ci(lint): cache dprint plugins and pin plugin integrity checksum#180
Open
DevSecNinja wants to merge 1 commit into
Cache ~/.cache/dprint in the dprint job so the markdown WASM plugin is fetched and compiled once instead of on every run (the cause of multi-minute dprint hangs when plugins.dprint.dev is slow). Pin the plugin with its sha256 integrity checksum so a tampered or swapped plugin is rejected, and add a Renovate custom manager that tracks dprint plugin versions against their GitHub releases. Renovate cannot recompute the WASM checksum, so a plugin-bump PR will fail the dprint check until the hash is refreshed with 'dprint config update'.
Why

The reusable `lint.yml` `dprint` job intermittently hangs (2 min → up to the 6 h default) because `dprint` downloads and compiles the `markdown` WASM plugin from plugins.dprint.dev on every run and the plugin cache is never persisted. This PR adds the caching + integrity piece, split out from #179 (which keeps the pure `install_args`/timeout hygiene).

What changed

- `.github/workflows/lint.yml` — cache `~/.cache/dprint` in the `dprint` job, keyed on the hash of the repo's dprint config. The markdown WASM plugin is fetched + compiled once and reused, removing the per-run network dependency that causes the hang.
- `config-sync/files/dprint.json` (synced to all consumer repos) — pin the plugin with its sha256 integrity checksum (`markdown-0.21.1.wasm@<sha256>`) so a tampered or swapped plugin is rejected. Verified locally: correct hash → exit 0, wrong hash → exit 12.
- `.renovate/customManagers.json5` — new custom manager tracks dprint plugin versions against their GitHub releases (`dprint/dprint-plugin-<name>`), so version bumps still surface automatically.

Renovate has no native dprint manager and cannot recompute the WASM sha256. So when the custom manager opens a plugin-version bump, the `@<sha256>` becomes stale and the `dprint` check on that PR fails until the hash is refreshed with `dprint config update`. That red check is the intended signal. If fully hands-off plugin updates are preferred over integrity pinning, drop the `@<sha256>` from `config-sync/files/dprint.json` — the cache alone still fixes the hang.

The new `actions/cache` action is SHA-pinned (v5.0.5) and kept current by the GitHub Actions manager.

Validation

`actionlint` ✅ · `yamllint` ✅ · dprint config parse ✅ · `customManagers.json5` JSON5 ✅ · regex extracts `markdown` → `dprint/dprint-plugin-markdown@0.21.1` ✅. Committed through lefthook hooks (no `--no-verify`).
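The following is an added example, not code from this PR or from dprint itself. It models the integrity pin the PR introduces: a plugin reference of the form `https://plugins.dprint.dev/<name>-<version>.wasm@<sha256>` is parsed, the cached WASM bytes are hashed and compared against the pin, and the three states discussed above are exercised (matching hash, tampered bytes, and the stale pin Renovate leaves behind after a version bump until the hash is refreshed). The `dprint.json` content, the plugin bytes, the regex for the URL form and the helper names are all constructed here; the mismatch exit code 12 mirrors what the PR author reports observing locally and is an assumption about dprint's behaviour, not a documented contract.

```python
"""Check cached dprint WASM plugins against the sha256 pins in dprint.json.

Added example, not the PR's or dprint's own code. dprint's real cache layout
is not modelled; only the url@sha256 pin check is.
"""
import hashlib
import hmac
import json
import re

# Pinned plugin reference: https://plugins.dprint.dev/<name>-<version>.wasm@<sha256>
# (regex is an assumption about the reference format, not taken from dprint).
_PIN_RE = re.compile(
    r"^(?P<url>https://plugins\.dprint\.dev/(?P<name>[a-z0-9-]+?)-(?P<version>\d+\.\d+\.\d+)\.wasm)"
    r"(?:@(?P<sha256>[0-9a-f]{64}))?$"
)

# Exit status the PR author observed locally for a wrong hash (assumed, not documented).
EXIT_CHECKSUM_MISMATCH = 12


def parse_plugin_pins(dprint_json: str) -> list[dict]:
    """Return one dict per plugin entry with url/name/version/sha256 (sha256 may be None)."""
    cfg = json.loads(dprint_json)
    pins = []
    for entry in cfg.get("plugins", []):
        m = _PIN_RE.match(entry)
        if not m:
            raise ValueError(f"unrecognised plugin reference: {entry}")
        pins.append(m.groupdict())
    return pins


def verify_plugin(pin: dict, wasm_bytes: bytes) -> int:
    """Return 0 if the bytes match the pin, EXIT_CHECKSUM_MISMATCH otherwise.

    An unpinned entry (no @sha256) is accepted unconditionally, which is exactly
    why the PR adds the pin: without it a swapped plugin passes this check.
    """
    if pin["sha256"] is None:
        return 0
    actual = hashlib.sha256(wasm_bytes).hexdigest()
    return 0 if hmac.compare_digest(actual, pin["sha256"]) else EXIT_CHECKSUM_MISMATCH


def refresh_pin(pin: dict, wasm_bytes: bytes) -> str:
    """Rebuild the plugin reference with the hash of the given bytes.

    Stands in for 'dprint config update' after a Renovate version bump left the
    @sha256 stale; run it only on bytes fetched from a source you trust.
    """
    return f"{pin['url']}@{hashlib.sha256(wasm_bytes).hexdigest()}"


# --- constructed sample input -------------------------------------------------
GOOD_WASM = b"\x00asm\x01\x00\x00\x00" + b"markdown plugin 0.21.1 (constructed)"
GOOD_SHA = hashlib.sha256(GOOD_WASM).hexdigest()
SAMPLE_DPRINT_JSON = json.dumps({
    "markdown": {},
    "plugins": [f"https://plugins.dprint.dev/markdown-0.21.1.wasm@{GOOD_SHA}"],
})


def demo() -> dict:
    """Run the pin check through the states described in the PR and return the results."""
    pin = parse_plugin_pins(SAMPLE_DPRINT_JSON)[0]
    tampered = GOOD_WASM + b"\x00"  # one appended byte: a swapped or tampered plugin
    # Renovate bumps the version in the URL but cannot recompute the hash, so the
    # old sha256 is carried over unchanged: a stale pin.
    bumped = b"\x00asm\x01\x00\x00\x00" + b"markdown plugin 0.22.0 (constructed)"
    stale_pin = dict(pin, version="0.22.0", url=pin["url"].replace("0.21.1", "0.22.0"))
    refreshed_pin = _PIN_RE.match(refresh_pin(stale_pin, bumped)).groupdict()
    return {
        "name": pin["name"],
        "version": pin["version"],
        "good": verify_plugin(pin, GOOD_WASM),
        "tampered": verify_plugin(pin, tampered),
        "stale_after_bump": verify_plugin(stale_pin, bumped),
        "refreshed": verify_plugin(refreshed_pin, bumped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `hmac.compare_digest` call is there out of habit rather than necessity: hex digests of a public file are not secret, but comparing digests in constant time costs nothing and avoids having to reason about it later. The important property is the `sha256 is None` branch: an entry without `@<sha256>` is the "hands-off updates" option the PR mentions, and it is also the configuration in which a swapped plugin is accepted without any check.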