From 5a2cebbb8a2fdc8f6a80898cf6d4177079d0803f Mon Sep 17 00:00:00 2001
From: lcatlett
Date: Tue, 1 Apr 2025 19:53:06 -0400
Subject: [PATCH 1/2] Improve version detection and input parameters

---
 action.yml | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/action.yml b/action.yml
index f181760..fd07991 100644
--- a/action.yml
+++ b/action.yml
@@ -10,11 +10,12 @@ inputs:
 terminus-version:
 description: |
 The full version of Terminus to install. If omitted, the latest version is used.
+ For deterministic builds, specifying a version is recommended.
 required: false
 disable-cache:
 description: Disable session cache and force a new session to be initiated.
 required: false
- default: false
+ default: "false"
 runs:
 using: composite
@@ -23,12 +24,25 @@ runs:
 if: ${{ ! inputs.terminus-version }}
 shell: bash
 run: |
- TERMINUS_RELEASE=$(
- curl --silent \
+ echo "Attempting to find latest Terminus version..."
+ # Try to get the latest release from GitHub API with proper error handling
+ if ! TERMINUS_RELEASE=$(curl --silent --fail --max-time 10 \
 --header 'authorization: Bearer ${{ github.token }}' \
 "https://api.github.com/repos/pantheon-systems/terminus/releases/latest" \
- | perl -nle'print $& while m#"tag_name": "\K[^"]*#g'
- )
+ | perl -nle'print $& while m#"tag_name": "\K[^"]*#g'); then
+ echo "::error::Failed to connect to GitHub API to determine latest Terminus version."
+ echo "::error::Please specify a terminus-version input parameter for deterministic builds."
+ exit 1
+ fi
+
+ # Validate we got a proper version string (should be semver format)
+ if [[ -z "$TERMINUS_RELEASE" || ! "$TERMINUS_RELEASE" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "::error::Unable to determine a valid Terminus version from GitHub API."
+ echo "::error::Please specify a terminus-version input parameter for deterministic builds."
+ exit 1
+ fi
+
+ echo "Latest Terminus version detected: $TERMINUS_RELEASE"
 echo "TERMINUS_RELEASE=$TERMINUS_RELEASE" >> $GITHUB_ENV
 - name: Install Terminus

From 436002cba9d559a7559167b28f04587086d241ed Mon Sep 17 00:00:00 2001
From: lcatlett
Date: Tue, 1 Apr 2025 19:53:58 -0400
Subject: [PATCH 2/2] Add download validation, checksum verification, and installation verification

---
 action.yml | 42 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)

diff --git a/action.yml b/action.yml
index fd07991..4f53ecb 100644
--- a/action.yml
+++ b/action.yml
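Review bot: The `if ! TERMINUS_RELEASE=$(curl ... | perl ...)` guard only sees curl's `--fail` status because GitHub's `shell: bash` runs the script with `-eo pipefail`; under a plain bash the pipeline status is perl's (0 even with no match) and an HTTP error would pass through as an empty string, so the comment above it should state that dependency, e.g. `# NOTE: relies on pipefail (runner sets -eo pipefail for shell: bash) so a curl failure fails this assignment`. The semver regex is also the only thing keeping `$TERMINUS_RELEASE` URL-safe before the Install step interpolates it into the release download URLs, but a caller-supplied `inputs.terminus-version` skips this whole step via `if: ${{ ! inputs.terminus-version }}` and reaches those URLs unchecked; running the same `[[ "$TERMINUS_RELEASE" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]` test at the top of the Install step's `run:` block (the next hunk) would give both paths the same validation. The `>> $GITHUB_ENV` redirect should be `>> "$GITHUB_ENV"`.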
@@ -48,12 +48,48 @@ runs:
 - name: Install Terminus
 shell: bash
 run: |
- mkdir $HOME/terminus && cd $HOME/terminus
+ mkdir -p $HOME/terminus && cd $HOME/terminus
 echo "Installing Terminus v$TERMINUS_RELEASE"
- curl -L https://github.com/pantheon-systems/terminus/releases/download/$TERMINUS_RELEASE/terminus.phar --output terminus
+
+ # Download Terminus with validation
+ if ! curl --fail -L https://github.com/pantheon-systems/terminus/releases/download/$TERMINUS_RELEASE/terminus.phar --output terminus; then
+ echo "::error::Failed to download Terminus v$TERMINUS_RELEASE"
+ exit 1
+ fi
+
+ # Download checksum for verification
+ if curl --fail -L https://github.com/pantheon-systems/terminus/releases/download/$TERMINUS_RELEASE/terminus.phar.sha256 --output terminus.sha256; then
+ echo "Verifying download integrity..."
+ # Fix the checksum file format if needed (ensure it only contains hash and filename)
+ sed -i.bak 's/^.*\([0-9a-f]\{64\}\).*$/\1 terminus/g' terminus.sha256
+ if ! sha256sum -c terminus.sha256; then
+ echo "::error::Checksum verification failed! The downloaded file may be corrupted."
+ exit 1
+ fi
+ echo "Integrity verification passed."
+ else
+ echo "::warning::Could not download checksum file. Skipping integrity check."
+ fi
+
+ # Basic file type verification
+ file_info=$(file terminus)
+ if ! echo "$file_info" | grep -q -E 'PHP script|executable|.+ASCII.+PHP'; then
+ echo "::error::Downloaded file is not a PHP script or executable. Got: $file_info"
+ exit 1
+ fi
+
+ # Make executable and create symlink
 chmod +x terminus
- sudo ln -s $HOME/terminus/terminus /usr/local/bin/terminus
+ sudo ln -sf $HOME/terminus/terminus /usr/local/bin/terminus
 mkdir -p $HOME/.terminus/{cache,plugins}
+
+ # Verify installation
+ echo "Verifying Terminus installation..."
+ if ! terminus --version; then
+ echo "::error::Terminus installation verification failed."
+ exit 1
+ fi
+ echo "Terminus installation successful."
 env:
 TERMINUS_RELEASE: ${{ inputs.terminus-version || env.TERMINUS_RELEASE }}
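Review bot: The checksum branch fails open: when the `.sha256` download fails, the `else` arm only emits `::warning::` and the unverified phar is then chmod'ed, symlinked into `/usr/local/bin` and executed by `terminus --version`, so a single failed request (or an intermediary that drops just that request) silently downgrades the install to no integrity check. Replacing the warning with `echo "::error::Could not download checksum file for v$TERMINUS_RELEASE; refusing to install an unverified binary."` and `exit 1` makes the guarantee the comment `# Download checksum for verification` implies actually hold; since the hash is fetched from the same release endpoint as the binary it only detects corruption, as the error text already says, which is all the more reason to make that cheap check mandatory rather than optional. Two smaller points in the same block: `sed` rewrites the checksum line to `<hash> terminus` with a single space, whereas GNU `sha256sum -c` is documented with two spaces (`<hash>  terminus`) — confirm on a runner that the single-space form is accepted and not reported as improperly formatted; and because the runner's bash runs with `-e`, a missing `file` binary makes `file_info=$(file terminus)` abort the step with no `::error::` line, so the check should either guard on `command -v file` or print its own error.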