|
2 | 2 | /// <reference types="@actions/github-script" /> |
3 | 3 |
|
4 | 4 | /** |
5 | | - * Check workflow lock file integrity using frontmatter hash validation. |
| 5 | + * Check for a stale workflow lock file using frontmatter hash comparison. |
6 | 6 | * This script verifies that the stored frontmatter hash in the lock file |
7 | | - * matches the recomputed hash from the source .md file, regardless of |
8 | | - * commit timestamps. |
| 7 | + * matches the recomputed hash from the source .md file, detecting cases where |
| 8 | + * the workflow was edited without recompiling the lock file. It does not |
| 9 | + * provide tamper protection — use code review to guard against intentional |
| 10 | + * modifications. |
9 | 11 | * |
10 | 12 | * Supports both same-repo and cross-repo reusable workflow scenarios: |
11 | 13 | * - Primary: GitHub API (uses GITHUB_WORKFLOW_REF to identify source repo) |
@@ -33,7 +35,7 @@ async function main() { |
33 | 35 | const workflowMdPath = `.github/workflows/${workflowBasename}.md`; |
34 | 36 | const lockFilePath = `.github/workflows/${workflowFile}`; |
35 | 37 |
|
36 | | - core.info(`Checking workflow lock file integrity using frontmatter hash:`); |
| 38 | + core.info(`Checking for stale lock file using frontmatter hash:`); |
37 | 39 | core.info(` Source: ${workflowMdPath}`); |
38 | 40 | core.info(` Lock file: ${lockFilePath}`); |
39 | 41 |
|
@@ -193,11 +195,11 @@ async function main() { |
193 | 195 | if (!hashComparison) { |
194 | 196 | // Could not compute hash - be conservative and fail |
195 | 197 | core.warning("Could not compare frontmatter hashes - assuming lock file is outdated"); |
196 | | - const warningMessage = `Lock file '${lockFilePath}' integrity check failed! Could not verify frontmatter hash for '${workflowMdPath}'. Run 'gh aw compile' to regenerate the lock file.`; |
| 198 | + const warningMessage = `Lock file '${lockFilePath}' is outdated or unverifiable! Could not verify frontmatter hash for '${workflowMdPath}'. Run 'gh aw compile' to regenerate the lock file.`; |
197 | 199 |
|
198 | 200 | let summary = core.summary |
199 | 201 | .addRaw("### ⚠️ Workflow Lock File Warning\n\n") |
200 | | - .addRaw("**WARNING**: Lock file integrity check failed. Could not verify frontmatter hash.\n\n") |
| 202 | + .addRaw("**WARNING**: Could not verify whether lock file is up to date. Frontmatter hash check failed.\n\n") |
201 | 203 | .addRaw("**Files:**\n") |
202 | 204 | .addRaw(`- Source: \`${workflowMdPath}\`\n`) |
203 | 205 | .addRaw(`- Lock: \`${lockFilePath}\`\n\n`) |
|
0 commit comments