Commit d490877

Housekeeping: checksums, workflow permissions, README.md

- Add a test to prevent us from writing workflows with no explicit permissions.
- Add explicit permissions to all workflows.
- Move `checksums/` to `checksum/sources/` in preparation for true artifact checksums and reproducibility.
- README.md updates.
1 parent 91f0101 commit d490877

566 files changed

+53
-25
lines changed

.github/workflows/docker-all.yml

Lines changed: 3 additions & 0 deletions
@@ -3,6 +3,9 @@
33

44
name: Push alganet/shell-versions:all
55

6+
permissions:
7+
contents: read
8+
69
on:
710
push:
811
branches:
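
Review bot: Once a top-level `permissions:` block is present, every scope it does not list is set to `none` for `GITHUB_TOKEN`, so `contents: read` at new lines 6-7 also removes `packages: write` and the rest. This workflow is named "Push alganet/shell-versions:all"; if the push step authenticates to the registry with `GITHUB_TOKEN` rather than a registry secret, it will start failing. Please confirm which credential the push uses, and if it is the token, grant the extra scope on that job only instead of widening the top-level block. The same applies to the identical change in docker-latest.yml.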

.github/workflows/docker-latest.yml

Lines changed: 3 additions & 0 deletions
@@ -3,6 +3,9 @@
33

44
name: Push alganet/shell-versions:latest
55

6+
permissions:
7+
contents: read
8+
69
on:
710
push:
811
branches:

.github/workflows/docker-test.yml

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
# SPDX-License-Identifier: ISC
33

44
name: Push alganet/shell-versions:test
5+
56
permissions:
67
contents: read
78

.github/workflows/test-verification.yml

Lines changed: 25 additions & 3 deletions
@@ -1,5 +1,8 @@
11
name: Checksum Verification
22

3+
permissions:
4+
contents: read
5+
36
on:
47
pull_request:
58
branches: [ main ]
@@ -8,6 +11,25 @@ on:
811
workflow_dispatch:
912

1013
jobs:
14+
verify-workflows:
15+
runs-on: ubuntu-24.04
16+
steps:
17+
- uses: actions/checkout@v3
18+
- name: Check workflow permissions
19+
run: |
20+
set -e
21+
missing=0
22+
for f in .github/workflows/*.yml; do
23+
if ! grep -q '^[[:space:]]*permissions:' "$f"; then
24+
echo "Workflow $f missing 'permissions' key"
25+
missing=1
26+
fi
27+
done
28+
if [ "$missing" -eq 1 ]; then
29+
echo "One or more workflows are missing the 'permissions' stanza."
30+
exit 1
31+
fi
32+
1133
verify-checksums:
1234
runs-on: ubuntu-24.04
1335
timeout-minutes: 15
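
Review bot: The check at new line 23 passes on any indented `permissions:` line, because `^[[:space:]]*permissions:` does not distinguish the top-level key from a job-level one or from the same text inside a `run: |` script. A workflow that sets permissions on one job and leaves the others on the repository default would pass. Anchoring the pattern at column 0 (`^permissions:`) enforces the top-level stanza this commit adds everywhere. Two smaller points: the glob `.github/workflows/*.yml` skips `*.yaml` files, which GitHub also loads as workflows, and `actions/checkout@v3` at new line 17 is a mutable tag; pinning it to a full commit SHA fits the intent of this change.
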
@@ -25,9 +47,9 @@ jobs:
2547
run: |
2648
set -ex
2749
# backup checksum file
28-
cp checksums/dash/0.5.13.tar.gz.sha256sums checksums/dash/0.5.13.tar.gz.sha256sums.bak
50+
cp checksums/sources/dash/0.5.13.tar.gz.sha256sums checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak
2951
# corrupt checksum: replace hash with ones; keep filename
30-
printf '1111111111111111111111111111111111111111111111111111111111111111 %s\n' "0.5.13.tar.gz" > checksums/dash/0.5.13.tar.gz.sha256sums
52+
printf '1111111111111111111111111111111111111111111111111111111111111111 %s\n' "0.5.13.tar.gz" > checksums/sources/dash/0.5.13.tar.gz.sha256sums
3153
# remove any existing artifact to force re-download
3254
rm -f build/dash/0.5.13.tar.gz
3355
set +e
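
Review bot: The commit message says the directory moves to `checksum/sources/` (singular), but new lines 50 and 52 use `checksums/sources/`; one of the two should be corrected so the history matches the tree. The path `checksums/sources/dash/0.5.13.tar.gz.sha256sums` is now written out three times in this step and twice more in the restore step; assigning it to a shell variable at the top of each `run:` block would make the next move a one-line edit and remove the chance of backing up one file while corrupting another.
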
@@ -55,6 +77,6 @@ jobs:
5577
- name: 'Restore checksum and verify success'
5678
run: |
5779
set -ex
58-
mv checksums/dash/0.5.13.tar.gz.sha256sums.bak checksums/dash/0.5.13.tar.gz.sha256sums
80+
mv checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak checksums/sources/dash/0.5.13.tar.gz.sha256sums
5981
rm -f build/dash/0.5.13.tar.gz
6082
sh shvr.sh download dash_0.5.13

README.md

Lines changed: 0 additions & 17 deletions

checksums/README.md

Lines changed: 16 additions & 0 deletions
File renamed without changes.
