chore: standardize yq installation in workflows

yousef-cohere · yousef-cohere · commit 1826b0a074c9 · 2026-04-22T11:50:16.000-04:00
- Updated the yq installation steps in both peerpods-chart_image.yaml and publish-cohere-release.yaml to use a consistent method with version and checksum verification.
- This change enhances security and reliability by ensuring the correct version of yq is installed and verified before use.
diff --git a/.github/workflows/peerpods-chart_image.yaml b/.github/workflows/peerpods-chart_image.yaml
@@ -60,10 +60,15 @@ jobs:
           fetch-depth: 0
 
       - name: Install yq
+        # Keep in sync with the pin in publish-cohere-release.yaml.
+        env:
+          YQ_VERSION: v4.44.3
+          YQ_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
         run: |
-          echo "Installing yq..."
-          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
-          sudo chmod +x /usr/local/bin/yq
+          curl -fsSLo /tmp/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64"
+          echo "${YQ_SHA256}  /tmp/yq" | sha256sum --check --strict
+          sudo install -m 0755 /tmp/yq /usr/local/bin/yq
+          rm /tmp/yq
           yq --version
 
       - name: Read versions from Chart.yaml and versions.yaml
diff --git a/.github/workflows/publish-cohere-release.yaml b/.github/workflows/publish-cohere-release.yaml
@@ -185,9 +185,16 @@ jobs:
           fetch-depth: 0
 
       - name: Install yq
+        # Keep in sync with the pin in peerpods-chart_image.yaml.
+        env:
+          YQ_VERSION: v4.44.3
+          YQ_SHA256: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
         run: |
-          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
-          sudo chmod +x /usr/local/bin/yq
+          curl -fsSLo /tmp/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64"
+          echo "${YQ_SHA256}  /tmp/yq" | sha256sum --check --strict
+          sudo install -m 0755 /tmp/yq /usr/local/bin/yq
+          rm /tmp/yq
+          yq --version
 
       - name: Patch values.yaml with release image tags
         env:
