Validate release zip artifacts in CI

mamoreau-devolutions · mamoreau-devolutions · commit c21e6f9d6a88 · 2026-03-14T09:37:29.000-04:00
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -271,6 +271,12 @@ jobs:
 
           # Installer is created in output during the previous step
 
+      - name: Validate release zip
+        shell: pwsh
+        run: |
+          $Platform = '${{ matrix.platform }}'
+          .\scripts\verify-release-zip.ps1 -ZipPath "$PWD/output/UniGetUI.$Platform.zip" -FailOnUnexpectedFiles
+
       - name: Code-sign installer
         if: ${{ fromJSON(needs.preflight.outputs.dry-run) == false }}
         shell: pwsh
diff --git a/scripts/build.ps1 b/scripts/build.ps1
@@ -109,6 +109,9 @@ $ZipPath = Join-Path $OutputPath "UniGetUI.$Platform.zip"
 Write-Host "`n=== Creating zip: $ZipPath ===" -ForegroundColor Cyan
 Compress-Archive -Path (Join-Path $BinDir "*") -DestinationPath $ZipPath -CompressionLevel Optimal
 
+Write-Host "`n=== Validating release zip ===" -ForegroundColor Cyan
+& (Join-Path $PSScriptRoot "verify-release-zip.ps1") -ZipPath $ZipPath -FailOnUnexpectedFiles
+
 # --- Installer (Inno Setup) ---
 if (-not $SkipInstaller) {
     $IsccPath = $null
diff --git a/scripts/verify-release-zip.ps1 b/scripts/verify-release-zip.ps1
@@ -0,0 +1,61 @@
+#!/usr/bin/env pwsh
+<#
+.SYNOPSIS
+    Extracts a release zip and validates its packaged IntegrityTree.json.
+
+.PARAMETER ZipPath
+    Path to the release zip to validate.
+
+.PARAMETER FailOnUnexpectedFiles
+    Fail validation if extracted files exist outside IntegrityTree.json.
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory, Position = 0)]
+    [string] $ZipPath,
+
+    [switch] $FailOnUnexpectedFiles
+)
+
+$ErrorActionPreference = 'Stop'
+
+if (-not (Test-Path $ZipPath -PathType Leaf)) {
+    throw "The zip file '$ZipPath' does not exist."
+}
+
+$ZipPath = (Resolve-Path $ZipPath).Path
+$TreeValidatorPath = Join-Path $PSScriptRoot 'verify-integrity-tree.ps1'
+if (-not (Test-Path $TreeValidatorPath -PathType Leaf)) {
+    throw "Integrity validator not found at '$TreeValidatorPath'."
+}
+
+$TempExtractPath = Join-Path ([System.IO.Path]::GetTempPath()) ("unigetui-zip-verify-" + [guid]::NewGuid())
+New-Item $TempExtractPath -ItemType Directory | Out-Null
+
+try {
+    Expand-Archive -Path $ZipPath -DestinationPath $TempExtractPath -Force
+
+    $ValidationPath = $TempExtractPath
+    if (-not (Test-Path (Join-Path $ValidationPath 'IntegrityTree.json') -PathType Leaf)) {
+        $CandidateDirectories = @(Get-ChildItem $TempExtractPath -Directory | Where-Object {
+            Test-Path (Join-Path $_.FullName 'IntegrityTree.json') -PathType Leaf
+        })
+
+        if ($CandidateDirectories.Count -ne 1) {
+            throw "Could not locate IntegrityTree.json after extracting '$ZipPath'."
+        }
+
+        $ValidationPath = $CandidateDirectories[0].FullName
+    }
+
+    $ValidationParameters = @{ Path = $ValidationPath }
+    if ($FailOnUnexpectedFiles) {
+        $ValidationParameters.FailOnUnexpectedFiles = $true
+    }
+
+    & $TreeValidatorPath @ValidationParameters
+}
+finally {
+    Remove-Item $TempExtractPath -Recurse -Force -ErrorAction SilentlyContinue
+}
