
Commit 3cdd8ab

committed
Pin version and check checksum of yq dependency on Windows
1 parent f983b9d commit 3cdd8ab

1 file changed

Lines changed: 9 additions & 3 deletions


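--- a/.github/workflows/build-wheel.yml
+++ b/.github/workflows/build-wheel.yml
@@ -82,13 +82,19 @@ jobs:
 # see https://github.com/actions/runner-images/issues/7443.
 if: ${{ startsWith(inputs.host-platform, 'win') }}
 env:
-# doesn't seem there's an easy way to avoid hard-coding it?
-YQ_URL: https://github.com/mikefarah/yq/releases/latest/download/yq_windows_amd64.exe
+YQ_VERSION: v4.52.5
+YQ_SHA256: 47594981f3848a4b4447494adeca9555f908f7cf0a89c4da3fd0243a4631da1c
 YQ_DIR: yq_latest
 shell: pwsh -command ". '{0}'"
 run: |
+$yqUrl = "https://github.com/mikefarah/yq/releases/download/${env:YQ_VERSION}/yq_windows_amd64.exe"
 mkdir -Force -ErrorAction SilentlyContinue "${env:YQ_DIR}" | Out-Null
-Invoke-WebRequest -UseBasicParsing -OutFile "${env:YQ_DIR}/yq.exe" -Uri "$env:YQ_URL"
+Invoke-WebRequest -UseBasicParsing -OutFile "${env:YQ_DIR}/yq.exe" -Uri "$yqUrl"
+$hash = (Get-FileHash -Algorithm SHA256 "${env:YQ_DIR}/yq.exe").Hash.ToLower()
+if ($hash -ne $env:YQ_SHA256) {
+Write-Error "SHA256 mismatch for yq: expected $env:YQ_SHA256, got $hash"
+exit 1
+}
 ls -l $env:YQ_DIR
 echo "$((Get-Location).Path)\\$env:YQ_DIR" >> $env:GITHUB_PATH
 $env:Path += ";$((Get-Location).Path)\\$env:YQ_DIR"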
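Review bot: The new `YQ_VERSION` / `YQ_SHA256` pair in the `env:` block has no comment saying which asset the digest covers or where it was obtained, so a later version bump can leave a stale digest and a reviewer has nothing to check the new value against. I would add above the two lines something like `# Pinned yq release; YQ_SHA256 is the SHA-256 of yq_windows_amd64.exe for this tag - update both together from the upstream release's published checksums.` The unchanged `YQ_DIR: yq_latest` name no longer describes a pinned download and could be renamed in a follow-up. The hash comparison is placed before the directory is written to `GITHUB_PATH`, which is the right order; the step itself begins above the hunk, so the rest of its definition is not visible here.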
