Skip to content

Make dedicated build dependencies function per variant #3

Make dedicated build dependencies function per variant

Make dedicated build dependencies function per variant #3

name: Workflow Verification
permissions:
contents: read
on:
pull_request:
branches: [ main ]
push:
branches: [ main ]
workflow_dispatch:
jobs:
verify-workflows:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- name: Check workflow permissions
run: |
set -e
missing=0
for f in .github/workflows/*.yml; do
if ! grep -q '^[[:space:]]*permissions:' "$f"; then
echo "Workflow $f missing 'permissions' key"
missing=1
fi
done
if [ "$missing" = 1 ]; then
echo "One or more workflows are missing the 'permissions' stanza."
exit 1
fi
verify-checksums:
runs-on: ubuntu-24.04
timeout-minutes: 15
steps:
- uses: actions/checkout@v3
- name: 'Download Verification'
run: |
set -ex
# ensure clean state and perform an initial download (should succeed)
rm -f build/dash/0.5.13.tar.gz
sh shvr.sh download dash_0.5.13
- name: 'Corrupt checksum and assert download fails'
run: |
set -ex
# backup checksum file
cp checksums/sources/dash/0.5.13.tar.gz.sha256sums checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak
# corrupt checksum: replace hash with ones; keep filename
printf '1111111111111111111111111111111111111111111111111111111111111111 %s\n' "0.5.13.tar.gz" > checksums/sources/dash/0.5.13.tar.gz.sha256sums
# remove any existing artifact to force re-download
rm -f build/dash/0.5.13.tar.gz
set +e
# attempt download once; if the worker network is flaky this may fail
# for reasons other than checksum mismatch. Capture logs and RC so we
# can differentiate mismatch from other failures.
# run the download and capture the exit code; write logs to file
sh shvr.sh download dash_0.5.13 > download.log 2>&1
rc=$?
# show the log to the step output so it appears in CI
cat download.log
set -e
if [ "$rc" -eq 0 ]; then
echo "Expected checksum verification to fail but it succeeded" >&2
exit 1
fi
# ensure the failure was due to checksum mismatch; depending on the
# runner and sha256sum version we may see one of multiple messages:
# - our own 'sha256sum mismatch for ...' message
# - a 'filename: FAILED' message emitted by 'sha256sum -c'
# If neither is present then this is likely a transient network or
# download tool error; fail the CI with the full log to help debug.
grep -q "sha256sum mismatch" download.log || grep -q ": FAILED" download.log || (cat download.log && exit 1)
- name: 'Restore checksum and verify success'
run: |
set -ex
mv checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak checksums/sources/dash/0.5.13.tar.gz.sha256sums
rm -f build/dash/0.5.13.tar.gz
sh shvr.sh download dash_0.5.13