Missing integrity check for Hugo download in example workflow

[ulgens]

The GitHub workflow example from https://gohugo.io/host-and-deploy/host-on-github-pages/#step-4 downloads the hugo archive without any validation. Considering hugo release artifacts already include the related checksums, updating the example setup could be an easy win for supply chain security.

If this sounds useful, I can create a small PR built around the following additions:

curl -sLJO "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_checksums.txt"
grep "hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz" "hugo_${HUGO_VERSION}_checksums.txt" | sha256sum --check

[jmooring]

Thanks for the suggestion. However, downloading the checksum file from the same source as the archive provides integrity (checking for corrupted downloads¹) but doesn't solve for supply chain security. If the source is compromised, both files are compromised.

To provide actual security, we would need to hardcode the checksum, which isn't sustainable for the docs. I’m open to a PR that adds a brief note to all relevant hosting guides (not just the GitHub Pages guide) mentioning that users can verify checksums for increased security, but I'd prefer to keep the primary workflow example as simple as possible.

Footnotes

1. In the case of a corrupted download the build fails, which is an acceptable outcome. ↩