Skip to content
This repository was archived by the owner on Jul 2, 2026. It is now read-only.

Checksums drift

Checksums drift #50

name: Checksums drift
# Periodically re-fetch hooks/*/checksums.txt against the currently-pinned
# upstream versions. If anything changes, upstream rebuilt the release asset
# under the same tag (oxc-project does this occasionally), and our hooks
# would start failing with "sha256 mismatch" until someone manually re-runs
# scripts/fetch_checksums.py. This workflow catches drift automatically and
# opens a PR.
on:
schedule:
# Daily at 06:00 UTC.
- cron: "0 6 * * *"
workflow_dispatch:
permissions:
contents: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: true
jobs:
refresh:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
id: app-token
with:
app-id: ${{ secrets.BOT_APP_ID }}
private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
owner: xberg-io
- uses: actions/checkout@v6
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
persist-credentials: true
- name: Install uv
uses: astral-sh/setup-uv@v8.2.0
with:
enable-cache: true
- name: Set up Python 3.14
run: uv python install 3.14
- name: Install deps
run: uv sync --no-install-project --no-install-workspace --group dev
- name: Refresh all checksums
run: uv run --frozen --no-sync python scripts/fetch_checksums.py --force
- name: Detect drift
id: drift
run: |
if git diff --quiet hooks/; then
echo "drift=false" >> "$GITHUB_OUTPUT"
echo "No checksum drift detected."
else
echo "drift=true" >> "$GITHUB_OUTPUT"
echo "Drift detected in:"
git diff --name-only hooks/
fi
- name: Open PR with refreshed checksums
if: steps.drift.outputs.drift == 'true'
uses: peter-evans/create-pull-request@v8
with:
token: ${{ steps.app-token.outputs.token }}
commit-message: |
chore: refresh upstream checksums
Upstream rebuilt one or more release assets under their existing
tag. Refresh hooks/*/checksums.txt so hook sha256 verification
keeps matching what the GitHub release CDN currently serves.
branch: chore/refresh-checksums
delete-branch: true
title: "chore: refresh upstream checksums (drift detected)"
body: |
Detected drift between `hooks/*/checksums.txt` and the sha256
of the assets currently served by upstream. This happens when
an upstream project rebuilds a release asset under its existing
tag (oxc-project does this from time to time).
Without this refresh, every consumer would see `sha256 mismatch`
errors when prek/pre-commit runs the affected hook.
---
Generated by [`.github/workflows/checksums-drift.yml`](.github/workflows/checksums-drift.yml).
labels: dependencies