ci: check that action.yml version and bundled-binary.sha256 are coherent#98
Open
kitsuyui wants to merge 1 commit into
Conversation
Add scripts/check-version-sha256-coherence.sh and a version-coherence CI job that verifies the version= line in action.yml matches all four platform entries in bundled-binary.sha256. Without this check, a Renovate PR that updates only the version= line causes every consumer workflow to fail at the shasum verification step because the grep for the new version finds no matching checksum line. The new CI job fails fast on such PRs, making the incoherence visible before merge.
Summary

- Add `scripts/check-version-sha256-coherence.sh` to verify the `version=` line in `action.yml` matches all four platform entries in `bundled-binary.sha256`
- Add a `version-coherence` CI job that runs this check on every pull request

Problem

The Renovate custom manager in `.github/renovate.json5` tracks `gitignore-in/gitignore-in` releases and updates the `version=vX.Y.Z` line in `action.yml` via regex. It does not update `bundled-binary.sha256`.

When such a Renovate PR merges, `action.yml` references the new version but `bundled-binary.sha256` still contains checksums for the previous version. At workflow runtime, the download step runs:

Because the new-version filename is not in `bundled-binary.sha256`, the grep produces an empty file and `shasum` fails with a verification error. Every consumer workflow breaks.

CI previously had no check for this coherence invariant, so Renovate PRs passed green.

Changes

- `scripts/check-version-sha256-coherence.sh` — reads `version=` from `action.yml`, counts how many lines in `bundled-binary.sha256` contain that version string, and exits non-zero if the counts do not match.
- `.github/workflows/main.yml` — new `version-coherence` job runs the script on every PR. A Renovate PR that touches only `action.yml` will now fail this job, making the missing checksum update visible before merge.

Verification

Runs cleanly on the current coherent state (v0.2.1):

Would fail if only `action.yml` were bumped to a hypothetical v0.3.0:

Trade-offs

The check reads local files only (no network) and runs in under a second. It does not prevent Renovate from opening the partial-update PR; it prevents the PR from merging unnoticed. The proper fix for a partial-update PR is to run `scripts/update-version.sh <new-version>`.
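The coherence check the PR describes, written out as an added example (this is not the PR's own `scripts/check-version-sha256-coherence.sh` and is not code from the gitignore-in project). It assumes `action.yml` carries a `version=vX.Y.Z` line and that `bundled-binary.sha256` has one `<digest>  <filename>` line per platform whose filename embeds the version string; the file contents, the `gitignore-in-<version>-<platform>` filename layout and the digests are all constructed for the example. Two scenarios are built: the coherent v0.2.1 state, and the partial-update state where only `action.yml` was bumped to v0.3.0.

```shell
#!/usr/bin/env sh
# Added example: a minimal version/sha256 coherence check over constructed
# sample files. Not the PR's script; filenames and digests are made up.
set -u

# check_coherence ACTION_YML SHA256_FILE EXPECTED_COUNT
# Returns 0 when exactly EXPECTED_COUNT checksum lines mention the version
# read from ACTION_YML; returns 1 otherwise (including "no version= line").
check_coherence() {
  action_yml=$1
  sha_file=$2
  expected=$3

  # First line of the form "version=<value>" (leading whitespace allowed,
  # as inside a run: block); strip spaces, tabs and double quotes.
  version=$(sed -n 's/^[[:space:]]*version=//p' "$action_yml" | head -n 1 | tr -d ' \t"')
  if [ -z "$version" ]; then
    echo "error: no version= line found in $action_yml" >&2
    return 1
  fi

  # grep -c prints 0 and exits 1 on no match, so the exit status is ignored.
  count=$(grep -c -F -- "$version" "$sha_file") || true
  if [ "$count" -ne "$expected" ]; then
    echo "error: $version appears in $count checksum lines of $sha_file, expected $expected" >&2
    return 1
  fi
  echo "ok: $version matches $count checksum entries in $sha_file"
  return 0
}

# Constructed sample inputs (assumed layout, not the project's real files).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

printf 'name: example\nruns:\n  steps:\n    - run: |\n        version=v0.2.1\n' > "$workdir/action-ok.yml"
printf 'name: example\nruns:\n  steps:\n    - run: |\n        version=v0.3.0\n' > "$workdir/action-bumped.yml"

# Four platform entries for v0.2.1; the 64-hex digests are placeholders.
i=1
for plat in linux-amd64 linux-arm64 darwin-amd64 darwin-arm64; do
  printf '%064x  gitignore-in-v0.2.1-%s\n' "$i" "$plat" >> "$workdir/bundled-binary.sha256"
  i=$((i + 1))
done

# Named scenarios so each can be run (and checked) on its own.
check_ok()     { check_coherence "$workdir/action-ok.yml"     "$workdir/bundled-binary.sha256" 4; }
check_bumped() { check_coherence "$workdir/action-bumped.yml" "$workdir/bundled-binary.sha256" 4; }

check_ok
if check_bumped; then
  echo "unexpected: partial update was not detected"
else
  echo "partial update detected, as a CI job would report before merge"
fi
```

One caveat a defender would want to keep in mind: `grep -F` matches substrings, so a version such as `v0.2.1` would also count lines for a hypothetical `v0.2.10`. If the checksum filenames follow a fixed layout, anchoring the pattern to that layout (for example matching the version followed by the platform separator) makes the count strict rather than merely coherent-looking.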