
Commit d22ac57

committed
Fix Windows integrity check
1 parent 2502a6c commit d22ac57

1 file changed

Lines changed: 36 additions & 12 deletions

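--- a/scripts/dependency-integrity-check.sh
+++ b/scripts/dependency-integrity-check.sh
@@ -166,16 +166,16 @@ while IFS= read -r file; do
 done < <(collect_files -g 'Cargo.toml')
 
 if ((${#cargo_manifests[@]} > 0)); then
-if rg -n --pcre2 '^\s*(tag|branch)\s*=' "${cargo_manifests[@]}"; then
+if rg -n '^[[:space:]]*(tag|branch)[[:space:]]*=' "${cargo_manifests[@]}"; then
 fail "Cargo git dependencies must use full immutable rev pins, not tag/branch"
 fi
-if rg -n --pcre2 '^\s*rev\s*=\s*"[0-9a-f]{1,39}"' "${cargo_manifests[@]}"; then
+if rg -n '^[[:space:]]*rev[[:space:]]*=[[:space:]]*"[0-9a-f]{1,39}"' "${cargo_manifests[@]}"; then
 fail "Cargo git dependency rev pins must use full 40-character commit SHAs"
 fi
 fi
 
-if rg -n --pcre2 'git\+.*[?&](tag|branch)=' Cargo.lock >/dev/null 2>&1; then
-rg -n --pcre2 'git\+.*[?&](tag|branch)=' Cargo.lock || true
+if rg -n 'git\+.*[?&](tag|branch)=' Cargo.lock >/dev/null 2>&1; then
+rg -n 'git\+.*[?&](tag|branch)=' Cargo.lock || true
 fail "Cargo.lock contains git sources resolved from mutable tag/branch refs"
 elif rg -n 'git\+' Cargo.lock >/dev/null 2>&1; then
 echo "Cargo git sources are pinned by commit."
@@ -215,7 +215,7 @@ else
 printf '%s\n' "$root" >>"$actual_unsafe_roots_file"
 fi
 done < <(
-rg -l --pcre2 '\bunsafe\b' \
+rg -l '\bunsafe\b' \
 crates python go julia exp \
 --glob '*.rs' \
 --glob '*.c' \
@@ -271,7 +271,7 @@ fi
 
 section "Remote shell bootstrap posture"
 remote_shell_bootstraps="$(
-rg -n --pcre2 '(curl|wget)[^\n|]*\|[^\n]*(sh|bash)' \
+rg -n '(curl|wget)[^\n|]*\|[^\n]*(sh|bash)' \
 .github/workflows \
 julia/PECOS.jl/deps/build_tarballs.jl \
 || true
@@ -374,25 +374,49 @@ else
 fi
 
 section "GitHub Actions lock enforcement"
-if rg -n --pcre2 '^\s*(run:\s*)?cargo (build|check|clippy|run|install)(?! --locked)' .github/workflows; then
+cargo_workflow_commands="$(
+rg -n '^[[:space:]]*(run:[[:space:]]*)?cargo (build|check|clippy|run|install)([[:space:]]|$)' .github/workflows |
+rg -v '^[^:]+:[0-9]+:[[:space:]]*(run:[[:space:]]*)?cargo (build|check|clippy|run|install)[[:space:]]+--locked([[:space:]]|$)' ||
+true
+)"
+if [[ -n "$cargo_workflow_commands" ]]; then
+printf '%s\n' "$cargo_workflow_commands"
 fail "workflow Cargo build/check/run/install commands must use --locked"
 else
 echo "Workflow Cargo build/check/run/install commands use --locked."
 fi
 
-if rg -n --pcre2 '^\s*(run:\s*)?uv sync(?!.*--locked)' .github/workflows; then
+uv_sync_without_lock="$(
+rg -n '^[[:space:]]*(run:[[:space:]]*)?uv sync([[:space:]]|$)' .github/workflows |
+rg -v -- '--locked' ||
+true
+)"
+if [[ -n "$uv_sync_without_lock" ]]; then
+printf '%s\n' "$uv_sync_without_lock"
 fail "workflow uv sync commands must use --locked"
 else
 echo "Workflow uv sync commands use --locked."
 fi
 
-if rg -n --pcre2 '^\s*(run:\s*)?uv lock(?!.*--check)' .github/workflows; then
+uv_lock_without_check="$(
+rg -n '^[[:space:]]*(run:[[:space:]]*)?uv lock([[:space:]]|$)' .github/workflows |
+rg -v -- '--check' ||
+true
+)"
+if [[ -n "$uv_lock_without_check" ]]; then
+printf '%s\n' "$uv_lock_without_check"
 fail "workflows must not regenerate uv.lock; use uv lock --check"
 else
 echo "Workflows validate uv.lock instead of regenerating it."
 fi
 
-if rg -n --pcre2 '^\s*(run:\s*)?uv run(?! --frozen)' .github/workflows; then
+uv_run_without_frozen="$(
+rg -n '^[[:space:]]*(run:[[:space:]]*)?uv run([[:space:]]|$)' .github/workflows |
+rg -v '^[^:]+:[0-9]+:[[:space:]]*(run:[[:space:]]*)?uv run[[:space:]]+--frozen([[:space:]]|$)' ||
+true
+)"
+if [[ -n "$uv_run_without_frozen" ]]; then
+printf '%s\n' "$uv_run_without_frozen"
 fail "workflow uv run commands must use --frozen"
 else
 echo "Workflow uv run commands use --frozen."
@@ -416,7 +440,7 @@ if ((${#missing_top_level_permissions[@]} > 0)); then
 fail "workflow files must declare top-level read-only permissions"
 fi
 
-writable_permissions="$(rg -n '^\s*(contents|packages|id-token|pull-requests|actions|security-events): write\s*$' .github/workflows || true)"
+writable_permissions="$(rg -n '^[[:space:]]*(contents|packages|id-token|pull-requests|actions|security-events): write[[:space:]]*$' .github/workflows | sed 's#\\#/#g' || true)"
 unexpected_writable_permissions="$(
 printf '%s\n' "$writable_permissions" | awk -F: '
 $1 == ".github/workflows/julia-update-hash.yml" &&
@@ -433,7 +457,7 @@ if [[ -n "$unexpected_writable_permissions" ]]; then
 printf '%s\n' "$unexpected_writable_permissions"
 fail "unexpected writable workflow permission found"
 elif [[ -n "$writable_permissions" ]]; then
-echo "Only expected write permissions found in the tag-only Julia hash updater."
+echo "Only expected write permissions found."
 else
 echo "No writable workflow permissions found."
 fi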
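Review bot: The reason for dropping `--pcre2` and rewriting the `(?! --locked)` lookahead as a positive match piped through `rg -v` (new lines 377-383 and the three parallel blocks that follow) is recorded nowhere in the script, so the next contributor is likely to reintroduce the PCRE2 form; from the commit title this is presumably because ripgrep builds on Windows commonly lack PCRE2 and the default engine has no lookaround. A comment above `section "GitHub Actions lock enforcement"` such as `# No --pcre2/lookaround: ripgrep without PCRE2 (e.g. Windows builds) cannot run it, so "command lacks flag" is a positive match filtered through rg -v` would capture that. The four new filters are also inconsistent with each other: the cargo and `uv run` stages accept `--locked`/`--frozen` only when it immediately follows the subcommand, so a line like `cargo build --release --locked` is reported as a violation (matching the old lookahead's behaviour), while the `uv sync`/`uv lock` stages accept the flag anywhere on the line via `rg -v -- '--locked'`; if the positional requirement is deliberate, say so in a comment, otherwise aligning on the `rg -v -- '--locked'` form avoids false failures. The `sed 's#\\#/#g'` added on new line 443 would likewise benefit from a comment noting it normalizes Windows path separators before the awk allow-list comparison against `.github/workflows/julia-update-hash.yml`, since nothing else on the line explains it.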
