This repository was archived by the owner on Jul 2, 2026. It is now read-only.
Checksums drift #50
```yaml
name: Checksums drift

# Periodically re-fetch hooks/*/checksums.txt against the currently-pinned
# upstream versions. If anything changes, upstream rebuilt the release asset
# under the same tag (oxc-project does this occasionally), and our hooks
# would start failing with "sha256 mismatch" until someone manually re-runs
# scripts/fetch_checksums.py. This workflow catches drift automatically and
# opens a PR.

on:
  schedule:
    # Daily at 06:00 UTC.
    - cron: "0 6 * * *"
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true

jobs:
  refresh:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
          owner: xberg-io

      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}
          persist-credentials: true

      - name: Install uv
        uses: astral-sh/setup-uv@v8.2.0
        with:
          enable-cache: true

      - name: Set up Python 3.14
        run: uv python install 3.14

      - name: Install deps
        run: uv sync --no-install-project --no-install-workspace --group dev

      - name: Refresh all checksums
        run: uv run --frozen --no-sync python scripts/fetch_checksums.py --force

      - name: Detect drift
        id: drift
        run: |
          if git diff --quiet hooks/; then
            echo "drift=false" >> "$GITHUB_OUTPUT"
            echo "No checksum drift detected."
          else
            echo "drift=true" >> "$GITHUB_OUTPUT"
            echo "Drift detected in:"
            git diff --name-only hooks/
          fi

      - name: Open PR with refreshed checksums
        if: steps.drift.outputs.drift == 'true'
        uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ steps.app-token.outputs.token }}
          commit-message: |
            chore: refresh upstream checksums

            Upstream rebuilt one or more release assets under their existing
            tag. Refresh hooks/*/checksums.txt so hook sha256 verification
            keeps matching what the GitHub release CDN currently serves.
          branch: chore/refresh-checksums
          delete-branch: true
          title: "chore: refresh upstream checksums (drift detected)"
          body: |
            Detected drift between `hooks/*/checksums.txt` and the sha256
            of the assets currently served by upstream. This happens when
            an upstream project rebuilds a release asset under its existing
            tag (oxc-project does this from time to time).

            Without this refresh, every consumer would see `sha256 mismatch`
            errors when prek/pre-commit runs the affected hook.

            ---

            Generated by [`.github/workflows/checksums-drift.yml`](.github/workflows/checksums-drift.yml).
          labels: dependencies
```
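The "Detect drift" step only lists which files under `hooks/` changed. The following added example (not part of this repository) classifies the drift per asset, so a reviewer of the generated PR can see exactly which pinned digests were replaced in place under an unchanged name. It assumes `checksums.txt` uses the `sha256sum` line format (`<hex digest>  <asset name>`), which the page does not show; the function names, asset names and digests are constructed.

```python
import re

# Assumed line format (sha256sum style): "<64 hex chars>  <asset name>".
ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_checksums(text):
    """Return {asset_name: sha256_hex}; raise on malformed or conflicting lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a sha256 entry: {raw!r}")
        digest, name = match.group(1).lower(), match.group(2)
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name}")
    return entries


def classify_drift(old_text, new_text):
    """Split drift into rebuilt (same name, new digest), added and removed."""
    old, new = parse_checksums(old_text), parse_checksums(new_text)
    common = sorted(old.keys() & new.keys())
    return {
        "rebuilt": {n: (old[n], new[n]) for n in common if old[n] != new[n]},
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


# Constructed sample data: asset names and digests are made up.
OLD = "\n".join([
    "a" * 64 + "  tool-linux-x64.tar.gz",
    "b" * 64 + "  tool-darwin-arm64.tar.gz",
    "c" * 64 + "  tool-win32-x64.zip",
])
NEW = "\n".join([
    "a" * 64 + "  tool-linux-x64.tar.gz",
    "d" * 64 + "  tool-darwin-arm64.tar.gz",
    "e" * 64 + "  tool-linux-arm64.tar.gz",
])

if __name__ == "__main__":
    report = classify_drift(OLD, NEW)
    for name, (before, after) in report["rebuilt"].items():
        print(f"REBUILT {name}: {before[:12]} -> {after[:12]}")
    print("added:", report["added"], "removed:", report["removed"])
```

In a workflow like this one, the old snapshot would come from `git show HEAD:<path>` and the new one from the working tree after the refresh step; the `rebuilt` entries are the ones that need a human to confirm the upstream rebuild before merging.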