# Action metadata: display name, summary and author.
name: mdsmith Markdown linter
description: >-
  Install the mdsmith Markdown linter from a checksum-verified
  release binary and optionally run it.
author: jeduden
# Icon and colour of the action's badge.
branding:
  icon: check-square
  color: purple
# Inputs a calling workflow may set. All three are optional.
inputs:
  # Release to download. The default "latest" is a moving reference: the
  # binary that runs can change between workflow runs without any change in
  # the caller. Set an explicit release tag for a reproducible install.
  version:
    description: >-
      mdsmith release to install: a release tag such as "v0.41.0", or "latest"
      to fetch the most recent release.
    required: false
    default: latest
  # Passed to the run step through an environment variable and expanded
  # unquoted there, so the value is split on whitespace and glob-expanded
  # but is not evaluated as shell code.
  args:
    description: >-
      Arguments passed to mdsmith after install, split on whitespace
      (for example "check ."). Leave empty to only put mdsmith on PATH.
    required: false
    default: ""
  # Only used by the step that runs mdsmith; the install step ignores it.
  working-directory:
    description: Directory the mdsmith command runs in when "args" is set.
    required: false
    default: "."
# Values exposed to the calling workflow.
outputs:
  # Written by the "install" step from the output of `mdsmith version`.
  version:
    description: The version string reported by the installed mdsmith binary.
    value: ${{ steps.install.outputs.version }}
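# Composite action: step 1 downloads, verifies and installs the binary;
# step 2 runs it, and only when the "args" input is non-empty.
runs:
  using: composite
  steps:
    - id: install
      shell: bash
      # Inputs flow in through env, never interpolated into the script body,
      # so a crafted input cannot inject shell commands.
      env:
        MDSMITH_VERSION: ${{ inputs.version }}
      # The binary is downloaded over HTTPS and SHA256-verified against the
      # release checksums.txt before its directory is appended to PATH, so the
      # github-path write is safe to ignore.
      #
      # Scope of that check: checksums.txt comes from the same release as the
      # binary, so a match proves the download is intact and is the asset the
      # release lists. It does not detect a release whose binary and
      # checksums.txt were both replaced. Callers who need that assurance
      # should set "version" to a reviewed tag rather than "latest" and verify
      # any signature or attestation the project publishes.
      run: | # zizmor: ignore[github-env]
        set -euo pipefail
        # Accept only "latest" or a plain tag-shaped value. The version becomes
        # a URL path segment below; refusing path separators, percent-escapes
        # and a leading dot keeps both downloads under this repository's
        # releases. The rejected value is not echoed, so it cannot place
        # workflow commands in the log.
        case "$MDSMITH_VERSION" in
          "" | [!A-Za-z0-9]* | *[!A-Za-z0-9._+-]*)
            echo "::error::invalid version input: expected a release tag such as v0.41.0, or latest"
            exit 1
            ;;
        esac
        # Map the runner OS/arch onto the published release-asset name.
        case "$RUNNER_OS" in
          Linux)   os=linux  ; ext=""     ;;
          macOS)   os=darwin ; ext=""     ;;
          Windows) os=windows; ext=".exe" ;;
          *) echo "::error::unsupported runner OS: $RUNNER_OS"; exit 1 ;;
        esac
        case "$RUNNER_ARCH" in
          X64)   arch=amd64 ;;
          ARM64) arch=arm64 ;;
          *) echo "::error::unsupported runner arch: $RUNNER_ARCH"; exit 1 ;;
        esac
        if [ "$os" = windows ] && [ "$arch" != amd64 ]; then
          echo "::error::mdsmith ships a windows-amd64 build only, not windows-$arch"
          exit 1
        fi
        asset="mdsmith-${os}-${arch}${ext}"
        if [ "$MDSMITH_VERSION" = latest ]; then
          base="https://github.com/jeduden/mdsmith/releases/latest/download"
        else
          base="https://github.com/jeduden/mdsmith/releases/download/${MDSMITH_VERSION}"
        fi
        # Normalize the runner temp path's backslashes to forward slashes.
        # Windows runners hand back a backslash path, and GNU coreutils
        # escapes a backslash in a checksummed path by prefixing the hash
        # with one — which would break the comparison below. The
        # forward-slash form also resolves cleanly for the PATH write.
        dest="${RUNNER_TEMP//\\//}/mdsmith-bin"
        mkdir -p "$dest"
        curl -fsSL --retry 3 --retry-delay 2 "${base}/${asset}" -o "${dest}/${asset}"
        curl -fsSL --retry 3 --retry-delay 2 "${base}/checksums.txt" -o "${dest}/checksums.txt"
        # Verify the download against the release checksums file. macOS runners
        # have shasum but not GNU sha256sum, so fall back to it.
        # Pull the expected hash for our asset. Match the filename as the last
        # field, tolerating the binary-mode "*" prefix, and stop at the first
        # match. awk exits 0 even on no match, so the empty check below still
        # runs — a grep | head pipeline would trip pipefail + set -e first and
        # skip the friendly error.
        expected="$(awk -v a="$asset" '{n = $NF; sub(/^\*/, "", n); if (n == a) {print $1; exit}}' "${dest}/checksums.txt")"
        if [ -z "$expected" ]; then
          echo "::error::${asset} not listed in checksums.txt"
          exit 1
        fi
        if command -v sha256sum >/dev/null 2>&1; then
          actual="$(sha256sum "${dest}/${asset}" | awk '{print $1}')"
        else
          actual="$(shasum -a 256 "${dest}/${asset}" | awk '{print $1}')"
        fi
        # Fail closed: nothing is made executable or added to PATH unless the
        # two hashes are identical.
        if [ "$expected" != "$actual" ]; then
          echo "::error::checksum mismatch for ${asset}: expected ${expected}, got ${actual}"
          exit 1
        fi
        bin="mdsmith${ext}"
        mv "${dest}/${asset}" "${dest}/${bin}"
        chmod +x "${dest}/${bin}"
        echo "$dest" >> "$GITHUB_PATH"
        # Capture first so a non-zero `mdsmith version` aborts here (set -e)
        # rather than leaving a half-written heredoc in GITHUB_OUTPUT. The
        # heredoc keeps the write correct even if version output ever grows
        # past the single line it prints today.
        ver="$("${dest}/${bin}" version)"
        {
          echo "version<<__MDS_EOF__"
          echo "$ver"
          echo "__MDS_EOF__"
        } >> "$GITHUB_OUTPUT"
    - if: ${{ inputs.args != '' }}
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      env:
        MDSMITH_ARGS: ${{ inputs.args }}
      # MDSMITH_ARGS is intentionally unquoted so the shell word-splits it
      # into separate arguments (and expands any globs), e.g. "check .".
      # The value is expanded, not evaluated: characters such as ; | & and
      # $( ) reach mdsmith as literal argument text. Quoting inside the value
      # is not honoured either, so an argument containing a space cannot be
      # passed through this input.
      run: mdsmith $MDSMITH_ARGS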