diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 0edc8b5..a8610c3 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -53,21 +53,30 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - DETEKT_DOWNLOAD_URL=$( gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' query getReleaseAssetDownloadUrl($tagName: String!) { repository(name: "detekt", owner: "detekt") { release(tagName: $tagName) { - # it doesn't look like there is an alternative semantics for this with a specific SHA, is this release tag immutable? releaseAssets(name: "detekt", first: 1) { nodes { downloadUrl } } + tagCommit { + oid + } } } } - ' | \ - jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' ) + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" # Sets up the detekt cli