Skip to content
This repository was archived by the owner on Jul 2, 2026. It is now read-only.

Release Dry-Run

Release Dry-Run #1

name: Release Dry-Run
# Weekly sanity-check that every hook's pinned upstream URL still resolves and
# the recorded sha256 still matches the bytes upstream is serving. Catches URL
# drift, retracted releases, and unannounced re-tags before consumers hit them.
on:
schedule:
- cron: "0 7 * * 1" # Mondays 07:00 UTC
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
contents: read
jobs:
fetch-checksums:
name: fetch-checksums
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Install uv
uses: astral-sh/setup-uv@v6
with:
enable-cache: true
- name: Set up Python 3.14
run: uv python install 3.14
- name: Install task
uses: arduino/setup-task@v2
with:
version: 3.x
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup
run: uv sync --group dev
- name: Re-fetch every hook's checksums
run: task fetch-checksums
- name: Diff against committed checksums.txt
run: |
if ! git diff --exit-code -- 'hooks/*/checksums.txt'; then
echo "::error::checksums.txt drift detected — upstream may have re-tagged or moved an asset."
exit 1
fi