos/${{ github.repository }}/releases/tags/v1.0.0 | \
      jq -r '.assets[] | select(.name == "my-asset.zip") | .digest' | \
      cut -d: -f2 > expected.sha256
  shell: bash
- name: Compute local digest and verify
  run: |
    sha256sum --check expected.sha256 <<< $(sha256sum ./my-asset.zip | cut -d' ' -f1)
  shell: bash
```

Note: Digest format is sha256:.

Key Benefits (No Separate Checksum File Needed)
- Automatic Digests: GitHub computes SHA-256 for every asset at upload (immutable).
- Attestations: gh release verify-asset provides end-to-end integrity + provenance.
- API Access: asset.digest in Releases REST/GraphQL APIs.
- Works for immutable releases (marked on GitHub UI).

For official docs, see GitHub's "Verifying the integrity of a release" and Releases API (asset.digest field).

Use GitHub API digests to verify ONNX Runtime tarball integrity instead of piping through tar. The current download at lines 102–113 extracts the tarball without verification. While ONNX Runtime v1.22.0 does not publish official checksums, GitHub computes and exposes SHA-256 digests for all release assets via the Releases API (available since June 2025). Use either:

This eliminates the supply-chain risk without relying on externally-pinned checksums that ONNX Runtime doesn't provide.
| echo "LD_LIBRARY_PATH=$ORT_ROOT/onnxruntime-linux-x64-${ORT_VERSION}/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" >> "$GITHUB_ENV" | ||
| - name: Install frontend dependencies | ||
| working-directory: ./frontend | ||
| run: bun install | ||
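Review bot: The `run:` block of the "Provide ONNX Runtime (Linux)" step has no `shell:` key, so it executes under the default `bash -e` without `pipefail`; in `curl ... | tar -xz -C "$ORT_ROOT"` a curl failure is therefore only noticed if tar itself exits non-zero. Add `shell: bash` (GitHub Actions runs an explicit bash shell with `-eo pipefail`), or better, download with `curl -o` to a file so the archive can be checksummed before `tar -xzf`, which the other review comments already ask for. Note also that the `ORT_LIB_LOCATION`, `ORT_SKIP_DOWNLOAD` and `LD_LIBRARY_PATH` exports via `$GITHUB_ENV` apply to every later step of the job, including `bun install` and the Tauri build; that is presumably intended, but worth a comment in the workflow.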
@@ -111,6 +124,8 @@ jobs: | |
| - name: Build Tauri App | ||
| uses: tauri-apps/tauri-action@v0 | ||
| env: | ||
| APPIMAGE_EXTRACT_AND_RUN: ${{ matrix.platform == 'ubuntu-latest-8-cores' && '1' || '' }} | ||
| NO_STRIP: ${{ matrix.platform == 'ubuntu-latest-8-cores' && 'true' || '' }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | ||
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} | ||
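Review bot: The two new `env` entries lack a comment explaining why they are needed on the Linux runner; `NO_STRIP: 'true'` in particular ships unstripped binaries in the AppImage, which enlarges the release artifact, so record the reason in the workflow so the workaround can be removed once it is no longer required. Note also that the `&& '1' || ''` pattern sets the variable to an empty string on the other platforms rather than leaving it unset; confirm that tauri-action and the bundler treat an empty value as unset.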
Add integrity verification for downloaded ONNX Runtime archive.
This downloads and extracts unverified bytes directly into the build pipeline. Please pin and verify SHA-256 (or signature) before extraction to prevent artifact poisoning in CI.
🔒 Suggested hardening
- name: Provide ONNX Runtime (Linux) run: | ORT_VERSION=1.22.0 ORT_ROOT="$RUNNER_TEMP/onnxruntime" + ORT_ARCHIVE="$RUNNER_TEMP/onnxruntime-linux-x64-${ORT_VERSION}.tgz" + ORT_SHA256="<pin_official_sha256_here>" mkdir -p "$ORT_ROOT" curl -fL --retry 5 --retry-delay 2 --retry-all-errors \ "https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/onnxruntime-linux-x64-${ORT_VERSION}.tgz" \ - | tar -xz -C "$ORT_ROOT" + -o "$ORT_ARCHIVE" + echo "${ORT_SHA256} ${ORT_ARCHIVE}" | sha256sum -c - + tar -xzf "$ORT_ARCHIVE" -C "$ORT_ROOT" echo "ORT_LIB_LOCATION=$ORT_ROOT/onnxruntime-linux-x64-${ORT_VERSION}" >> "$GITHUB_ENV" echo "ORT_SKIP_DOWNLOAD=true" >> "$GITHUB_ENV"
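Both review comments on this step ask for the archive to be verified before it is extracted. The function below is an added example, not code from the PR or from the Maple project: it accepts a digest in the `sha256:<hex>` form that the Releases API `asset.digest` field returns, refuses to extract on any mismatch or malformed digest, and is exercised against a constructed stand-in tarball (the `make_sample` helper and its contents are illustrative only).

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: verify a release archive against a
# GitHub Releases API digest ("sha256:<hex>") before extracting it,
# instead of piping curl straight into tar.
set -euo pipefail

# verify_and_extract ARCHIVE DIGEST DEST
# DIGEST is the asset.digest value from the Releases API, e.g. "sha256:abc...".
# Extracts into DEST and returns 0 only when the digest matches; otherwise
# returns 1 and touches nothing.
verify_and_extract() {
  local archive="$1" digest="$2" dest="$3"
  local algo="${digest%%:*}" expected="${digest#*:}"
  if [ "$algo" != "sha256" ] || [ "${#expected}" -ne 64 ]; then
    echo "unsupported or malformed digest: $digest" >&2
    return 1
  fi
  local actual
  actual="$(sha256sum "$archive" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $archive: expected $expected, got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
}

# Constructed stand-in for the ONNX Runtime tarball (hypothetical contents);
# writes WORK/ort.tgz and prints its hex SHA-256, playing the role of the
# digest a workflow would fetch from the Releases API.
make_sample() {
  local work="$1" top="onnxruntime-linux-x64-1.22.0"
  mkdir -p "$work/$top/lib"
  echo "not a real library" > "$work/$top/lib/libonnxruntime.so"
  tar -czf "$work/ort.tgz" -C "$work" "$top"
  sha256sum "$work/ort.tgz" | cut -d' ' -f1
}
```

In a workflow step the archive path would come from `curl -o` and the digest from the Releases API, with the extracted directory then exported as `ORT_LIB_LOCATION` as the PR already does.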