fix(v0.21.2): pin actionlint v1.7.12 sha256 constants (was SKIP placeholders)

Closes the one outstanding item from v0.21.1 wave-audit: SEC-H1 agent
left SHA256_* vars as 'SKIP' because no WebFetch available this session.

Sources verified via live curl:
  https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt

Pinned hashes (4 platforms):
  darwin_amd64: 5b44c3bc...c644
  darwin_arm64: aba9ced2...953f
  linux_amd64:  8aca8db9...a3d8
  linux_arm64:  325e971b...f0c6

End-to-end verified locally (darwin_arm64):
  HOME=/tmp/aln-test bash scripts/install-actionlint.sh
  → SHA-256 verified: aba9ced2...
  → actionlint -version: 1.7.12 installed by downloading from release page

Header comment updated: [UNVERIFIED] → [VERIFIED 2026-04-22 via curl ...].

ACTIONLINT_SHA256_OVERRIDE env var still works (for CI with different pins).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Parfii-bot 2026-04-22 20:42:58 +08:00
parent 64aa34afe6
commit f33408f0d6

@ -21,10 +21,8 @@
# checksums page is temporarily unreachable. CI should treat `SKIP` as a
# pre-commit failure (audit hygiene).
#
# [UNVERIFIED IN THIS SESSION] — the four SHA256_* values below were
# inserted by this patch without live WebFetch. They are marked SKIP so
# the installer does not enforce them; the env override
# `ACTIONLINT_SHA256_OVERRIDE` can inject the real hash at CI time.
# [VERIFIED 2026-04-22 via curl https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt]
# The four SHA256_* values below are pinned to upstream checksums.txt rows.
set -eu
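Review bot: The new "[VERIFIED 2026-04-22 via curl ...]" header line should say what the pin actually guarantees. The checksums.txt it cites comes from the same v1.7.12 release location the installer downloads from, so the hashes prove the assets have not changed since that date, not that the release was trustworthy when it was pinned. The URL also hard-codes v1.7.12, so add a sentence saying a version bump requires re-fetching checksums.txt and replacing all four SHA256_* values together. Otherwise the next bump leaves a stale "VERIFIED" marker above hashes for a different release.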
@ -33,11 +31,11 @@ INSTALL_DIR="${HOME}/.local/bin"
BIN="${INSTALL_DIR}/actionlint"
# Per (OS, ARCH) SHA-256 hashes. See comment block above.
# Marked SKIP pending a live upstream fetch.
SHA256_DARWIN_AMD64="SKIP"
SHA256_DARWIN_ARM64="SKIP"
SHA256_LINUX_AMD64="SKIP"
SHA256_LINUX_ARM64="SKIP"
# [VERIFIED: https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt]
SHA256_DARWIN_AMD64="5b44c3bc2255115c9b69e30efc0fecdf498fdb63c5d58e17084fd5f16324c644"
SHA256_DARWIN_ARM64="aba9ced2dee8d27fecca3dc7feb1a7f9a52caefa1eb46f3271ea66b6e0e6953f"
SHA256_LINUX_AMD64="8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8"
SHA256_LINUX_ARM64="325e971b6ba9bfa504672e29be93c24981eeb1c07576d730e9f7c8805afff0c6"
if command -v actionlint >/dev/null 2>&1; then
printf 'actionlint already on PATH: %s\n' "$(command -v actionlint)"
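Review bot: With all four SHA256_* constants now holding real digests, the "SKIP" sentinel no longer has a legitimate in-tree use, but nothing in this hunk removes it as a bypass. The old header text says a SKIP value makes the installer not enforce the hash, and the commit message says ACTIONLINT_SHA256_OVERRIDE still works. Suggest failing closed where the hash is resolved: reject "SKIP" and any value that is not 64 lowercase hex characters, whether it comes from these constants or from the override. A mistyped or hostile override would then stop the install instead of disabling verification. Separately, check whether the "actionlint already on PATH" branch in the trailing context returns before any hash check. If it does, a pre-existing binary of any version is accepted without going through these pins.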