From eb9ce7ee3c438aee150247c01530616bfbfca437 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-ceo[bot]" <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 03:53:49 +0000
Subject: [PATCH] feat(release): add post-merge checksum consistency check (#102)

After merging the release PR, verify that:
- The released tarball's SHA256 matches the tag's artifacthub-pkg.yml
- The released tarball's SHA256 matches main's artifacthub-pkg.yml
Fails loudly if they diverge so checksum drift is caught immediately.

Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
---
 .github/workflows/plugin-release.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml
index afddad3..480a70a 100644
--- a/.github/workflows/plugin-release.yaml
+++ b/.github/workflows/plugin-release.yaml
@@ -330,3 +330,27 @@ jobs:
 fi
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+ - name: Verify checksums are consistent (main == tag == tarball)
+ run: |
+ VERSION="${{ inputs.version }}"
+ TARBALL_CS=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
+
+ # Checksum recorded in the tag's artifacthub-pkg.yml
+ TAG_CS=$(git show "v${VERSION}:artifacthub-pkg.yml" 2>/dev/null | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
+
+ # Checksum now on main (after PR merge)
+ MAIN_CS=$(git fetch origin main 2>/dev/null; git show "origin/main:artifacthub-pkg.yml" | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
+
+ echo "Tarball SHA256 : $TARBALL_CS"
+ echo "Tag artifacthub: $TAG_CS"
+ echo "Main artifacthub: $MAIN_CS"
+
+ FAIL=0
+ [ "$TARBALL_CS" != "$TAG_CS" ] && echo "ERROR: tag checksum mismatch!" && FAIL=1
+ [ "$TARBALL_CS" != "$MAIN_CS" ] && echo "ERROR: main checksum mismatch!" && FAIL=1
+ [ "$FAIL" = "1" ] && exit 1
+ echo "All checksums consistent — ArtifactHub will index correctly."
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
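Review bot: `${{ inputs.version }}` and `${{ env.TARBALL }}` are expanded into the `run:` script text before bash sees it, so a version value containing shell metacharacters is interpreted as part of the script rather than compared; the value should reach the shell only through the environment. Add `VERSION: ${{ inputs.version }}` to the step's existing `env:` block and drop the `VERSION="${{ inputs.version }}"` line, and write `sha256sum "$TARBALL"` instead of `sha256sum "${{ env.TARBALL }}"` since that variable is already in the environment. A secondary point: the `2>/dev/null` on `git show` and `git fetch` hides why a checksum could not be read, so a tag that is absent from the checkout (likely if the checkout is shallow and did not fetch tags) or a missing `archive-checksum` line leaves `TAG_CS` empty and surfaces as a misleading "tag checksum mismatch"; an explicit `[ -n "$TAG_CS" ] && [ -n "$MAIN_CS" ] || { echo "ERROR: could not read archive-checksum from tag or main"; exit 1; }` before the comparisons would make the failure diagnosable. `GH_TOKEN` is exported to this step although nothing in it invokes `gh`, so the token can be omitted from this step's `env:`. The job these steps belong to starts outside the hunk.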