feat: add artifact integrity verification in workflows

Author: IShix-g

.github/workflows/reusable-build-package.yaml

@@ -66,8 +66,11 @@ on:
         description: 'Export path where the package was generated'
         value: ${{ jobs.build-package.outputs.export-path }}
       artifact-url:
-        description: 'URL to download an Artifact.'
+        description: 'URL to download an Artifact'
         value: ${{ jobs.build-package.outputs.artifact-url }}
+      artifact-digest:
+        description: 'SHA-256 digest of an Artifact'
+        value: ${{ jobs.build-package.outputs.artifact-digest }}
 
 env:
   TARGET_PLATFORM: StandaloneLinux64
@@ -88,6 +91,7 @@ jobs:
       package-name: ${{ steps.path-normalizer.outputs.normalized-package-name }}
       export-path: ${{ steps.path-normalizer.outputs.export-path }}
       artifact-url: ${{ steps.upload-artifact.outputs.artifact-url }}
+      artifact-digest: ${{ steps.upload-artifact.outputs.artifact-digest }}
     steps:
       - name: Normalize Path
         id: path-normalizer
@@ -155,4 +159,4 @@ jobs:
         with:
           name: ${{ steps.path-normalizer.outputs.normalized-package-name }}
           path: ${{ steps.path-normalizer.outputs.export-path }}
-          retention-days: ${{ inputs.retention-days }}
+          retention-days: ${{ inputs.retention-days }}

.github/workflows/reusable-release-package-upload.yaml

@@ -11,6 +11,10 @@ on:
         description: 'The name of the package uploaded as an artifact.'
         required: true
         type: string
+      artifact-digest:
+        description: 'SHA-256 digest of an Artifact. https://github.com/actions/upload-artifact?tab=readme-ov-file#outputs'
+        required: true
+        type: string
       dry-run:
         description: 'true = dry-run: The upload will not actually be performed.'
         required: false
@@ -30,13 +34,43 @@ jobs:
           name: ${{ inputs.artifact-package-name }}
           path: ./artifacts
 
+      - name: Define Path for Artifact File
+        id: artifact-path
+        run: |
+          file="${{ inputs.artifact-package-name }}"
+          echo "path=./artifacts/$file" >> "$GITHUB_OUTPUT"
+
+      - name: Verify Artifact Exists
+        run: |
+          artifact_file="${{ steps.artifact-path.outputs.path }}"
+          if [ ! -f "$artifact_file" ]; then
+            echo "::error file=$artifact_file::Artifact file not found!"
+            exit 1
+          fi
+            echo "Artifact exists: $artifact_file"
+
+      - name: Verify Artifact Integrity
+        run: |
+          artifact_file="${{ steps.artifact-path.outputs.path }}"
+          calculated_hash=$(sha256sum "$artifact_file" | awk '{ print $1 }')
+          uploaded_hash="${{ inputs.artifact_digest }}"
+
+          echo "Uploaded hash: $uploaded_hash"
+          echo "Calculated hash: $calculated_hash"
+
+          if [ "$calculated_hash" != "$uploaded_hash" ]; then
+            echo "::error::Artifact integrity check failed! Hash mismatch."
+            exit 1
+          fi
+            echo "Artifact Verified: Integrity check passed. Hash matches."
+
       - name: Upload Package
         if: ${{ !inputs.dry-run }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           file="${{ inputs.artifact-package-name }}"
-          file_path="./artifacts/$file"
+          file_path="${{ steps.artifact-path.outputs.path }}"
           tag="${{ inputs.release-tag }}"
           gh release upload "$tag" "$file_path"
           echo "::notice title=Uploaded asset::$file"
@@ -45,6 +79,6 @@ jobs:
         if: ${{ inputs.dry-run }}
         run: |
           file="${{ inputs.artifact-package-name }}"
-          file_path="./artifacts/$file"
+          file_path="${{ steps.artifact-path.outputs.path }}"
           tag="${{ inputs.release-tag }}"
           echo "::notice title=Dry Run::Simulating upload of '$file_path' to release tag '$tag'."