Skip to content

Commit 74e39ce

Browse files
potetopoteto
authored
[ci] Validate downloaded build artifact (facebook#31847)
Adds validation to download-build-artifacts to confirm that the downloaded artifact matches what was requested. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/facebook/react/pull/31847). * facebook#31848 * __->__ facebook#31847 * facebook#31846
1 parent a34aa05 commit 74e39ce

File tree

1 file changed

+14
-3
lines changed

1 file changed

+14
-3
lines changed

scripts/release/shared-commands/download-build-artifacts.js

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
const {join} = require('path');
44
const theme = require('../theme');
55
const {exec} = require('child-process-promise');
6-
const {existsSync} = require('fs');
6+
const {existsSync, readFileSync} = require('fs');
77
const {logPromise} = require('../utils');
88

99
if (process.env.GH_TOKEN == null) {
@@ -80,7 +80,7 @@ async function getArtifact(workflowRunId, artifactName) {
8080
return artifact;
8181
}
8282

83-
async function processArtifact(artifact, releaseChannel) {
83+
async function processArtifact(artifact, commit, releaseChannel) {
8484
// Download and extract artifact
8585
const cwd = join(__dirname, '..', '..', '..');
8686
await exec(`rm -rf ./build`, {cwd});
@@ -117,6 +117,17 @@ async function processArtifact(artifact, releaseChannel) {
117117
await exec(`cp -r ./build/${sourceDir} ./build/node_modules`, {
118118
cwd,
119119
});
120+
121+
// Validate artifact
122+
const buildSha = readFileSync('./build/COMMIT_SHA', 'utf8').replace(
123+
/[\u0000-\u001F\u007F-\u009F]/g,
124+
''
125+
);
126+
if (buildSha !== commit) {
127+
throw new Error(
128+
`Requested commit sha does not match downloaded artifact. Expected: ${commit}, got: ${buildSha}`
129+
);
130+
}
120131
}
121132

122133
async function downloadArtifactsFromGitHub(commit, releaseChannel) {
@@ -141,7 +152,7 @@ async function downloadArtifactsFromGitHub(commit, releaseChannel) {
141152
workflowRun.id,
142153
'artifacts_combined'
143154
);
144-
await processArtifact(artifact, releaseChannel);
155+
await processArtifact(artifact, commit, releaseChannel);
145156
return;
146157
} else {
147158
console.log(

0 commit comments

Comments
 (0)