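# Verify that every ZIP archive touched by a pull request matches the sha256
# recorded in the manifest.json that sits next to it.
#
# The workflow runs on `pull_request` (not `pull_request_target`), so code
# from a fork is never executed with write credentials; `permissions` is
# narrowed to read-only as well so the default token cannot push or comment.
name: Verify ZIP sha256 matches manifest.json

on:
  pull_request:
    types: [opened, reopened, synchronize, edited, ready_for_review]

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  verify-zip-sha:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR HEAD
        # Consider pinning this action to a full commit SHA rather than a
        # moving tag, so a compromised tag cannot change what runs here.
        uses: actions/checkout@v4
        with:
          # On pull_request the default ref is the synthetic merge commit,
          # not the PR head; check out the head explicitly so the bytes
          # hashed below are exactly the ones the contributor pushed.
          ref: ${{ github.event.pull_request.head.sha }}
          # Full history so the merge-base with BASE_SHA is available.
          fetch-depth: 0

      - name: Verify sha256 for changed ZIPs
        shell: bash
        # SHAs are passed through env rather than interpolated into `run:`,
        # so event-payload values can never alter the shell script text.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail

          printf 'Base: %s\nHead: %s\n' "$BASE_SHA" "$HEAD_SHA"

          # Emit a GitHub error annotation for FILE and stop the job.
          #   $1 - file path the annotation points at
          #   $@ - message text
          fail() {
            local file=$1; shift
            printf '::error file=%s::%s\n' "$file" "$*"
            exit 1
          }

          # Collect .zip paths added/modified/renamed on the PR branch.
          # The three-dot range diffs against the merge-base, so files that
          # only changed on the base branch are not reported; deletions are
          # excluded (--diff-filter=d) because there is nothing to hash.
          # NUL-delimited (-z) so arbitrary file names survive intact.
          changed_zips=()
          while IFS= read -r -d '' f; do
            if [[ "$f" == *.zip ]]; then
              changed_zips+=("$f")
            fi
          done < <(git diff -z --name-only --diff-filter=d "$BASE_SHA...$HEAD_SHA")

          if (( ${#changed_zips[@]} == 0 )); then
            echo "No .zip files changed in this PR. Nothing to verify."
            exit 0
          fi

          echo "Changed ZIP files:"
          printf ' - %s\n' "${changed_zips[@]}"

          for zip_path in "${changed_zips[@]}"; do
            # Defensive: should not occur after --diff-filter=d, but skip
            # anything that is not a regular file in the checked-out head.
            if [[ ! -f "$zip_path" ]]; then
              printf 'Skipping (not present in PR head): %s\n' "$zip_path"
              continue
            fi

            manifest_path="$(dirname -- "$zip_path")/manifest.json"
            if [[ ! -f "$manifest_path" ]]; then
              fail "$manifest_path" "manifest.json not found next to ZIP ($zip_path)"
            fi

            # manifest.json is PR-controlled input: reject unparsable JSON
            # with a clear annotation instead of a bare jq error.
            if ! jq -e . "$manifest_path" >/dev/null 2>&1; then
              fail "$manifest_path" "manifest.json is not valid JSON"
            fi

            # Compute the digest of the ZIP and read the expected digest.
            computed="$(sha256sum -- "$zip_path" | awk '{print $1}' | tr '[:upper:]' '[:lower:]')"
            manifest_sha="$(jq -r '.sha256 // empty' "$manifest_path" | tr '[:upper:]' '[:lower:]')"

            if [[ -z "$manifest_sha" || "$manifest_sha" == "null" ]]; then
              fail "$manifest_path" "Missing or empty \"sha256\" field in manifest.json"
            fi
            # A sha256 digest is exactly 64 hex characters; anything else
            # (algorithm prefix, whitespace, wrong algorithm) is a manifest
            # error and is reported as such, not as a checksum mismatch.
            if [[ ! "$manifest_sha" =~ ^[0-9a-f]{64}$ ]]; then
              fail "$manifest_path" "\"sha256\" in manifest.json is not a 64-hex-digit digest: $manifest_sha"
            fi

            printf 'ZIP:      %s\nManifest: %s\nComputed: %s\nExpected: %s\n' \
              "$zip_path" "$manifest_path" "$computed" "$manifest_sha"

            if [[ "$computed" != "$manifest_sha" ]]; then
              fail "$manifest_path" "sha256 mismatch for $zip_path (computed=$computed, manifest=$manifest_sha)"
            fi
            echo "✅ sha256 matches for $zip_path"
          done

          echo "All changed ZIPs verified successfully."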