Skip to content

Commit 7122e61

Browse files
authored
clarify frontmatter hash role: stale lock detection, not tamper protection (#24198)
1 parent cb732db commit 7122e61

2 files changed

Lines changed: 12 additions & 10 deletions

File tree

actions/setup/js/check_workflow_timestamp_api.cjs

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,12 @@
22
/// <reference types="@actions/github-script" />
33

44
/**
5-
* Check workflow lock file integrity using frontmatter hash validation.
5+
* Check for a stale workflow lock file using frontmatter hash comparison.
66
* This script verifies that the stored frontmatter hash in the lock file
7-
* matches the recomputed hash from the source .md file, regardless of
8-
* commit timestamps.
7+
* matches the recomputed hash from the source .md file, detecting cases where
8+
* the workflow was edited without recompiling the lock file. It does not
9+
* provide tamper protection — use code review to guard against intentional
10+
* modifications.
911
*
1012
* Supports both same-repo and cross-repo reusable workflow scenarios:
1113
* - Primary: GitHub API (uses GITHUB_WORKFLOW_REF to identify source repo)
@@ -33,7 +35,7 @@ async function main() {
3335
const workflowMdPath = `.github/workflows/${workflowBasename}.md`;
3436
const lockFilePath = `.github/workflows/${workflowFile}`;
3537

36-
core.info(`Checking workflow lock file integrity using frontmatter hash:`);
38+
core.info(`Checking for stale lock file using frontmatter hash:`);
3739
core.info(` Source: ${workflowMdPath}`);
3840
core.info(` Lock file: ${lockFilePath}`);
3941

@@ -193,11 +195,11 @@ async function main() {
193195
if (!hashComparison) {
194196
// Could not compute hash - be conservative and fail
195197
core.warning("Could not compare frontmatter hashes - assuming lock file is outdated");
196-
const warningMessage = `Lock file '${lockFilePath}' integrity check failed! Could not verify frontmatter hash for '${workflowMdPath}'. Run 'gh aw compile' to regenerate the lock file.`;
198+
const warningMessage = `Lock file '${lockFilePath}' is outdated or unverifiable! Could not verify frontmatter hash for '${workflowMdPath}'. Run 'gh aw compile' to regenerate the lock file.`;
197199

198200
let summary = core.summary
199201
.addRaw("### ⚠️ Workflow Lock File Warning\n\n")
200-
.addRaw("**WARNING**: Lock file integrity check failed. Could not verify frontmatter hash.\n\n")
202+
.addRaw("**WARNING**: Could not verify whether lock file is up to date. Frontmatter hash check failed.\n\n")
201203
.addRaw("**Files:**\n")
202204
.addRaw(`- Source: \`${workflowMdPath}\`\n`)
203205
.addRaw(`- Lock: \`${lockFilePath}\`\n\n`)

docs/src/content/docs/reference/frontmatter-hash-specification.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,9 @@ This document specifies the algorithm for computing a deterministic hash of agen
1010
## Purpose
1111

1212
The frontmatter hash provides:
13-
1. **Change detection**: Verify that workflow configuration has not changed between compilation and execution
13+
1. **Stale lock detection**: Identify when the compiled lock file is out of sync with the source workflow (e.g. after editing the `.md` file without recompiling)
1414
2. **Reproducibility**: Ensure identical configurations produce identical hashes across languages (Go and JavaScript)
15-
3. **Security**: Detect unauthorized modifications to workflow frontmatter
15+
3. **Change detection**: Verify that workflow configuration has not changed between compilation and execution
1616

1717
## Hash Algorithm
1818

@@ -196,8 +196,8 @@ Both Go and JavaScript implementations MUST:
196196
## Security Considerations
197197

198198
- The hash is **not cryptographically secure** for authentication (no HMAC/signing)
199-
- The hash **detects accidental or malicious changes** to frontmatter after compilation
200-
- The hash **does not protect** against modifications before compilation
199+
- The hash is designed to **detect stale lock files** — it catches cases where the frontmatter has changed since the lock file was last compiled
200+
- The hash **does not guarantee tamper protection**: anyone with write access to the repository can modify both the `.md` source and the `.lock.yml` file together, bypassing detection
201201
- Always validate workflow sources through proper code review processes
202202

203203
## Versioning

0 commit comments

Comments
 (0)