Update proto artifact interface, retrieve artifact digests, return indicator of mismatch failure

packages/artifact/src/internal/download/download-artifact.ts

@@ -1,11 +1,15 @@
 import fs from 'fs/promises'
+import * as crypto from 'crypto'
+import * as stream from 'stream'
+
 import * as github from '@actions/github'
 import * as core from '@actions/core'
 import * as httpClient from '@actions/http-client'
 import unzip from 'unzip-stream'
 import {
   DownloadArtifactOptions,
-  DownloadArtifactResponse
+  DownloadArtifactResponse,
+  StreamExtractResponse
 } from '../shared/interfaces'
 import {getUserAgentString} from '../shared/user-agent'
 import {getGitHubWorkspaceDir} from '../shared/config'
@@ -37,12 +41,14 @@ async function exists(path: string): Promise<boolean> {
   }
 }
 
-async function streamExtract(url: string, directory: string): Promise<void> {
+async function streamExtract(
+  url: string,
+  directory: string
+): Promise<StreamExtractResponse> {
   let retryCount = 0
   while (retryCount < 5) {
     try {
-      await streamExtractExternal(url, directory)
-      return
+      return await streamExtractExternal(url, directory)
     } catch (error) {
       retryCount++
       core.debug(
@@ -59,7 +65,7 @@ async function streamExtract(url: string, directory: string): Promise<void> {
 export async function streamExtractExternal(
   url: string,
   directory: string
-): Promise<void> {
+): Promise<StreamExtractResponse> {
   const client = new httpClient.HttpClient(getUserAgentString())
   const response = await client.get(url)
   if (response.message.statusCode !== 200) {
@@ -69,6 +75,7 @@ export async function streamExtractExternal(
   }
 
   const timeout = 30 * 1000 // 30 seconds
+  let sha256Digest: string | undefined = undefined
 
   return new Promise((resolve, reject) => {
     const timerFn = (): void => {
@@ -78,7 +85,14 @@ export async function streamExtractExternal(
     }
     const timer = setTimeout(timerFn, timeout)
 
-    response.message
+    const hashStream = crypto.createHash('sha256').setEncoding('hex')
+    const passThrough = new stream.PassThrough()
+
+    response.message.pipe(passThrough)
+    passThrough.pipe(hashStream)
+    const extractStream = passThrough
+
+    extractStream
       .on('data', () => {
         timer.refresh()
       })
@@ -92,7 +106,14 @@ export async function streamExtractExternal(
       .pipe(unzip.Extract({path: directory}))
       .on('close', () => {
         clearTimeout(timer)
-        resolve()
+        if (hashStream) {
+          hashStream.end()
+          sha256Digest = hashStream.read() as string
+          core.debug(
+            `SHA256 digest of downloaded artifact zip is ${sha256Digest}`
+          )
+        }
+        resolve({sha256Digest: `sha256:${sha256Digest}`})
       })
       .on('error', (error: Error) => {
         reject(error)
@@ -111,6 +132,8 @@ export async function downloadArtifactPublic(
 
   const api = github.getOctokit(token)
 
+  let digestMismatch = false
+
   core.info(
     `Downloading artifact '${artifactId}' from '${repositoryOwner}/${repositoryName}'`
   )
@@ -140,13 +163,20 @@ export async function downloadArtifactPublic(
 
   try {
     core.info(`Starting download of artifact to: ${downloadPath}`)
-    await streamExtract(location, downloadPath)
+    const extractResponse = await streamExtract(location, downloadPath)
     core.info(`Artifact download completed successfully.`)
+    if (options?.expectedHash) {
+      if (options?.expectedHash !== extractResponse.sha256Digest) {
+        digestMismatch = true
+        core.debug(`Computed digest: ${extractResponse.sha256Digest}`)
+        core.debug(`Expected digest: ${options.expectedHash}`)
+      }
+    }
   } catch (error) {
     throw new Error(`Unable to download and extract artifact: ${error.message}`)
   }
 
-  return {downloadPath}
+  return {downloadPath, digestMismatch}
 }
 
 export async function downloadArtifactInternal(
@@ -157,6 +187,8 @@ export async function downloadArtifactInternal(
 
   const artifactClient = internalArtifactTwirpClient()
 
+  let digestMismatch = false
+
   const {workflowRunBackendId, workflowJobRunBackendId} =
     getBackendIdsFromToken()
 
@@ -192,13 +224,20 @@ export async function downloadArtifactInternal(
 
   try {
     core.info(`Starting download of artifact to: ${downloadPath}`)
-    await streamExtract(signedUrl, downloadPath)
+    const extractResponse = await streamExtract(signedUrl, downloadPath)
     core.info(`Artifact download completed successfully.`)
+    if (options?.expectedHash) {
+      if (options?.expectedHash !== extractResponse.sha256Digest) {
+        digestMismatch = true
+        core.debug(`Computed digest: ${extractResponse.sha256Digest}`)
+        core.debug(`Expected digest: ${options.expectedHash}`)
+      }
+    }
   } catch (error) {
     throw new Error(`Unable to download and extract artifact: ${error.message}`)
   }
 
