add sha validation

OpenNefia · Jan 11, 2022 · bc92afa · bc92afa
1 parent 17d6d2b
commit bc92afa
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 9 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,3 +23,4 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           args: --check ./test
+          sha256: a20c3d177866129f701fed3693825a4050ad45c32dda5369de8365aff4dba635
diff --git a/action.yml b/action.yml
@@ -13,6 +13,9 @@ inputs:
     required: true
   version:
     description: 'The version of StyLua to run'
+  sha256:
+    description: 'sha256sum of the release .zip for the current platform'
+    required: true
 runs:
-  using: 'node12'
+  using: 'node16'
   main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -29,10 +29,10 @@
     "@actions/exec": "^1.0.4",
     "@actions/github": "^4.0.0",
     "@actions/tool-cache": "^1.6.1",
+    "@types/node": "^17.0.8",
     "semver": "^7.3.5"
   },
   "devDependencies": {
-    "@types/node": "^15.0.2",
     "@types/semver": "^7.3.5",
     "@typescript-eslint/parser": "^4.23.0",
     "@vercel/ncc": "^0.28.5",

diff --git a/src/main.ts b/src/main.ts
@@ -1,13 +1,27 @@
 import * as core from '@actions/core'
 import {exec} from '@actions/exec'
 import * as tc from '@actions/tool-cache'
+import {promises} from 'fs'
 import * as semver from 'semver'
 import stylua from './stylua'
+import * as crypto from 'crypto'
+
+async function sha256(file: string): Promise<string> {
+  // encode as UTF-8
+  const msgBuffer = await promises.readFile(file)
+
+  // hash the message
+  const hashBuffer = crypto.createHash('sha256')
+  hashBuffer.update(msgBuffer)
+
+  return hashBuffer.digest('hex')
+}
 
 async function run(): Promise<void> {
   try {
     const token = core.getInput('token')
     let version = semver.clean(core.getInput('version'))
+    const neededSha = core.getInput('sha256')
 
     let releases
     if (!version || version === '') {
@@ -56,6 +70,13 @@ async function run(): Promise<void> {
       core.debug(`Chose asset ${asset.browser_download_url}`)
 
       const downloadedPath = await tc.downloadTool(asset.browser_download_url)
+
+      const sha = await sha256(downloadedPath)
+
+      if (sha !== neededSha) {
+        throw new Error(`found sha ${sha} != needed sha ${neededSha}`)
+      }
+
       const extractedPath = await tc.extractZip(downloadedPath)
       await tc.cacheDir(extractedPath, 'stylua', version)
       core.addPath(extractedPath)
@@ -70,7 +91,8 @@ async function run(): Promise<void> {
 
     await exec(`stylua ${args}`)
   } catch (error) {
-    core.setFailed(error.message)
+    const {message} = error as Error
+    core.setFailed(`${message}`)
   }
 }