Pin Rust toolchain and apt to snapshot.debian.org for reproducibility #198
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Workflow Verification | |
| permissions: | |
| contents: read | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| push: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| verify-workflows: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Check workflow permissions | |
| run: | | |
| set -e | |
| missing=0 | |
| for f in .github/workflows/*.yml; do | |
| if ! grep -q '^[[:space:]]*permissions:' "$f"; then | |
| echo "Workflow $f missing 'permissions' key" | |
| missing=1 | |
| fi | |
| done | |
| if [ "$missing" = 1 ]; then | |
| echo "One or more workflows are missing the 'permissions' stanza." | |
| exit 1 | |
| fi | |
| verify-checksums: | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: 'Download Verification' | |
| run: | | |
| set -ex | |
| # ensure clean state and perform an initial download (should succeed) | |
| rm -f build/dash/0.5.13.tar.gz | |
| sh shvr.sh download dash_0.5.13 | |
| - name: 'Corrupt checksum and assert download fails' | |
| run: | | |
| set -ex | |
| # backup checksum file | |
| cp checksums/sources/dash/0.5.13.tar.gz.sha256sums checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak | |
| # corrupt checksum: replace hash with ones; keep filename | |
| printf '1111111111111111111111111111111111111111111111111111111111111111 %s\n' "0.5.13.tar.gz" > checksums/sources/dash/0.5.13.tar.gz.sha256sums | |
| # remove any existing artifact to force re-download | |
| rm -f build/dash/0.5.13.tar.gz | |
| set +e | |
| # attempt download once; if the worker network is flaky this may fail | |
| # for reasons other than checksum mismatch. Capture logs and RC so we | |
| # can differentiate mismatch from other failures. | |
| # run the download and capture the exit code; write logs to file | |
| sh shvr.sh download dash_0.5.13 > download.log 2>&1 | |
| rc=$? | |
| # show the log to the step output so it appears in CI | |
| cat download.log | |
| set -e | |
| if [ "$rc" -eq 0 ]; then | |
| echo "Expected checksum verification to fail but it succeeded" >&2 | |
| exit 1 | |
| fi | |
| # ensure the failure was due to checksum mismatch; depending on the | |
| # runner and sha256sum version we may see one of multiple messages: | |
| # - our own 'sha256sum mismatch for ...' message | |
| # - a 'filename: FAILED' message emitted by 'sha256sum -c' | |
| # If neither is present then this is likely a transient network or | |
| # download tool error; fail the CI with the full log to help debug. | |
| grep -q "sha256sum mismatch" download.log || grep -q ": FAILED" download.log || (cat download.log && exit 1) | |
| - name: 'Restore checksum and verify success' | |
| run: | | |
| set -ex | |
| mv checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak checksums/sources/dash/0.5.13.tar.gz.sha256sums | |
| rm -f build/dash/0.5.13.tar.gz | |
| sh shvr.sh download dash_0.5.13 |