Summary
The v0.39.0 release path is functional, but several release inputs are still floating:
- external GitHub Actions are referenced by mutable tags;
- the Rust toolchain is installed from `stable`;
- packaging tools are installed with `cargo install` without `--version`/`--locked`;
- some runner/container labels are floating (`*-latest`, `fedora:latest`).
This is a release hardening and provenance issue, not an accusation of malware. I did not find evidence that the v0.39.0 assets differ from the GitHub Actions run artifacts.
Version / tag / commit
- Release: `v0.39.0`
- Commit/tag target: `2fbc7514f6964acabcfac65501b8bb6b525e3aa8`
- Release: https://github.com/rtk-ai/rtk/releases/tag/v0.39.0
- Producing Actions run: https://github.com/rtk-ai/rtk/actions/runs/25445836840
- Windows release asset: `rtk-x86_64-pc-windows-msvc.zip`
Evidence
Source workflow references at v0.39.0:
- `.github/workflows/release.yml:41`, `:44`, `:48`, `:52`, `:57` use `macos-latest`, `ubuntu-latest`, and `windows-latest` through the release matrix.
- `.github/workflows/release.yml:62` uses `actions/checkout@v4`.
- `.github/workflows/release.yml:65` uses `dtolnay/rust-toolchain@stable`.
- `.github/workflows/release.yml:103`, `:128`, `:158` use `actions/upload-artifact@v4`.
- `.github/workflows/release.yml:119` runs `cargo install cargo-deb`.
- `.github/workflows/release.yml:136` uses `container: fedora:latest`.
- `.github/workflows/release.yml:146` runs `cargo install cargo-generate-rpm`.
- `.github/workflows/release.yml:168` uses `actions/create-github-app-token@v3`.
- `.github/workflows/release.yml:176` uses `actions/checkout@v4`.
- `.github/workflows/release.yml:179` uses `actions/download-artifact@v4`.
- `.github/workflows/release.yml:213` uses `softprops/action-gh-release@v2`.
- `.github/workflows/cd.yml:107` uses `actions/create-github-app-token@v3`.
- `.github/workflows/cd.yml:114` uses `googleapis/release-please-action@v4`.
- `.github/workflows/cd.yml:125` calls the reusable release workflow.
- `.github/workflows/cd.yml:138`, `:145` use `actions/create-github-app-token@v3` and `actions/checkout@v4` for the `latest` tag update.
Run metadata for v0.39.0:
- `GET /repos/rtk-ai/rtk/actions/runs/25445836840` shows `repository.full_name=rtk-ai/rtk`, `head_repository.full_name=rtk-ai/rtk`, `head_branch=master`, `head_sha=2fbc7514f6964acabcfac65501b8bb6b525e3aa8`, `referenced_workflows[0].path=rtk-ai/rtk/.github/workflows/release.yml@2fbc7514f6964acabcfac65501b8bb6b525e3aa8`.
- The release asset uploader is `rtk-release-bot[bot]`, matching the GitHub App token created in the release job.
- The Windows build job log resolved `dtolnay/rust-toolchain@stable` to action SHA `29eef336d9b2848a0b548edc03f92a220660cdb8` and Rust `1.95.0 (59807616e 2026-04-14)`.
- The release job log resolved `softprops/action-gh-release@v2` to SHA `3bb12739c298aeb8a4eeaf626c5b8d85266b0e65`.
- The release-please job log resolved `googleapis/release-please-action@v4` to SHA `5c625bfb5d1ff62eadeeb3772007f7f66fdcf071`.
- The DEB job installed `cargo-deb v3.7.0`.
- The RPM job installed `cargo-generate-rpm v0.21.0`; the Fedora container installed Rust/Cargo `1.95.0-1.fc44`.
- `checksums.txt` has GitHub API digest `sha256:772665bb94418715f4761931df79d4b4ca30ab738d0def3213a5c19d4b31648b`; the downloaded file hashes to the same value.
- Every checksum entry in `checksums.txt` matches the corresponding GitHub Release asset digest.
- The Windows artifact downloaded from run `25445836840` hashes to `aad430c14d82b4470f14bdb9695e8cd97aeac97444bd087bd70be161ced09cb7`, matching the published release asset digest. The contained `rtk.exe` hashes to `731583957e8cea7cfa858fb56835c001b71f75e595710a5441ebaee12fc6c83b`; it was hashed as a file, without being executed.
Impact
The current release can be traced to a GitHub Actions run, but future releases remain sensitive to mutable external inputs. A tag move in an action, a new `stable` Rust release, a new crates.io packaging-tool release, or a changed `latest` runner/container image can alter release outputs without an explicit source diff in this repository.
That weakens reproducibility, incident response, and provenance review for security-sensitive binary releases.
Verification steps
No released binary needs to be executed.
- Inspect workflow source at `v0.39.0`: `gh api repos/rtk-ai/rtk/contents/.github/workflows/release.yml?ref=v0.39.0 -H "Accept: application/vnd.github.raw"`
- Inspect producing run metadata: `gh api repos/rtk-ai/rtk/actions/runs/25445836840`
- Inspect job logs for resolved action SHAs/tool versions: `gh run view 25445836840 -R rtk-ai/rtk --job <job-id> --log`
- Compare release asset digests: `gh api repos/rtk-ai/rtk/releases/tags/v0.39.0`
- Download `checksums.txt` and compare its SHA256 and entries with the API `digest` fields.
- Optionally download the Windows run artifact and hash the nested ZIP/EXE as files only.
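The last two steps, as an added example that is not part of the report or the project: it cross-checks a `checksums.txt` against the Releases API `digest` fields on constructed sample data rather than the real v0.39.0 assets, assuming `checksums.txt` uses the two-column `sha256sum` format and that the API reports digests as `sha256:<hex>`, as quoted in the evidence above.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample release (not the real v0.39.0 values): asset bytes, a checksums.txt in
# `sha256sum` format, and the `assets` list of a GitHub Releases API response with `digest` fields.
SAMPLE_ASSETS = {
    "rtk-x86_64-pc-windows-msvc.zip": b"constructed windows zip bytes",
    "rtk-x86_64-unknown-linux-gnu.tar.gz": b"constructed linux tarball bytes",
}
CHECKSUMS_TXT = "".join(f"{sha256_hex(d)}  {n}\n" for n, d in SAMPLE_ASSETS.items())
RELEASE_API_JSON = json.dumps({"assets": [
    {"name": n, "digest": f"sha256:{sha256_hex(d)}"} for n, d in SAMPLE_ASSETS.items()
] + [{"name": "checksums.txt", "digest": f"sha256:{sha256_hex(CHECKSUMS_TXT.encode())}"}]})

def parse_checksums(text: str) -> dict:
    """Parse `<hex>  <name>` lines (the `*name` binary marker is tolerated) into name -> hex."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def api_digests(release_json: str) -> dict:
    """Map asset name -> `digest` field from the Releases API JSON ('' when the field is absent)."""
    return {a["name"]: a.get("digest", "") for a in json.loads(release_json)["assets"]}

def verify_release(checksums_text: str, release_json: str) -> dict:
    """Cross-check checksums.txt against the API digests without downloading or running any asset.
    Reports entries whose digest differs, entries with no matching asset, and whether
    checksums.txt itself hashes to the digest GitHub reports for it."""
    api = api_digests(release_json)
    mismatched, missing = [], []
    for name, hexdigest in parse_checksums(checksums_text).items():
        if name not in api:
            missing.append(name)
        elif api[name] != f"sha256:{hexdigest}":
            mismatched.append(name)
    own_digest = f"sha256:{sha256_hex(checksums_text.encode())}"
    return {
        "mismatched": mismatched,
        "missing": missing,
        "checksums_txt_matches_api": api.get("checksums.txt") == own_digest,
    }
```

Against the real release, feed it the downloaded `checksums.txt` and the JSON from `gh api repos/rtk-ai/rtk/releases/tags/v0.39.0`.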
Suggested mitigation
- Pin third-party and first-party actions by full commit SHA, with comments documenting the human-readable version tag.
- Replace `dtolnay/rust-toolchain@stable` with a pinned Rust version, for example via `rust-toolchain.toml` or an explicit action input.
- Replace unversioned installs with pinned, locked installs, for example `cargo install cargo-deb --version 3.7.0 --locked` and `cargo install cargo-generate-rpm --version 0.21.0 --locked`, or a prebuilt pinned tool environment.
- Avoid floating runner/container labels where practical: use explicit runner images such as `ubuntu-24.04`/`windows-2025` and pin container images by digest instead of `fedora:latest`.
- Consider publishing provenance/SLSA attestations for release artifacts.
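As an added illustration of the mitigations above (example code, not the project's own), this line-based lint flags every floating input class named in this report and passes on a pinned variant. The two `release.yml` excerpts are constructed, and the 40-hex action SHAs and image digest in the pinned variant are placeholders, not real values.

```python
import re

# Constructed release.yml excerpt modelled on the floating inputs reported above (not the project's file).
FLOATING_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container: fedora:latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-deb
"""

# Same excerpt fully pinned; the 40-hex SHAs and the image digest are placeholders, not real values.
PINNED_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-24.04
    container: fedora@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4
      - uses: dtolnay/rust-toolchain@0000000000000000000000000000000000000000  # pinned release
        with:
          toolchain: 1.95.0
      - run: cargo install cargo-deb --version 3.7.0 --locked
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def find_floating_inputs(yaml_text: str) -> list:
    """Line-based (no YAML parser) scan for mutable release inputs: actions not pinned to a full
    commit SHA, *-latest runner labels, containers without an @sha256 digest, unpinned `cargo install`."""
    findings = []
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a human-readable version comment beside a SHA is fine
        if m := re.match(r"-?\s*uses:\s*(\S+)@(\S+)", line):
            if not FULL_SHA.match(m.group(2)):
                findings.append(f"{lineno}: action {m.group(1)} on mutable ref '{m.group(2)}'")
        elif m := re.match(r"runs-on:\s*(\S+)", line):
            if m.group(1).endswith("-latest"):
                findings.append(f"{lineno}: floating runner label {m.group(1)}")
        elif m := re.match(r"container:\s*(\S+)", line):
            if "@sha256:" not in m.group(1):
                findings.append(f"{lineno}: container image {m.group(1)} not pinned by digest")
        elif m := re.match(r"-?\s*run:\s*(cargo install\b.*)", line):
            if "--version" not in m.group(1) or "--locked" not in m.group(1):
                findings.append(f"{lineno}: '{m.group(1)}' lacks --version/--locked")
    return findings
```

Run it over `.github/workflows/release.yml` and `cd.yml` in CI so a reintroduced `@v4`, `@stable` or `*-latest` fails the build rather than surfacing in a later provenance review.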