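# Verify that every ZIP a pull request adds or modifies matches the "sha256"
# recorded in the manifest.json that sits next to it.
name: Verify ZIP sha256 matches manifest.json

on:
  pull_request:
    types: [opened, reopened, synchronize, edited, ready_for_review]

# The job only reads the repository; the default GITHUB_TOKEN needs no write
# scope, so grant none (least privilege for workflows that run on fork PRs).
permissions:
  contents: read

jobs:
  verify-zip-sha:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR HEAD
        uses: actions/checkout@v4
        with:
          # On pull_request the default checkout is the synthetic merge commit;
          # pin the PR head so the bytes hashed are exactly what was pushed
          # (and the step name is accurate). Full history is needed for the
          # three-dot diff below.
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: Verify sha256 for changed ZIPs
        shell: bash
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          echo "Base: $BASE_SHA"
          echo "Head: $HEAD_SHA"

          # Emit a GitHub error annotation for $1 (file) with message $2 and
          # stop. Callers only pass values that have been bounded first (paths
          # screened for line breaks, digests regex-checked), so PR-controlled
          # content cannot smuggle extra "::" workflow commands into the log.
          fail() {
            echo "::error file=$1::$2"
            exit 1
          }

          # Files the PR itself adds, copies, modifies or renames: the three-dot
          # form diffs from the merge base, so changes that only landed on the
          # base branch are not re-verified here. Deleted paths are excluded
          # (nothing to hash). NUL-delimited so unusual path characters survive.
          changed_zips=()
          while IFS= read -r -d '' f; do
            [[ "$f" == *.zip ]] || continue
            # A line break in a path would let the path start a new log line;
            # refuse it rather than echo it.
            if [[ "$f" == *$'\n'* || "$f" == *$'\r'* ]]; then
              echo "::error::Refusing ZIP path containing a line break"
              exit 1
            fi
            changed_zips+=("$f")
          done < <(git diff --name-only -z --diff-filter=ACMR "$BASE_SHA...$HEAD_SHA")

          if (( ${#changed_zips[@]} == 0 )); then
            echo "No .zip files changed in this PR. Nothing to verify."
            exit 0
          fi
          echo "Changed ZIP files:"
          printf ' - %s\n' "${changed_zips[@]}"

          for zip_path in "${changed_zips[@]}"; do
            # --diff-filter already drops deletions; this only guards against a
            # path that is not a regular file in the checkout (e.g. a directory).
            if [[ ! -f "$zip_path" ]]; then
              echo "Skipping (not a regular file in PR head): $zip_path"
              continue
            fi
            dir="$(dirname -- "$zip_path")"
            manifest_path="$dir/manifest.json"
            if [[ ! -f "$manifest_path" ]]; then
              fail "$manifest_path" "manifest.json not found next to ZIP ($zip_path)"
            fi

            # Hash via stdin: no option parsing on the file name and no
            # backslash-escaped name column in the output to strip.
            computed="$(sha256sum < "$zip_path")"
            computed="${computed%% *}"
            computed="${computed,,}"

            # Read the expected digest. A malformed manifest gets a clear
            # annotation (jq's own diagnostic still goes to the job log) instead
            # of set -e aborting silently inside the assignment.
            if ! manifest_sha="$(jq -r '.sha256 // empty' < "$manifest_path")"; then
              fail "$manifest_path" "manifest.json is not valid JSON"
            fi
            manifest_sha="${manifest_sha,,}"
            if [[ -z "$manifest_sha" ]]; then
              fail "$manifest_path" "Missing or empty \"sha256\" field in manifest.json"
            fi
            # A SHA-256 digest is exactly 64 hex characters. This catches
            # whitespace/typos with a precise message and bounds the value
            # before it is printed, so manifest content cannot inject log lines.
            if [[ ! "$manifest_sha" =~ ^[0-9a-f]{64}$ ]]; then
              fail "$manifest_path" "\"sha256\" in manifest.json is not a 64-character hex digest"
            fi

            echo "ZIP:      $zip_path"
            echo "Manifest: $manifest_path"
            echo "Computed: $computed"
            echo "Expected: $manifest_sha"
            if [[ "$computed" != "$manifest_sha" ]]; then
              fail "$manifest_path" "sha256 mismatch for $zip_path (computed=$computed, manifest=$manifest_sha)"
            fi
            echo "✅ sha256 matches for $zip_path"
          done
          echo "All changed ZIPs verified successfully."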