The composite action's scripts/install.sh pipes the release installer straight into sh:
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/untitaker/hyperlink/releases/download/$tag/hyperlink-installer.sh | sh
The cargo-dist installer does verify the downloaded binary against embedded checksums, so the binary is covered — but the installer script itself is fetched and executed unverified. Each release already ships sha256.sum and per-asset .sha256 files, so the action could download hyperlink-installer.sh to a file, check it against a published checksum, then run it — closing the one unverified step.
Context: this surfaces in downstream review at apache/infrastructure-actions#916, where every pinned-SHA bump of an allowlisted action is re-reviewed (rebuild/verify each download). The pattern is unchanged from the previously-approved 0.2.0, so it's not a regression — just flagging it as a hardening opportunity.
Happy to send a PR if a checksum-then-run flow works for you.
The composite action's
scripts/install.shpipes the release installer straight intosh:The cargo-dist installer does verify the downloaded binary against embedded checksums, so the binary is covered — but the installer script itself is fetched and executed unverified. Each release already ships
sha256.sumand per-asset.sha256files, so the action could downloadhyperlink-installer.shto a file, check it against a published checksum, then run it — closing the one unverified step.Context: this surfaces in downstream review at apache/infrastructure-actions#916, where every pinned-SHA bump of an allowlisted action is re-reviewed (rebuild/verify each download). The pattern is unchanged from the previously-approved 0.2.0, so it's not a regression — just flagging it as a hardening opportunity.
Happy to send a PR if a checksum-then-run flow works for you.