Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

integrity check #3710

Closed
wants to merge 12 commits into from
+135 −0
Closed

integrity check #3710

Changes from 10 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
1974b21
integrity check
mgwalker Sep 16, 2023
58e1068
oop
mgwalker Sep 16, 2023
5cc6d3a
oop x 2
mgwalker Sep 16, 2023
f1e3669
oop x 3
mgwalker Sep 16, 2023
b3dc312
oop x 4
mgwalker Sep 16, 2023
e0cac17
oop x 5
mgwalker Sep 16, 2023
803f50a
oop x 6
mgwalker Sep 16, 2023
7a467a4
oop x 7
mgwalker Sep 16, 2023
f595f86
oop x 8
mgwalker Sep 17, 2023
906ac5b
oop x 9
mgwalker Sep 17, 2023
3f0c469
externalize script
mgwalker Oct 13, 2023
095eb1e
remove nondeterministic files from checks
mgwalker Oct 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions .github/workflows/integrity-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
name: regular integrity check

on: [pull_request]

jobs:
build:
name: build
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- id: cache_key
run: echo "cache_key=${{ hashFiles('**/**') }}-v1" >> "$GITHUB_OUTPUT"

- uses: actions/cache@v3
id: cache
with:
path: .
key: ${{ steps.cache_key.outputs.cache_key }}

- if: steps.cache.outputs.cache-hit != true
uses: actions/setup-node@v3
with:
node-version: 18

- if: steps.cache.outputs.cache-hit != true
run: npm install

- if: steps.cache.outputs.cache-hit != true
env:
ELEVENTY_ENV: production
run: npm run build

- name: check integrity
uses: actions/github-script@v6
with:
script: |
const crypto = require("crypto");
const { promises: fs } = require("fs");
const path = require("path");

const walk = async (dir) => {
const entries = await fs.readdir(dir);
let ret = [];
for await (const entry of entries) {
const fullpath = path.join(dir, entry);
const info = await fs.stat(fullpath);
if (info.isDirectory()) {
ret = [...ret, ...(await walk(fullpath))];
} else {
ret = [...ret, fullpath];
}
}
return ret;
};

const md5 = (plaintext) => {
const hash = crypto.createHash("md5");
hash.update(plaintext);
return hash.digest().toString("hex");
};

const sleep = async (ms) =>
new Promise((resolve) => {
setTimeout(() => {
resolve();
}, ms);
});

(async () => {
const siteFiles = await walk("_site");
const hashes = await Promise.all(
siteFiles.map(async (filePath) => {
const file = await fs.readFile(filePath);
const hash = md5(file);
return [hash, filePath.replace(/^_site\//, "")];
})
);

const mismatch = [];

let on = 1;
for await (const [expectedHash, path] of hashes) {
const url = `https://handbook.tts.gsa.gov/${path}`;

if (process.env.CI === "true") {
console.log(`[${on} of ${hashes.length}]: ${url}`);
} else {
process.stdout.clearLine();
process.stdout.cursorTo(0);
process.stdout.write(`[${on} of ${hashes.length}]: ${url}`);
}
on += 1;

const remoteBuffer = await fetch(url)
.then((response) => response.arrayBuffer())
.then((blob) => Buffer.from(blob));
const remoteHash = md5(remoteBuffer);

if (expectedHash !== remoteHash) {
mismatch.push({ expectedHash, remoteHash, url });
}

await sleep(500);
}

if (mismatch.length > 0) {
mismatch.forEach(({ expectedHash, remoteHash, url }) => {
console.log(`UNEXPECTED HASH ON ${url}`);
console.log(` EXPECTED: ${expectedHash}`);
console.log(` RECEIVED: ${remoteHash}`);
console.log("".padStart(13 + expectedHash.length, "-"));
});
process.exit(400);
}
})();