ci: verify self-update scripts stay in sync with their .sha256 sidecars (DEVA11Y-475)

Crash0v3rrid3 · claude · Crash0v3rrid3 · commit 870b4f71bfee · 2026-06-22T14:34:05.000+05:30
Addresses PR #30 review (Sunny, condition 2): adds a GitHub Actions workflow that runs on any PR/main push touching scripts/, failing when a launcher script is missing its .sha256 sidecar or when a sidecar is out of date. Self-update verifies each fetched script against its committed sidecar, so a script edit without a sidecar regen would otherwise silently break self-update (checksum mismatch -> update refused) for all users. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
diff --git a/.github/workflows/verify-selfupdate-checksums.yml b/.github/workflows/verify-selfupdate-checksums.yml
@@ -0,0 +1,66 @@
+name: Verify self-update checksums
+
+# Self-update fetches each launcher script from `main` and verifies it against a
+# committed `<script>.sha256` sidecar. If a script is edited without regenerating
+# its sidecar, self-update silently breaks for every user (checksum mismatch →
+# update refused). This workflow fails the PR/push when a sidecar is missing or
+# out of sync, keeping the two in lockstep. (DEVA11Y-475 review follow-up.)
+
+on:
+  pull_request:
+    paths:
+      - 'scripts/**'
+      - '.github/workflows/verify-selfupdate-checksums.yml'
+  push:
+    branches: [main]
+    paths:
+      - 'scripts/**'
+      - '.github/workflows/verify-selfupdate-checksums.yml'
+
+jobs:
+  verify-sidecars:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Verify scripts and .sha256 sidecars are in sync
+        run: |
+          set -uo pipefail
+          shopt -s globstar nullglob
+          status=0
+
+          # 1. Every self-updating script must have a sidecar.
+          for script in scripts/**/*.sh; do
+            if [ ! -f "${script}.sha256" ]; then
+              echo "::error file=${script}::Missing checksum sidecar ${script}.sha256. Generate it from the script's directory: shasum -a 256 <name>.sh | awk '{print \$1\"  <name>.sh\"}' > <name>.sh.sha256"
+              status=1
+            fi
+          done
+
+          # 2. Every sidecar must match its script.
+          sidecars=(scripts/**/*.sha256)
+          if [ ${#sidecars[@]} -eq 0 ]; then
+            echo "::error::No .sha256 sidecars found under scripts/."
+            exit 1
+          fi
+          for sidecar in "${sidecars[@]}"; do
+            dir=$(dirname "$sidecar")
+            script="${sidecar%.sha256}"
+            if [ ! -f "$script" ]; then
+              echo "::error file=${sidecar}::Sidecar references missing script ${script}."
+              status=1
+              continue
+            fi
+            # Sidecars store "<sha256>  <basename>", so verify from the script's dir.
+            if ( cd "$dir" && sha256sum -c "$(basename "$sidecar")" ); then
+              echo "OK: $sidecar"
+            else
+              echo "::error file=${script}::Checksum mismatch — regenerate ${sidecar} after editing ${script} (run from ${dir}): shasum -a 256 <name>.sh | awk '{print \$1\"  <name>.sh\"}' > <name>.sh.sha256"
+              status=1
+            fi
+          done
+
+          if [ "$status" -ne 0 ]; then
+            echo "::error::Self-update checksum verification failed. Regenerate the affected .sha256 sidecar(s) and commit them."
+          fi
+          exit "$status"
