Move provider checksum verification from unit test to codegen sanity check

Instead of a separate test that downloads large archives on every test
run, verify the checksum inline during codegen: FetchProviderChecksums
now downloads the linux_amd64 zip and verifies it matches the parsed
SHA256SUMS entry. This runs once during `go run .` (provider version
bump) rather than on every `make test`.

Co-authored-by: Isaac

Author: shreyas-goenka

bundle/deploy/terraform/pkg_test.go

@@ -58,20 +58,6 @@ func TestTerraformArchiveChecksums(t *testing.T) {
 	downloadAndChecksum(t, armUrl, tv.ChecksumLinuxArm64)
 }
 
-func TestTerraformProviderArchiveChecksums(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping slow test in short mode")
-	}
-
-	metadata, err := NewTerraformMetadata(t.Context())
-	require.NoError(t, err)
-
-	amdUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_amd64.zip", metadata.ProviderVersion, metadata.ProviderVersion)
-	armUrl := fmt.Sprintf("https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_linux_arm64.zip", metadata.ProviderVersion, metadata.ProviderVersion)
-
-	downloadAndChecksum(t, amdUrl, metadata.ProviderChecksum.LinuxAmd64)
-	downloadAndChecksum(t, armUrl, metadata.ProviderChecksum.LinuxArm64)
-}
 
 func TestGetTerraformVersionDefault(t *testing.T) {
 	// Verify that the default version is used

bundle/internal/tf/codegen/schema/checksum.go

@@ -2,7 +2,11 @@ package schema
 
 import (
 	"bufio"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"io"
+	"log"
 	"net/http"
 	"strings"
 )
@@ -16,7 +20,8 @@ type ProviderChecksums struct {
 
 // FetchProviderChecksums downloads the SHA256SUMS file from the GitHub release
 // for the given provider version and extracts checksums for the linux_amd64 and
-// linux_arm64 archives.
+// linux_arm64 archives. It also downloads the linux_amd64 zip to verify that
+// the parsed checksum is correct.
 // https://github.com/databricks/terraform-provider-databricks/releases
 func FetchProviderChecksums(version string) (*ProviderChecksums, error) {
 	url := fmt.Sprintf(
@@ -63,5 +68,44 @@ func FetchProviderChecksums(version string) (*ProviderChecksums, error) {
 		return nil, fmt.Errorf("checksum not found for %s in SHA256SUMS", arm64Suffix)
 	}
 
+	// Sanity check: download the linux_amd64 zip and verify the checksum matches.
+	err = verifyProviderChecksum(version, "linux_amd64", checksums.LinuxAmd64)
+	if err != nil {
+		return nil, err
+	}
+
 	return checksums, nil
 }
+
+// verifyProviderChecksum downloads the provider zip for the given platform and
+// verifies it matches the expected SHA256 checksum.
+func verifyProviderChecksum(version, platform, expectedChecksum string) error {
+	url := fmt.Sprintf(
+		"https://github.com/databricks/terraform-provider-databricks/releases/download/v%s/terraform-provider-databricks_%s_%s.zip",
+		version, version, platform,
+	)
+
+	log.Printf("verifying checksum for %s provider archive", platform)
+	resp, err := http.Get(url)
+	if err != nil {
+		return fmt.Errorf("downloading provider archive for checksum verification: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("downloading provider archive for checksum verification: HTTP %s", resp.Status)
+	}
+
+	hash := sha256.New()
+	if _, err := io.Copy(hash, resp.Body); err != nil {
+		return fmt.Errorf("computing checksum for provider archive: %w", err)
+	}
+
+	actualChecksum := hex.EncodeToString(hash.Sum(nil))
+	if actualChecksum != expectedChecksum {
+		return fmt.Errorf("checksum mismatch for %s provider archive: expected %s, got %s", platform, expectedChecksum, actualChecksum)
+	}
+
+	log.Printf("checksum verified for %s provider archive", platform)
+	return nil
+}