feat: check binary hash

sweatco · May 21, 2024 · 5467349 · 5467349
1 parent 72918a5
commit 5467349
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 8 deletions.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Actor
         run: echo ${{ github.actor }}
@@ -30,7 +30,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Lint
         run: make lint
@@ -39,17 +39,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Integration tests
         run: make integration
 
+  check-binary-hash:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Hash
+        run: make hash
+
+      - name: Commit Hash
+        run: echo ${{ github.event.pull_request.head.sha }}
+
   push:
-    needs: [ build, lint, integration-tests ]
+    needs: [ build, lint, integration-tests, check-binary-hash ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
           fetch-depth: 0 # otherwise, you will failed to push refs to dest repo

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -13,15 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Build
         run: make build
 
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Lint
         run: make lint
@@ -30,7 +30,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Integration tests
         run: make integration
+
+  check-binary-hash:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Hash
+        run: make hash
+
+      - name: Commit Hash
+        run: echo ${{ github.event.pull_request.head.sha }}
diff --git a/.gitignore b/.gitignore
@@ -33,3 +33,5 @@ node_modules
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+
+/res/sweat_claim_commit.wasm
diff --git a/Makefile b/Makefile
@@ -37,6 +37,9 @@ fmt: ##@Chores Format the code using rustfmt nightly.
 lint: ##@Chores Run lint checks with Clippy.
 	./scripts/lint.sh
 
+hash: ##@Chores Check if contract in commit has valid hash.
+	./scripts/check-contract-hash.sh
+
 HELP_FUN = \
     %help; while(<>){push@{$$help{$$2//'options'}},[$$1,$$3] \
     if/^([\w-_]+)\s*:.*\#\#(?:@(\w+))?\s(.*)$$/}; \

diff --git a/res/sweat_claim.wasm b/res/sweat_claim.wasm
diff --git a/scripts/check-contract-hash.sh b/scripts/check-contract-hash.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eox pipefail
+
+contract_name="sweat_claim"
+
+commit="./res/${contract_name}_commit.wasm"
+docker="./res/${contract_name}.wasm"
+
+cp $docker $commit
+
+make build-in-docker
+
+commit_hash=$(openssl dgst -sha256 "$commit" | awk '{print $2}')
+docker_hash=$(openssl dgst -sha256 "$docker" | awk '{print $2}')
+
+if [ "$commit_hash" = "$docker_hash" ]; then
+  echo "Binary hashes match."
+else
+  echo "The contract in commit hash does not match with hash of contract build in docker. You must call \`make dock\` command before submitting a PR." >&2
+  exit 1
+fi