From 7931a241e7bb90fcc9421559ca4dce75ebea500c Mon Sep 17 00:00:00 2001
From: zhom <2717306+zhom@users.noreply.github.com>
Date: Wed, 8 Apr 2026 18:52:39 +0400
Subject: [PATCH] chore: aws integrity checks
---
 .github/workflows/publish-repos.yml | 12 +++++++-----
 scripts/publish-repo.sh | 4 ++++
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish-repos.yml b/.github/workflows/publish-repos.yml
index 6d6d61b..97c8529 100644
--- a/.github/workflows/publish-repos.yml
+++ b/.github/workflows/publish-repos.yml
@@ -40,11 +40,11 @@ jobs:
 echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
 fi
- - name: Normalize R2 endpoint
- # The R2_ENDPOINT_URL secret may be stored with or without a scheme.
- # `aws s3 --endpoint-url` rejects values without `https://`, so we
- # prepend it once here and export via $GITHUB_ENV so every later step
- # inherits the normalised value. Keep this step before any `aws` call.
+ - name: Configure aws-cli for R2
+ # aws-cli v2.23+ sends integrity checksums by default; Cloudflare R2
+ # rejects those headers with `Unauthorized` on ListObjectsV2.
+ # Also normalise the endpoint URL (must start with https://).
+ # Both values propagate to later steps via $GITHUB_ENV.
 env:
 RAW_ENDPOINT: ${{ secrets.R2_ENDPOINT_URL }}
 run: |
@@ -53,6 +53,8 @@ jobs:
 endpoint="https://$endpoint"
 fi
 echo "R2_ENDPOINT=$endpoint" >> "$GITHUB_ENV"
+ echo "AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
+ echo "AWS_RESPONSE_CHECKSUM_VALIDATION=WHEN_REQUIRED" >> "$GITHUB_ENV"
 - name: Install tools
 run: |
diff --git a/scripts/publish-repo.sh b/scripts/publish-repo.sh
index 97acb24..c7b5434 100755
--- a/scripts/publish-repo.sh
+++ b/scripts/publish-repo.sh
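Review bot: The rewritten step comment in the first hunk drops the earlier sentence telling maintainers to keep this step before any `aws` call, yet the step still passes its values on through `$GITHUB_ENV`, which by the comment's own wording only reaches later steps. I would keep that ordering warning as the last comment line, e.g. `# Keep this step before any aws call; $GITHUB_ENV only affects later steps.` The comment also says R2 "rejects those headers" without saying that the step therefore relaxes aws-cli's default checksum behaviour for the rest of the job; one clause stating that would help anyone auditing the publish path.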
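Review bot: The two added `echo ... >> "$GITHUB_ENV"` lines set both checksum variables to `WHEN_REQUIRED` for every later step in the job, so aws-cli stops adding its default checksums to uploads and stops validating them on downloads wherever the operation does not demand one. For a job that publishes package repositories this leaves transfer integrity to TLS and to whatever signature or hash verification exists outside this diff, which should be written down next to the setting together with the condition for reverting it. The comment cites only a request-side failure on ListObjectsV2, so it is worth confirming whether `AWS_RESPONSE_CHECKSUM_VALIDATION` needs to change at all; if it does not, drop that line and keep response validation at its default. The same pair of settings is exported in scripts/publish-repo.sh, and the same question applies there. The `run:` block this hunk edits starts and continues outside the hunk.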
@@ -27,6 +27,10 @@ done
 export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID"
 export AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY"
 export AWS_DEFAULT_REGION="auto"
+# aws-cli v2.23+ sends integrity checksums by default; R2 rejects them
+# with `Unauthorized` on ListObjectsV2. Disable.
+export AWS_REQUEST_CHECKSUM_CALCULATION="WHEN_REQUIRED"
+export AWS_RESPONSE_CHECKSUM_VALIDATION="WHEN_REQUIRED"
 # Ensure endpoint URL has https:// prefix
 R2_ENDPOINT="$R2_ENDPOINT_URL"
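Review bot: The added comment ends with "Disable.", but `WHEN_REQUIRED` does not switch checksums off; it limits them to operations that require one. I would word the second comment line as `# Only send/validate checksums when the operation requires one.` so a later reader neither assumes integrity checking is gone entirely nor misses that the default protection was reduced. These exports are top-level statements in a script that starts and continues outside the hunk.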