Merged
26 changes: 26 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -59,6 +59,7 @@ jobs:
setup-task: true
task-version: '3.50.0'
task-retries: '3'
setup-gomplate: true

- name: Verify Setup
run: |
Expand Down Expand Up @@ -109,6 +110,9 @@ jobs:
echo "Swift SDKs: ${{ steps.test-all.outputs.swift-sdks }}"
swift --version
echo "::endgroup::"
echo "::group::Verify Gomplate Installation"
gomplate --version
echo "::endgroup::"

test-checkout:
name: Test Checkout Action
Expand Down Expand Up @@ -358,3 +362,25 @@ jobs:
- name: Verify Task Installation
run: |
task --version

test-setup-gomplate:
name: Test Setup Gomplate
runs-on: ubuntu-latest
steps:
- name: Harden Runner
id: harden-runner
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit

- name: Checkout Repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run Setup Gomplate Action
uses: ./
with:
setup-gomplate: true

- name: Verify Gomplate Installation
run: |
gomplate --version
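Review bot: The final step of `test-setup-gomplate`, `gomplate --version`, passes for any gomplate binary on PATH, so it does not show that this action installed the pinned v5.0.0 build into /usr/local/bin. Consider asserting on both: check that `command -v gomplate` resolves to `/usr/local/bin/gomplate` and that the version output contains the expected version string. The same applies to the `Verify Gomplate Installation` group added to the Verify Setup step earlier in this file. Separately, `egress-policy: audit` only records outbound traffic; a block policy with an explicit allow-list would turn an unexpected download host into a test failure.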
11 changes: 10 additions & 1 deletion README.md
Expand Up @@ -7,7 +7,7 @@ Common steps for initializing a job for GitHub actions. This composite action co
- Security hardening with Step Security's Harden Runner
- Repository checkout with configurable options
- Multi-language support (Node.js, Java, Python, Go, Rust, Swift)
- Build tool setup (Gradle)
- Build tool setup (Gradle, Task, gomplate)
- Automatic caching for dependencies and build artifacts

## Usage
Expand Down Expand Up @@ -109,6 +109,15 @@ Common steps for initializing a job for GitHub actions. This composite action co
| task-retries | Number of retries to set up task | No | 3 |
| checkout-token | Personal access token (PAT) used to fetch the repository | No | - |

**Gomplate**

| Input | Description | Required | Default |
|----------------|--------------------------|----------|---------|
| setup-gomplate | Whether to setup gomplate | No | false |

> [!NOTE]
> `setup-gomplate` currently installs the Linux AMD64 gomplate release artifact.

### Outputs

**Checkout Outputs**
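Review bot: The new Gomplate section does not say which version gets installed. action.yml hard-codes v5.0.0 and, unlike Task with `task-version`, offers no input to change it, so a reader of the README alone cannot tell what they will get. Suggest adding the pinned version to the NOTE, and mentioning that the install step verifies the binary against the release's SHA-256 checksum file and uses `sudo` to write to /usr/local/bin, since both affect where the action can run.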
33 changes: 33 additions & 0 deletions action.yml
Expand Up @@ -120,6 +120,10 @@ inputs:
description: 'Whether to setup Task'
required: false
default: 'false'
setup-gomplate:
description: 'Whether to setup gomplate'
required: false
default: 'false'
task-version:
description: 'Task version to use'
required: false
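Review bot: `setup-gomplate` is inserted between `setup-task` and `task-version`, which splits the Task inputs in two. Moving it below the remaining Task inputs keeps each tool's inputs together and matches the per-tool tables in the README.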
Expand Down Expand Up @@ -393,6 +397,35 @@ runs:
repo-token: ${{ inputs.checkout-token }}
max-retries: ${{ inputs.task-retries }}

- name: Set Up Gomplate Parameters
id: setup-gomplate-params
if: ${{ inputs.setup-gomplate == 'true' }}
shell: bash
run: |
echo "::group::Setting up gomplate"
echo "Version: v5.0.0"
echo "::endgroup::"

- name: Install Gomplate
id: setup-gomplate
if: ${{ inputs.setup-gomplate == 'true' }}
shell: bash
run: |
GOMPLATE_VERSION="v5.0.0"
GOMPLATE_RELEASE_URL="https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}"

curl -sSfL "${GOMPLATE_RELEASE_URL}/gomplate_linux-amd64" \
-o /tmp/gomplate || { echo "Failed to download gomplate binary"; exit 1; }
curl -sSfL "${GOMPLATE_RELEASE_URL}/checksums-${GOMPLATE_VERSION}_sha256.txt" \
-o /tmp/gomplate_checksums.txt || { echo "Failed to download gomplate checksums"; exit 1; }
EXPECTED_SHA="$(grep 'bin/gomplate_linux-amd64$' /tmp/gomplate_checksums.txt | awk '{print $1}')"
if [ -z "${EXPECTED_SHA}" ]; then
echo "Unable to find checksum for gomplate_linux-amd64"
Comment on lines +416 to +423
Copilot AI Apr 14, 2026

The checksum lookup is grepping for bin/gomplate_linux-amd64, but the downloaded asset name is gomplate_linux-amd64. Unless the upstream checksums file actually includes the bin/ prefix, this will make EXPECTED_SHA empty and the step will always fail. Consider matching the exact asset filename present in the checksums file (and/or supporting both formats) to make the verification reliable.

Suggested change
curl -sSfL "${GOMPLATE_RELEASE_URL}/gomplate_linux-amd64" \
-o /tmp/gomplate || { echo "Failed to download gomplate binary"; exit 1; }
curl -sSfL "${GOMPLATE_RELEASE_URL}/checksums-${GOMPLATE_VERSION}_sha256.txt" \
-o /tmp/gomplate_checksums.txt || { echo "Failed to download gomplate checksums"; exit 1; }
EXPECTED_SHA="$(grep 'bin/gomplate_linux-amd64$' /tmp/gomplate_checksums.txt | awk '{print $1}')"
if [ -z "${EXPECTED_SHA}" ]; then
echo "Unable to find checksum for gomplate_linux-amd64"
GOMPLATE_ASSET="gomplate_linux-amd64"
curl -sSfL "${GOMPLATE_RELEASE_URL}/${GOMPLATE_ASSET}" \
-o /tmp/gomplate || { echo "Failed to download gomplate binary"; exit 1; }
curl -sSfL "${GOMPLATE_RELEASE_URL}/checksums-${GOMPLATE_VERSION}_sha256.txt" \
-o /tmp/gomplate_checksums.txt || { echo "Failed to download gomplate checksums"; exit 1; }
EXPECTED_SHA="$(awk -v asset="${GOMPLATE_ASSET}" '$2 == asset || $2 == "bin/" asset { print $1; exit }' /tmp/gomplate_checksums.txt)"
if [ -z "${EXPECTED_SHA}" ]; then
echo "Unable to find checksum for ${GOMPLATE_ASSET}"

exit 1
fi
echo "${EXPECTED_SHA} /tmp/gomplate" | sha256sum -c - || { echo "Gomplate checksum verification failed"; exit 1; }
sudo install -m 755 /tmp/gomplate /usr/local/bin/gomplate
Comment on lines +409 to +427
Copilot AI Apr 14, 2026

This install path is Linux/AMD64-specific (gomplate_linux-amd64, sha256sum, /usr/local/bin, sudo). If a workflow runs this composite action on macOS/Windows or non-amd64 Linux with setup-gomplate: true, it will fail in a non-obvious way. Consider adding an explicit runner.os / architecture guard with a clear error message (or skipping) to match the documented scope.


branding:
icon: 'arrow-up-right'
color: 'green'
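Review bot: In `Install Gomplate`, the checksum file is downloaded from the same `GOMPLATE_RELEASE_URL` as the binary, so the `sha256sum -c` check catches a corrupted or truncated download but not a replaced release asset: whoever can swap `gomplate_linux-amd64` can swap `checksums-${GOMPLATE_VERSION}_sha256.txt` too. Since the version is already fixed at v5.0.0, pin the expected SHA-256 as a literal next to `GOMPLATE_VERSION` and compare against that, dropping the second download. Two smaller points in the same steps: the version string is written twice (`echo "Version: v5.0.0"` and `GOMPLATE_VERSION="v5.0.0"`) and can drift on the next bump, and the fixed paths `/tmp/gomplate` and `/tmp/gomplate_checksums.txt` are predictable on a shared or self-hosted runner; a `mktemp -d` directory or `$RUNNER_TEMP` would avoid that.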