Describe the feature you'd like
You're downloading yt-dlp, deno, and ffmpeg from random but popular sources, without any verification that they're what they say they are, with GH actions actively pushing to the release channels that you're sourcing from. Hopefully I don't have to explain the possible worst case scenario here. I don't know if there's any way of verifying the ffmpeg source you're pulling from (☹️) but there's signed SHA512 hashes of yt-dlp and SHA256 hashes of Deno. Checking the hashes should be an easy win, and checking the signature on the hashes would be an even better win.
Describe alternatives you've considered
No response
Additional context
No response
Describe the feature you'd like
You're downloading yt-dlp, deno, and ffmpeg from random but popular sources, without any verification that they're what they say they are, with GH actions actively pushing to the release channels that you're sourcing from. Hopefully I don't have to explain the possible worst case scenario here. I don't know if there's any way of verifying the ffmpeg source you're pulling from (☹️ ) but there's signed SHA512 hashes of yt-dlp and SHA256 hashes of Deno. Checking the hashes should be an easy win, and checking the signature on the hashes would be an even better win.
Describe alternatives you've considered
No response
Additional context
No response