-  return {downloadPath}
+  return {downloadPath, digestMismatch}
 }
 
 async function resolveOrCreateDirectory(

packages/artifact/src/internal/find/get-artifact.ts

@@ -68,7 +68,10 @@ export async function getArtifactPublic(
       name: artifact.name,
       id: artifact.id,
       size: artifact.size_in_bytes,
-      createdAt: artifact.created_at ? new Date(artifact.created_at) : undefined
+      createdAt: artifact.created_at
+        ? new Date(artifact.created_at)
+        : undefined,
+      digest: artifact.digest
     }
   }
 }
@@ -115,7 +118,8 @@ export async function getArtifactInternal(
       size: Number(artifact.size),
       createdAt: artifact.createdAt
         ? Timestamp.toDate(artifact.createdAt)
-        : undefined
+        : undefined,
+      digest: artifact.digest?.value
     }
   }
 }

packages/artifact/src/internal/find/list-artifacts.ts

@@ -41,14 +41,17 @@ export async function listArtifactsPublic(
   const github = getOctokit(token, opts, retry, requestLog)
 
   let currentPageNumber = 1
-  const {data: listArtifactResponse} =
-    await github.rest.actions.listWorkflowRunArtifacts({
+
+  const {data: listArtifactResponse} = await github.request(
+    'GET /repos/{owner}/{repo}/actions/runs/{run_id}/artifacts',
+    {
       owner: repositoryOwner,
       repo: repositoryName,
       run_id: workflowRunId,
       per_page: paginationCount,
       page: currentPageNumber
-    })
+    }
+  )
 
   let numberOfPages = Math.ceil(
     listArtifactResponse.total_count / paginationCount
@@ -67,7 +70,10 @@ export async function listArtifactsPublic(
       name: artifact.name,
       id: artifact.id,
       size: artifact.size_in_bytes,
-      createdAt: artifact.created_at ? new Date(artifact.created_at) : undefined
+      createdAt: artifact.created_at
+        ? new Date(artifact.created_at)
+        : undefined,
+      digest: (artifact as ArtifactResponse).digest
     })
   }
 
@@ -80,14 +86,16 @@ export async function listArtifactsPublic(
     currentPageNumber++
     debug(`Fetching page ${currentPageNumber} of artifact list`)
 
-    const {data: listArtifactResponse} =
-      await github.rest.actions.listWorkflowRunArtifacts({
+    const {data: listArtifactResponse} = await github.request(
+      'GET /repos/{owner}/{repo}/actions/runs/{run_id}/artifacts',
+      {
         owner: repositoryOwner,
         repo: repositoryName,
         run_id: workflowRunId,
         per_page: paginationCount,
         page: currentPageNumber
-      })
+      }
+    )
 
     for (const artifact of listArtifactResponse.artifacts) {
       artifacts.push({
@@ -96,7 +104,8 @@ export async function listArtifactsPublic(
         size: artifact.size_in_bytes,
         createdAt: artifact.created_at
           ? new Date(artifact.created_at)
-          : undefined
+          : undefined,
+        digest: (artifact as ArtifactResponse).digest
       })
     }
   }
@@ -132,7 +141,8 @@ export async function listArtifactsInternal(
     size: Number(artifact.size),
     createdAt: artifact.createdAt
       ? Timestamp.toDate(artifact.createdAt)
-      : undefined
+      : undefined,
+    digest: artifact.digest?.value
   }))
 
   if (latest) {
@@ -146,6 +156,18 @@ export async function listArtifactsInternal(
   }
 }
 
+/**
+ * This exists so that we don't have to use 'any' when receiving the artifact list from the GitHub API.
+ * The digest field is not present in OpenAPI/types at time of writing, which necessitates this change.
+ */
+interface ArtifactResponse {
+  name: string
+  id: number
+  size_in_bytes: number
+  created_at?: string
+  digest?: string
+}
+
 /**
  * Filters a list of artifacts to only include the latest artifact for each name
  * @param artifacts The artifacts to filter

packages/artifact/src/internal/shared/interfaces.ts

@@ -91,6 +91,11 @@ export interface DownloadArtifactResponse {
    * The path where the artifact was downloaded to
    */
   downloadPath?: string
+
+  /**
+   * Returns true if the digest of the downloaded artifact does not match the expected hash
+   */
+  digestMismatch?: boolean
 }
 
 /**
@@ -101,6 +106,19 @@ export interface DownloadArtifactOptions {
    * Denotes where the artifact will be downloaded to. If not specified then the artifact is download to GITHUB_WORKSPACE
    */
   path?: string
+
+  /**
+   * The hash that was computed for the artifact during upload. Don't provide this unless you want to verify the hash.
+   * If the hash doesn't match, the download will fail.
+   */
+  expectedHash?: string
+}
+
+export interface StreamExtractResponse {
+  /**
+   * The SHA256 hash of the downloaded file
+   */
+  sha256Digest?: string
 }
 
 /**
@@ -126,6 +144,11 @@ export interface Artifact {
    * The time when the artifact was created
    */
   createdAt?: Date
+
+  /**
+   * The digest of the artifact, computed at time of upload.
+   */
+  digest?: string
 }
 
 // FindOptions are for fetching Artifact(s) out of the scope of the current run.