fix(ci): pin sfw download tag, swap SOCKET_API_TOKEN secret#1252

Merged
John-David Dalton (jdalton) merged 2 commits into v1.x from jdd/v1x-sfw-pin-checksum-fix
Apr 22, 2026

Conversation


@jdalton John-David Dalton (jdalton) commented Apr 22, 2026

Summary

Two small CI fixes for v1.x:

  1. Pin sfw / sfw-free downloads to a version tag so upstream releases stop breaking our hardcoded checksums.
  2. Swap the SOCKET_CLI_API_TOKEN secret reference to SOCKET_API_TOKEN to match the renamed repo secret.

1. Pin sfw download to a tag

  • Our CI downloads sfw / sfw-free from the releases/latest endpoint, then checks it against a SHA256 we hardcoded. When a new sfw release ships upstream, latest starts returning new bytes but our hardcoded SHA256 still points at the old bytes, so every job fails with a checksum mismatch.
  • This PR pins the download to a specific version tag (v1.7.2) so the bytes we download always match the SHA256 we're checking.
  • Bumped the pinned checksums to the v1.7.2 values so we're on the latest release.

What changed

  • Added SFW_FREE_VERSION and SFW_ENTERPRISE_VERSION variables at the top of each download step (both set to 1.7.2 right now).
  • Changed the gh api call from repos/.../releases/latest to repos/.../releases/tags/v${SFW_VERSION}.
  • Added a small check that errors out if the asset isn't found at that tag (before it would silently curl an empty URL).
  • Updated all 10 SHA256s (5 platforms × 2 tracks) to the v1.7.2 values.

Where

Three workflows on v1.x:

  • .github/workflows/ci.yml — 3 copies of the same download block (matrix jobs)
  • .github/workflows/provenance.yml — 1 block
  • .github/workflows/e2e-tests.yml — 1 block (free-only, no enterprise branch)

The duplication is on purpose on v1.x — we inlined everything to avoid pulling in shared/reusable workflow changes.

Why this is safe

Next time someone bumps sfw, they have to update SFW_FREE_VERSION / SFW_ENTERPRISE_VERSION AND all the SHA256s in the same commit. If they forget one, CI fails on that commit instead of mysteriously breaking a week later when upstream ships.

2. Swap SOCKET_CLI_API_TOKEN secret ref to SOCKET_API_TOKEN

Repo-level secret was renamed to SOCKET_API_TOKEN. Only the secrets.* reference in .github/workflows/e2e-tests.yml changes — the env var name the CLI reads (SOCKET_CLI_API_TOKEN) stays the same.

Test plan

  • CI green on this PR (ci.yml exercises both enterprise and free paths)
  • Provenance workflow runs fine on next publish
  • E2E tests still run with the renamed secret

The sfw / sfw-free downloads fetched releases/latest at runtime but
verified against hardcoded SHA256s in the same file. Any upstream
release immediately broke every consumer because the downloaded bytes
no longer matched the pinned checksum. Backporting the socket-registry
fix (1ab0cfbf) to v1.x.

Fix:

- Introduce SFW_FREE_VERSION / SFW_ENTERPRISE_VERSION env vars at the
  top of each download step. Same value today (1.7.2) but the two
  tracks can diverge independently. Bumping a tool requires updating
  the matching version AND every platform's SHA256 in the same commit.
- Switch from gh api repos/.../releases/latest to
  gh api repos/.../releases/tags/v${SFW_VERSION} so the download path
  is pinned to the same tag the checksums reference. A new upstream
  release can no longer break CI.
- Guard against an empty DOWNLOAD_URL (asset missing from the pinned
  tag) with a clear error instead of silently piping curl nothing.
- Refresh all SHA256s (5 platforms x 2 tracks: sfw-free and
  firewall-release enterprise) to the v1.7.2 bytes.

Applied to all three workflows on v1.x (inlined, not shared):
- .github/workflows/ci.yml (3 identical blocks)
- .github/workflows/provenance.yml (1 block)
- .github/workflows/e2e-tests.yml (1 block, free-only)

The duplication is intentional on v1.x to avoid coupling to reusable
workflow changes.

Repo-level secret renamed to SOCKET_API_TOKEN. Only the secrets.*
reference changes — the env var name the CLI reads (SOCKET_CLI_API_TOKEN)
stays the same.
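The pinned-tag download block described in the PR body and commit messages above, as an added example (it is not the project's workflow code). Assumed or constructed names: SFW_REPO stands in for the repository path the PR elides as repos/.../releases/tags/...; the asset file names and SAMPLE_RELEASE_JSON are hand-built stand-ins for what `gh api` returns; the expected SHA256 is passed in by the caller rather than copied from the real pinned table. The JSON deliberately omits one platform so the empty-URL guard has something to catch.

```shell
#!/usr/bin/env sh
# Added example: a pinned-tag download step with an asset guard and a SHA256 check.
# Not the project's workflow code. SFW_REPO, the asset names and
# SAMPLE_RELEASE_JSON are assumptions/constructed data, not values from the PR.
set -eu

SFW_FREE_VERSION="1.7.2"
SFW_REPO="${SFW_REPO:-OWNER/REPO}"   # hypothetical placeholder for the elided repo path

# Constructed release JSON in the shape `gh api repos/.../releases/tags/vX` returns.
# It intentionally lacks a win32 asset so the guard below has something to catch.
SAMPLE_RELEASE_JSON='{
  "tag_name": "v1.7.2",
  "assets": [
    {
      "name": "sfw-free-linux-x64.tar.gz",
      "browser_download_url": "https://example.invalid/download/v1.7.2/sfw-free-linux-x64.tar.gz"
    },
    {
      "name": "sfw-free-darwin-arm64.tar.gz",
      "browser_download_url": "https://example.invalid/download/v1.7.2/sfw-free-darwin-arm64.tar.gz"
    }
  ]
}'

# Pick one asset's download URL out of release JSON with plain awk so it runs
# offline. Prints nothing when the asset is absent from that tag.
pick_asset_url() {
  printf '%s\n' "$1" | awk -v want="$2" '
    function val(s) { sub(/^[^:]*: *"/, "", s); sub(/".*$/, "", s); return s }
    /"name":/                 { cur = val($0) }
    /"browser_download_url":/ { if (cur == want) { print val($0); exit } }
  '
}

# Live variant: the same lookup against the pinned tag, never releases/latest.
# Needs gh and network access, so the offline self-check below does not call it.
resolve_download_url() {
  gh api "repos/${SFW_REPO}/releases/tags/v${SFW_FREE_VERSION}" \
    --jq ".assets[] | select(.name == \"$1\") | .browser_download_url"
}

# The guard the PR added: fail loudly instead of handing curl an empty URL.
require_url() {
  url="$1"; asset="$2"; version="$3"
  if [ -z "$url" ]; then
    echo "error: asset '$asset' not found in release v$version" >&2
    return 1
  fi
}

# Compare the downloaded bytes against the checksum pinned for this tag.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$( (sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "error: sha256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
}

# End-to-end step as a workflow would run it (network required; not run here).
# A tool bump must change SFW_FREE_VERSION and the caller's pinned SHA256 together.
download_pinned() {
  asset="$1"; expected="$2"; out="$3"
  url=$(resolve_download_url "$asset")
  require_url "$url" "$asset" "$SFW_FREE_VERSION"
  curl -fsSL "$url" -o "$out"
  verify_sha256 "$out" "$expected"
}

# Offline self-check against the constructed JSON.
url=$(pick_asset_url "$SAMPLE_RELEASE_JSON" "sfw-free-linux-x64.tar.gz")
require_url "$url" "sfw-free-linux-x64.tar.gz" "$SFW_FREE_VERSION"
echo "resolved: $url"
```

Because the tag in the API path and the checksum are both tied to SFW_FREE_VERSION, a new upstream release cannot change the bytes this step fetches; the only way the checksum step fails is a bump that changed the version without the matching SHA256 (or vice versa), which surfaces on that commit rather than later.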
@jdalton John-David Dalton (jdalton) changed the title from "fix(ci): pin sfw download to a version so checksums stop breaking" to "fix(ci): pin sfw download tag, swap SOCKET_API_TOKEN secret" Apr 22, 2026
@jdalton John-David Dalton (jdalton) merged commit 877eca6 into v1.x Apr 22, 2026
12 checks passed
@jdalton John-David Dalton (jdalton) deleted the jdd/v1x-sfw-pin-checksum-fix branch April 22, 2026 13:38