From be1264d4e770bd54353ecfb09d4261c2120f641f Mon Sep 17 00:00:00 2001
From: Jean-Paul van Ravensberg <14926452+DevSecNinja@users.noreply.github.com>
Date: Thu, 18 Jun 2026 12:28:59 +0000
Subject: [PATCH] ci(lint): cache dprint plugins and pin plugin integrity checksum

Cache ~/.cache/dprint in the dprint job so the markdown WASM plugin is fetched and compiled once instead of on every run (the cause of multi-minute dprint hangs when plugins.dprint.dev is slow). Pin the plugin with its sha256 integrity checksum so a tampered or swapped plugin is rejected, and add a Renovate custom manager that tracks dprint plugin versions against their GitHub releases. Renovate cannot recompute the WASM checksum, so a plugin-bump PR will fail the dprint check until the hash is refreshed with 'dprint config update'.
---
 .github/workflows/lint.yml | 8 ++++++++
 .renovate/customManagers.json5 | 15 +++++++++++++++
 config-sync/files/dprint.json | 2 +-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ea9b139..a06b426 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -126,6 +126,14 @@ jobs:
 install_args: "dprint"
 version: ${{ inputs.mise-version }}
 
+ - name: Cache dprint plugins
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ with:
+ path: ~/.cache/dprint
+ key: dprint-${{ runner.os }}-${{ hashFiles('**/dprint.json', '**/.dprint.json', '**/dprint.jsonc', '**/.dprint.jsonc') }}
+ restore-keys: |
+ dprint-${{ runner.os }}-
+
 - name: Check formatting with dprint
 env:
 CONFIG_DIR: ${{ inputs.lint-config-dir }}
diff --git a/.renovate/customManagers.json5 b/.renovate/customManagers.json5
index 981bdab..72a7485 100644
--- a/.renovate/customManagers.json5
+++ b/.renovate/customManagers.json5
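Review bot: The `restore-keys` prefix `dprint-${{ runner.os }}-` restores a plugin cache saved under any earlier config hash, so bumping the pinned plugin URL or its checksum in dprint.json does not start the job from an empty ~/.cache/dprint; whether dprint re-verifies an already-cached plugin against the `@sha256` suffix on every run is not visible here and is worth confirming before relying on the pin. If it does not, the exact `key:` match is the only thing tying the restored, executable WASM artifacts to the checked-in checksum, and removing the two `restore-keys` lines (at the cost of a cold run whenever the config changes) keeps that tie. Separately, the key hashes `**/dprint.json` relative to the workspace while the check step reads its config from `${{ inputs.lint-config-dir }}`; if that directory can sit outside the checkout, `hashFiles()` returns an empty string and the key degenerates to the bare prefix. The enclosing job begins and ends outside the hunk.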
@@ -70,5 +70,20 @@
 depNameTemplate: "DevSecNinja/dotfiles",
 datasourceTemplate: "github-releases",
 },
+ {
+ // Track dprint WASM plugin versions in dprint config files. The plugin
+ // URL is pinned with an integrity checksum (…wasm@); Renovate can
+ // bump the version but cannot recompute the checksum, so a plugin update
+ // PR will fail the dprint check until the hash is refreshed with
+ // `dprint config update`. That red check is the intended signal.
+ customType: "regex",
+ description: "Update dprint WASM plugin versions in dprint config files",
+ managerFilePatterns: ["/(^|/)\\.?dprint\\.jsonc?$/"],
+ matchStrings: [
+ "https://plugins\\.dprint\\.dev/(?[a-z0-9-]+?)-(?\\d+\\.\\d+\\.\\d+)\\.wasm",
+ ],
+ depNameTemplate: "dprint/dprint-plugin-{{{depName}}}",
+ datasourceTemplate: "github-releases",
+ },
 ],
 }
diff --git a/config-sync/files/dprint.json b/config-sync/files/dprint.json
index 6a3764e..84d791a 100644
--- a/config-sync/files/dprint.json
+++ b/config-sync/files/dprint.json
@@ -3,6 +3,6 @@
 "includes": ["**/*.md"],
 "excludes": ["**/node_modules", "**/CHANGELOG.md", "**/release-notes.md"],
 "plugins": [
- "https://plugins.dprint.dev/markdown-0.21.1.wasm"
+ "https://plugins.dprint.dev/markdown-0.21.1.wasm@064467750514c9ce5192b375582d762ec64cb3ba99673413fa86645d50406279"
 ]
 }
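Review bot: The capture groups in the added `matchStrings` regex carry no names as shown — `(?[a-z0-9-]+?)` and `(?\\d+\\.\\d+\\.\\d+)` are not valid syntax and would leave `{{{depName}}}` in `depNameTemplate` with nothing to bind; the comment's `(…wasm@)` looks truncated the same way, so this is probably angle brackets lost in rendering, but confirm the committed line reads `"https://plugins\\.dprint\\.dev/(?<depName>[a-z0-9-]+?)-(?<currentValue>\\d+\\.\\d+\\.\\d+)\\.wasm"`. The `depNameTemplate` also assumes every plugin served from plugins.dprint.dev lives in a `dprint/dprint-plugin-<name>` repository and that its release tags are bare semver matching the filename version; if a plugin's tags carry a `v` prefix, an `extractVersionTemplate` would be needed for the github-releases lookup to match. The `customManagers` array this entry belongs to begins outside the hunk.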