Signaling-only CI job to detect mismatching build artifact hashes early #1207
Conversation
i really like the overview, concept ACK!
Neat, Concept ACK
Provides a text summary over who provided SHASUMs for each release and artifact. Can be used to detect hash mismatches.

usage: main.py [-h] diffrange

Output a SHASUM summary to stdout

positional arguments:
  diffrange   Only look at added or changed files in the diff-range

options:
  -h, --help  show this help message and exit
return; | ||
} | ||
if (comment.length > 0) { | ||
github.rest.issues.createComment({ |
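Review bot: `github.rest.issues.createComment({` writes to the pull request, which requires the job's `GITHUB_TOKEN` to carry `pull-requests: write`. That works with the default permissive token, but it fails when the repository or a top-level `permissions:` block restricts the token to read-only, so declare `permissions: pull-requests: write` on this job explicitly and leave every other scope at read-only. Note also that on `pull_request` runs triggered from forks the token is read-only regardless, so the comment step cannot post there; the hunk should tolerate that failure rather than leave the job in a state that looks like a passed check.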
Does this require github permissions, or is it enabled by default?
I didn't have to configure the token when testing on my fork. actions/github-script uses the GITHUB_TOKEN by default, which is available in GitHub Actions: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
ACK dcb80c3
To detect build non-determinism and mismatching artifact hashes early (#1203), this introduces a CI job that comments a visual summary of the SHASUMs for each added/changed release. Before merging, it can be quickly visually verified that there are no mismatches. The CI job does not fail on mismatches - it only signals that there's a problem. It also does not check signature validity.
For example, when a noncodesigned.SHA256SUMS file for 24.2 is added, the CI job would comment on the PR:

noncodesigned.SHA256SUMS summary for release 24.2

Details

Symbols:
- all hashes match: `█`
- missing hash: `X`
- hash mismatch: one of `░`, `▞`, `▄`, `▀`, `▌`, `▐`, `▚`

Username mapping:

Here, all rows having only `█`'s means that there are no hash mismatches. Other examples can be found here: 0xB10C#2

closes #1203
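The summary described in this PR is easy to reproduce in a few dozen lines, so here is an added Python example of the technique (it is not the PR's `main.py` and does not read a git diff range). It parses `sha256sum`-format SHA256SUMS files contributed by several signers for one release, picks the most common hash per artifact as the reference, and renders one row per artifact using the same glyphs as the CI comment: `█` for a matching hash, `X` for a missing one, and a distinct pattern glyph for each differing hash. As in the PR, it only signals; it neither fails the build nor verifies any signature over the SHASUMS files. The usernames, file names and hashes are constructed.

```python
"""Summarize who provided which SHA256SUMS for one release's artifacts.

Added illustrative example, not the CI job's own code. All data is constructed.
"""
from __future__ import annotations

import re
from collections import Counter

MATCH, MISSING = "█", "X"
# One glyph per distinct diverging hash; the legend in the CI comment uses these.
MISMATCH_GLYPHS = ["░", "▞", "▄", "▀", "▌", "▐", "▚"]

# sha256sum output: 64 hex chars, whitespace, optional '*' binary marker, name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse SHA256SUMS text into {artifact: lowercase hex digest}.

    Rejects malformed lines and conflicting duplicates instead of silently
    keeping one of them, since either would hide a real mismatch.
    """
    sums: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in sums and sums[name] != digest:
            raise ValueError(f"conflicting entries for {name} in one file")
        sums[name] = digest
    return sums


def summarize(contributions: dict[str, dict[str, str]]) -> dict[str, str]:
    """Return {artifact: row}; each row has one glyph per contributor.

    Contributors are ordered by sorted username. The reference hash for an
    artifact is the most common one among contributors who listed it.
    """
    users = sorted(contributions)
    artifacts = sorted({a for sums in contributions.values() for a in sums})
    rows: dict[str, str] = {}
    for art in artifacts:
        present = {u: contributions[u][art] for u in users if art in contributions[u]}
        reference = Counter(present.values()).most_common(1)[0][0]
        glyph_for: dict[str, str] = {}   # diverging hash -> pattern glyph
        row = []
        for u in users:
            if u not in present:
                row.append(MISSING)
            elif present[u] == reference:
                row.append(MATCH)
            else:
                h = present[u]
                if h not in glyph_for:
                    glyph_for[h] = MISMATCH_GLYPHS[len(glyph_for) % len(MISMATCH_GLYPHS)]
                row.append(glyph_for[h])
        rows[art] = "".join(row)
    return rows


def needs_attention(rows: dict[str, str]) -> bool:
    """True unless every row consists solely of MATCH glyphs."""
    return any(set(row) - {MATCH} for row in rows.values())


def render(rows: dict[str, str], contributions: dict[str, dict[str, str]]) -> str:
    """Plain-text rendering in the spirit of the CI comment (legend + mapping)."""
    users = sorted(contributions)
    width = max(len(a) for a in rows) if rows else 0
    out = [f"{art.ljust(width)}  {row}" for art, row in rows.items()]
    out.append("")
    out.append(f"Symbols: match {MATCH}, missing {MISSING}, mismatch one of "
               + " ".join(MISMATCH_GLYPHS))
    out.append("Username mapping: " + ", ".join(f"{i}={u}" for i, u in enumerate(users)))
    return "\n".join(out)


# Constructed sample: three contributors for the same release. "carol" omitted
# one artifact and "bob" hashed the win64 artifact differently.
_A, _C, _D = "a" * 64, "c" * 64, "d" * 64
EXAMPLE_CONTRIBUTIONS = {
    "alice": parse_sha256sums(f"{_A}  app-24.2-linux.tar.gz\n{_C} *app-24.2-win64.zip\n"),
    "bob":   parse_sha256sums(f"{_A}  app-24.2-linux.tar.gz\n{_D}  app-24.2-win64.zip\n"),
    "carol": parse_sha256sums(f"# only the linux build\n{_A}  app-24.2-linux.tar.gz\n"),
}

if __name__ == "__main__":
    summary = summarize(EXAMPLE_CONTRIBUTIONS)
    print(render(summary, EXAMPLE_CONTRIBUTIONS))
    print("attention needed:", needs_attention(summary))
```

With the constructed input the linux row renders as `███` and the win64 row as `█░X`: alice's hash is the reference, bob's diverging hash gets the first pattern glyph, and carol's missing entry is an `X`. Choosing the majority hash as the reference means a single bad build is flagged against the others, but with only two contributors who disagree the choice is arbitrary, which is exactly why the job signals rather than decides.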