From 05b72baa643b2b16210473954d9b52fed3ce6d73 Mon Sep 17 00:00:00 2001
From: joe miller
Date: Thu, 14 May 2026 23:11:09 +0000
Subject: [PATCH] ci: pin autotag binary by version + sha256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the deprecated `git.io/autotag-install` one-liner with a direct download of `autotag_linux_amd64` from a pinned release, verified against a hardcoded SHA-256.

Why:

- The installer is generated by godownloader (also deprecated upstream) and, while it does check the checksum file published with each GitHub release, those checksums are mutable — anyone who can publish a release can publish matching checksums. There's no way to pin an out-of-band expected SHA.
- autotag's maintainers are me and a couple of trusted ex-coworkers (incl. @will.milton) and I trust the code, but a compromise of the `autotag-dev` org or a maintainer account would silently flow into every pipeline that runs the installer. Hardcoding the SHA in our workflow makes that class of supply-chain attack fail loudly.
- autotag rarely changes and we only use its most basic functionality, so we don't upgrade often. Grabbing the new binary's SHA from `checksums.txt` on bump is a cheap one-time step for meaningful hardening.

See: https://github.com/autotag-dev/autotag/blob/main/README.md (CI install section) for the recommended pattern.
---
 .github/workflows/release.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ba6747c2..4513b742 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -64,8 +64,18 @@ jobs:
 cache: false
 - name: install autotag binary
+ # To bump: update AUTOTAG_VERSION and fetch the new SHA from the release's
+ # checksums.txt (autotag__checksums.txt, line matching 'autotag_linux_amd64$').
+ env:
+ AUTOTAG_VERSION: 1.4.3
+ AUTOTAG_SHA256: 85e7ec97d732800bb838085fd3f2e19b2aa2ee3a8da0db7fd0aaf4113a279f3a
 run: |
- curl -sL https://git.io/autotag-install | sh -s -- -b "${RUNNER_TEMP}/bin"
+ set -euo pipefail
+ mkdir -p "${RUNNER_TEMP}/bin"
+ curl -fsSLo "${RUNNER_TEMP}/bin/autotag" \
+ "https://github.com/autotag-dev/autotag/releases/download/v${AUTOTAG_VERSION}/autotag_linux_amd64"
+ echo "${AUTOTAG_SHA256} ${RUNNER_TEMP}/bin/autotag" | sha256sum -c -
+ chmod +x "${RUNNER_TEMP}/bin/autotag"
 echo "${RUNNER_TEMP}/bin" >> $GITHUB_PATH
 - name: Install GoReleaser
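Review bot: The `sha256sum -c -` line is only as good as the separator between the digest and the path: GNU coreutils' `-c` input format is `DIGEST  PATH` (two spaces, or ` *PATH`), and at least some coreutils versions reject a single-space line with "no properly formatted checksum lines found", which under `set -euo pipefail` fails the step even for a correct binary. The patch as shown here has had its whitespace collapsed, so the file may already be right, but it is worth confirming the line reads `echo "${AUTOTAG_SHA256}  ${RUNNER_TEMP}/bin/autotag" | sha256sum -c -` with two spaces. Separately, `AUTOTAG_VERSION: 1.4.3` parses as a string today, but a later bump to something like `1.10` would be read as the float `1.1` and silently request the wrong asset; quoting both env values, `AUTOTAG_VERSION: "1.4.3"` and `AUTOTAG_SHA256: "85e7ec97…279f3a"`, keeps them strings no matter what a future version or digest looks like. The bump comment also names `autotag__checksums.txt`, which with its doubled underscore looks like it lost a version component; naming the asset as it actually appears on the release page would save the next person a search.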