From 7642aa484eee0ff3124abdbd50729abf373baa02 Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sat, 24 Feb 2024 18:32:40 +0100
Subject: [PATCH] Continuously validate ghasum checksums

Add a GitHub Actions workflows that continuously validates the ghasum checksums for this project. This workflow is triggered whenever code has been changed and validates all actions used in all workflows. This will only result in a failed job when there is a problem, it won't prevent running any action with a checksum mismatch.

This is implemented for two reasons. First it's another kind of dogfeeding to gain experience with the tool. Second it's aimed towards enforcing updating the checksums when Dependabot creates a Pull Request to update an action. Because of the limitation noted above this is NOT implemented to avoid running potentially compromised actions.
---
.github/workflows/ghasum.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .github/workflows/ghasum.yml

diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml
new file mode 100644
index 0000000..3154c24
--- /dev/null
+++ b/.github/workflows/ghasum.yml
@@ -0,0 +1,22 @@
+name: ghasum
+on:
+ pull_request: ~
+ push:
+ branches:
+ - main
+
+permissions: read-all
+
+jobs:
+ verify:
+ name: Verify
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4.1.1
+ - name: Install Go
+ uses: actions/setup-go@v5.0.0
+ with:
+ go-version-file: go.mod
+ - name: Verify checksums
+ run: go run ./cmd/ghasum verify -cache /home/runner/work/_actions
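Review bot: The two actions that execute before the `Verify checksums` step, `actions/checkout@v4.1.1` and `actions/setup-go@v5.0.0`, are referenced by mutable tags, so this job itself runs code that ghasum has not yet had a chance to check; the commit message acknowledges that the verify step does not gate execution, but these two references can be hardened independently of ghasum by pinning each `uses:` to the full 40-character commit SHA of the release and keeping the tag in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4.1.1`. That does not replace the checksum verification for the repository's other workflows, but it closes the tag-retarget window for the one job that must run before any verification can happen. Separately, `-cache /home/runner/work/_actions` hard-codes the hosted-runner directory layout; if ghasum's `-cache` flag accepts an arbitrary directory, deriving it from the runner environment (something like `${RUNNER_WORKSPACE}/../_actions`, to be confirmed against where the runner actually stages actions) would keep the job working on self-hosted or relocated runners. A one-line comment above the `run:` step, such as `# Reports checksum mismatches only; checkout/setup-go have already run by this point`, would surface the limitation stated in the commit message to anyone reading just the workflow.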