|
| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +# MIT License |
| 4 | +# |
| 5 | +# Copyright (c) 2026 Olivier Mengué and contributors. |
| 6 | +# |
| 7 | +# Permission is hereby granted, free of charge, to any person obtaining a copy |
| 8 | +# of this software and associated documentation files (the "Software"), to deal |
| 9 | +# in the Software without restriction, including without limitation the rights |
| 10 | +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
| 11 | +# copies of the Software, and to permit persons to whom the Software is |
| 12 | +# furnished to do so, subject to the following conditions: |
| 13 | +# |
| 14 | +# The above copyright notice and this permission notice shall be included in all |
| 15 | +# copies or substantial portions of the Software. |
| 16 | +# |
| 17 | +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 18 | +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 19 | +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 20 | +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 21 | +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
| 22 | +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 23 | +# SOFTWARE. |
| 24 | + |
| 25 | +# |
| 26 | +# Verify that hashes of GitHub actions match the declared tag in attached comment. |
| 27 | +# |
| 28 | + |
| 29 | +set -euo pipefail |
| 30 | + |
| 31 | +declare -A seen |
| 32 | +status=0 |
| 33 | + |
| 34 | +for w in .github/workflows/*.yml |
| 35 | +do |
| 36 | + sed -n -e '/uses: / s!^ *-\{0,1\} uses: \([^@]*\)@\([0-9a-f][0-9a-f]*\) *# *\(v.*\)$!\1 \2 \3!p' "$w" | while read -r action hash tag |
| 37 | + do |
| 38 | + if (( ${seen["$action-$hash-$tag"]:-0} )); then |
| 39 | + printf "\e[1;32m%s: %s@%s == %s\e[m\n" "$w" "$action" "$tag" "$hash" |
| 40 | + continue |
| 41 | + fi |
| 42 | + seen["$action-$hash-$tag"]=1 |
| 43 | + |
| 44 | + if eval "$( curl -s -H "Accept: application/vnd.github+json" \ |
| 45 | + "https://api.github.com/repos/$action/commits/$tag" | jq -r '.sha == "'"$hash"'"' )" |
| 46 | + then |
| 47 | + printf "\e[1;32m%s: %s@%s == %s\e[m\n" "$w" "$action" "$tag" "$hash" |
| 48 | + else |
| 49 | + printf "\e[1;31m%s: %s@%s != %s\e[m\n" "$w" "$action" "$tag" "$hash" |
| 50 | + status=1 |
| 51 | + fi |
| 52 | + done |
| 53 | +done |
| 54 | + |
| 55 | +exit $status |
0 commit comments