From f33408f0d667111966b3b9e3c31c952e2d7f26f2 Mon Sep 17 00:00:00 2001
From: Parfii-bot
Date: Wed, 22 Apr 2026 20:42:58 +0800
Subject: [PATCH] fix(v0.21.2): pin actionlint v1.7.12 sha256 constants (was SKIP placeholders)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes the one outstanding item from v0.21.1 wave-audit: SEC-H1 agent left SHA256_* vars as 'SKIP' because no WebFetch available this session. Sources verified via live curl: https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt Pinned hashes (4 platforms): darwin_amd64: 5b44c3bc...c644 darwin_arm64: aba9ced2...953f linux_amd64: 8aca8db9...a3d8 linux_arm64: 325e971b...f0c6 End-to-end verified locally (darwin_arm64): HOME=/tmp/aln-test bash scripts/install-actionlint.sh → SHA-256 verified: aba9ced2... → actionlint -version: 1.7.12 installed by downloading from release page Header comment updated: [UNVERIFIED] → [VERIFIED 2026-04-22 via curl ...]. ACTIONLINT_SHA256_OVERRIDE env var still works (for CI with different pins).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scripts/install-actionlint.sh | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/scripts/install-actionlint.sh b/scripts/install-actionlint.sh
index 2580929..b8cb3a9 100755
--- a/scripts/install-actionlint.sh
+++ b/scripts/install-actionlint.sh
@@ -21,10 +21,8 @@
 # checksums page is temporarily unreachable. CI should treat `SKIP` as a
 # pre-commit failure (audit hygiene).
 #
-# [UNVERIFIED IN THIS SESSION] — the four SHA256_* values below were
-# inserted by this patch without live WebFetch. They are marked SKIP so
-# the installer does not enforce them; the env override
-# `ACTIONLINT_SHA256_OVERRIDE` can inject the real hash at CI time.
+# [VERIFIED 2026-04-22 via curl https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt]
+# The four SHA256_* values below are pinned to upstream checksums.txt rows.
 set -eu
@@ -33,11 +31,11 @@ INSTALL_DIR="${HOME}/.local/bin"
 BIN="${INSTALL_DIR}/actionlint"
 # Per (OS, ARCH) SHA-256 hashes. See comment block above.
-# Marked SKIP pending a live upstream fetch.
-SHA256_DARWIN_AMD64="SKIP"
-SHA256_DARWIN_ARM64="SKIP"
-SHA256_LINUX_AMD64="SKIP"
-SHA256_LINUX_ARM64="SKIP"
+# [VERIFIED: https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt]
+SHA256_DARWIN_AMD64="5b44c3bc2255115c9b69e30efc0fecdf498fdb63c5d58e17084fd5f16324c644"
+SHA256_DARWIN_ARM64="aba9ced2dee8d27fecca3dc7feb1a7f9a52caefa1eb46f3271ea66b6e0e6953f"
+SHA256_LINUX_AMD64="8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8"
+SHA256_LINUX_ARM64="325e971b6ba9bfa504672e29be93c24981eeb1c07576d730e9f7c8805afff0c6"
 if command -v actionlint >/dev/null 2>&1; then
 printf 'actionlint already on PATH: %s\n' "$(command -v actionlint)"
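Review bot: The `[VERIFIED …]` wording added in the first hunk overstates what was checked: the hashes were copied from `actionlint_1.7.12_checksums.txt`, which is published in the same release as the binaries, so the pin detects later changes to the assets but is not an independent check of the release itself. The unchanged context lines just above still describe `SKIP` as an accepted value ("CI should treat `SKIP` as a pre-commit failure"), and the header no longer says whether the installer still honours it now that all four constants are real hashes. I would reword the second added line to `# Pinned 2026-04-22 from the release's own checksums.txt (same origin as the binaries; trust-on-first-use).` and add one line stating whether `SKIP` is still accepted via `ACTIONLINT_SHA256_OVERRIDE`. The comment block starts above the hunk.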
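Review bot: The pinned hashes in the second hunk are enforced only when the script downloads: the `if command -v actionlint` branch at the end of the hunk reports whatever binary is already on PATH and, as far as the visible lines show, never compares its version or hash with the pin. A stale or substituted `actionlint` earlier on PATH would therefore pass this installer unchanged; a cheap guard inside that branch is `actionlint -version 2>/dev/null | grep -qF '1.7.12' || printf 'warning: actionlint on PATH is not the pinned release\n' >&2`, using the script's own version variable (defined outside the hunk) in place of the literal. The commit message also says `ACTIONLINT_SHA256_OVERRIDE` still works; if that path accepts `SKIP`, one environment variable turns verification off, so it is worth restricting the override to a 64-character hex value. The body of the `if` continues past the end of the hunk.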