test(release): validate native workflow evidence refs

Author: iexitdev

scripts/record-native-workflow-evidence.mjs

@@ -19,6 +19,12 @@ const writeJson = async (repoRoot, relativePath, value) =>
 const getToday = () => new Date().toISOString().slice(0, 10);
 
 const isExternalEvidenceLink = (value) => /^https?:\/\//.test(value);
+const githubActionsRunPattern =
+  /^https:\/\/github\.com\/[^/]+\/[^/]+\/actions\/runs\/(\d+)(?:\/.*)?$/;
+const gitCommitPattern = /^[0-9a-f]{6,40}$/i;
+
+const getGithubActionsRunId = (value) =>
+  value.match(githubActionsRunPattern)?.[1];
 
 const pathExists = async (repoRoot, relativePath) => {
   try {
@@ -82,12 +88,24 @@ const assertRequired = (options) => {
   }
 };
 
+const assertWorkflowReference = ({ commit, runUrl }) => {
+  if (!gitCommitPattern.test(commit)) {
+    throw new Error("--commit must be a short or full git commit SHA");
+  }
+
+  if (!getGithubActionsRunId(runUrl)) {
+    throw new Error("--run-url must be a GitHub Actions run URL");
+  }
+};
+
 const assertArtifactEvidenceExists = async ({
   androidArtifact,
   iosArtifact,
-  repoRoot
+  repoRoot,
+  runUrl
 }) => {
   const missing = [];
+  const runId = getGithubActionsRunId(runUrl);
 
   for (const artifact of [iosArtifact, androidArtifact]) {
     if (
@@ -105,6 +123,26 @@ const assertArtifactEvidenceExists = async ({
       )}`
     );
   }
+
+  const mismatchedArtifacts = [iosArtifact, androidArtifact].filter(
+    (artifact) => {
+      if (!isExternalEvidenceLink(artifact)) {
+        return false;
+      }
+
+      const artifactRunId = getGithubActionsRunId(artifact);
+
+      return artifactRunId && artifactRunId !== runId;
+    }
+  );
+
+  if (mismatchedArtifacts.length > 0) {
+    throw new Error(
+      `GitHub artifact URLs must belong to ${runUrl}: ${mismatchedArtifacts.join(
+        ", "
+      )}`
+    );
+  }
 };
 
 export const listNativeWorkflowEvidence = async ({
@@ -136,10 +174,12 @@ export const recordNativeWorkflowEvidence = async ({
     runUrl
   };
   assertRequired(options);
+  assertWorkflowReference({ commit, runUrl });
   await assertArtifactEvidenceExists({
     androidArtifact,
     iosArtifact,
-    repoRoot
+    repoRoot,
+    runUrl
   });
 
   const manifest = await readJson(repoRoot, manifestPath);

scripts/record-native-workflow-evidence.test.mjs

@@ -58,6 +58,46 @@ describe("native workflow evidence recorder", () => {
     ).rejects.toThrow("--android-artifact, --ios-artifact required");
   });
 
+  it("requires a git commit SHA and GitHub Actions run URL", async () => {
+    await expect(
+      recordNativeWorkflowEvidence({
+        androidArtifact:
+          "https://github.com/example/repo/actions/runs/1/artifacts/android",
+        commit: "not a sha",
+        iosArtifact:
+          "https://github.com/example/repo/actions/runs/1/artifacts/ios",
+        repoRoot,
+        runUrl: "https://github.com/example/repo/actions/runs/1"
+      })
+    ).rejects.toThrow("--commit must be a short or full git commit SHA");
+
+    await expect(
+      recordNativeWorkflowEvidence({
+        androidArtifact:
+          "https://github.com/example/repo/actions/runs/1/artifacts/android",
+        commit: "abc123",
+        iosArtifact:
+          "https://github.com/example/repo/actions/runs/1/artifacts/ios",
+        repoRoot,
+        runUrl: "https://example.test/native-run"
+      })
+    ).rejects.toThrow("--run-url must be a GitHub Actions run URL");
+  });
+
+  it("requires GitHub artifact URLs to belong to the recorded run", async () => {
+    await expect(
+      recordNativeWorkflowEvidence({
+        androidArtifact:
+          "https://github.com/example/repo/actions/runs/2/artifacts/android",
+        commit: "abc123",
+        iosArtifact:
+          "https://github.com/example/repo/actions/runs/1/artifacts/ios",
+        repoRoot,
+        runUrl: "https://github.com/example/repo/actions/runs/1"
+      })
+    ).rejects.toThrow("GitHub artifact URLs must belong");
+  });
+
   it("records a green workflow run without mutating during dry-run", async () => {
     const tempRepo = await createTempRepo();
     const result = await recordNativeWorkflowEvidence({