
Missing checksum validation when downloading qlty binary #107

@labac-p

Hi team,

I noticed that the qlty-action currently downloads the qlty CLI binary without performing any kind of checksum verification (e.g., SHA256). This poses a potential security risk, as the binary could be tampered with during transmission or replaced if the source is compromised.

Why this matters:

  • Without checksum validation, there’s no guarantee that the binary being executed is authentic or unmodified.
  • It increases the risk of supply chain attacks, especially in CI/CD environments where automated trust is essential.

Suggested solution:

  • Provide and verify a checksum (e.g., SHA256 hash) for the binary after downloading.
  • Consider publishing checksums alongside the release assets and verifying them in the action workflow.

Implementing checksum verification would enhance the security and reliability of this GitHub Action.
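The verification step the issue asks for, as an added example that is not part of the issue or of qlty-action's own code. It assumes the release publishes a checksums file in the `sha256sum` format (`<hex digest>  <filename>` per line); the binary contents and file names below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not qlty's code): refuse to run a downloaded binary whose
# SHA256 digest does not match the published checksums file.
set -eu

# Print the SHA256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <binary> <checksums-file>
# Looks up the binary's basename in the checksums file and compares digests.
# Returns 0 on match, 1 on mismatch, 2 when the file lists no entry for it.
verify_checksum() {
  binary="$1"
  sums="$2"
  name=$(basename "$binary")
  # Tolerate the "*name" form sha256sum emits for binary-mode entries.
  expected=$(awk -v n="$name" '{f=$2; sub(/^\*/, "", f); if (f == n) {print $1; exit}}' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual=$(sha256_of "$binary")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum OK for $name"
}

# Demo on a constructed stand-in for the downloaded binary (assumed file names).
workdir=$(mktemp -d)
printf 'fake qlty binary\n' > "$workdir/qlty"
printf '%s  qlty\n' "$(sha256_of "$workdir/qlty")" > "$workdir/qlty.sha256"
verify_checksum "$workdir/qlty" "$workdir/qlty.sha256"            # intact: passes
printf 'tampered\n' >> "$workdir/qlty"                             # simulate modification
verify_checksum "$workdir/qlty" "$workdir/qlty.sha256" || echo "refusing to run (exit $?)"
```

In a workflow step this check sits between the download and the first invocation of the binary, with a non-zero exit failing the job.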
