v1.0.3

Summary

Fixes for issues reported by Publint, and fixes for use on Deno. Hashlock should now be usable via npx|bun x|pnpm dlx|yarnpkg, etc., and should function smoothly on Node v20+, Bun, and Deno.

Only imports were changed, via the node: prefix supported since Node 16. No underlying code was changed in this release.

What's Changed

• feat: support all runtimes by @sgammon in #29

Full Changelog: v1.0.2...v1.0.3

v1.0.2

This release fixes several package.json flaws reported by Publint. No changes have been made to the underlying code.

What's Changed

• fix: package exports for cli and types by @sgammon in #24

Full Changelog: v1.0.1...v1.0.2

v1.0.1

Full release with provenance, to NPM, GitHub Packages, and GitHub Releases. No code changed with this release.

What's Changed

• chore: version bump → 1.0.1 by @sgammon in #23

Full Changelog: v1.0.0...v1.0.1

v1.0.0

Initial Release

• feat: support for use as a github action
• feat: published library/cli at hashlock on npm
• feat: published library on github packages
• feat: standalone executable for linux and mac
• feat: provenance and signing for release artifacts

Hashlock RC6

Fixes for use as a JavaScript package, via CJS, ESM, and TypeScript.

• fix: use as package via esm
• fix: use as package via cjs
• fix: typescript type mappings
• fix: binary script mapping

Verify this release on Sigstore.

What's Changed

• fix: dual esm / cjs release support by @sgammon in #21

Full Changelog: v1.0.0-rc5...v1.0.0-rc6

Hashlock RC5

Release Candidate 5

• fix: usage from typescript
• fix: import/export paths
• fix: esm and cjs with jest
• fix: provenance and cleanroom npm publishing

Release Verification

• Verify this release on Sigstore

What's Changed

• chore(deps): Bump the actions-minor group with 1 update by @dependabot in #14
• chore(deps): Bump the actions-minor group with 1 update by @dependabot in #15
• chore(deps): Bump the actions-minor group with 2 updates by @dependabot in #18
• chore(deps-dev): Bump the npm-development group with 4 updates by @dependabot in #20

Full Changelog: v1.0.0-rc1...v1.0.0-rc5

Release Candidate 1

Verify Hashes Action

---

A very simple action:

find . -name "<filename>.{md5,sha,sha1,sha256,sha512} -exec \
  # (verify <filenames> within <hashfile>)

---

Getting Started

- name: 'Check: Hashes'
  uses: sgammon/verify-hashes@v1

This will check all files in your codebase that look like:

filename.ext
filename.ext.{md5,sha,sha1,sha256,sha512}

For example, say you have a hash file:

something.txt.sha256:

98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4  something.txt

And you have the subject it asserts upon:

something.txt:

hi

This action will detect something.txt.sha256, find something.txt, hash it
according to SHA-256, and make sure the two match.

Usage

Input	Description	Default
paths	Paths to search under. See Paths.	.
strict	Activate strict mode. See below.	false
ignored	Paths to ignore. See Paths.	node_modules/
follow-symbolic-links	Controls link behavior with globs.	true
globs	Controls whether paths are interpreted as globs.	true
warn-only	Doesn't fail the build if hashes mismatch.	false

By default, the following cases will fail the action:

• There was a hash file, the subject file was found, the hash did not match
• There was a hash file, the subject file was not found
• There was a hash file, it was malformed or broken
• There was a hash file with no subject or the subject file is ambiguous

In strict mode, the following additional cases fail the action:

• There were no hash files found under any paths, or all of them were ignored

Examples

Fail if hash files are not found

Strict mode will fail if hash files are not found or all of them are ignored:

- name: 'Check: Hashes'
  uses: sgammon/verify-hashes@v1
  with:
    strict: true

Verify a specific set of hash files

Turn off globs to do that. Multi-line values are accepted for paths:

- name: 'Check: Hashes'
  uses: sgammon/verify-hashes@v1
  with:
    globs: false
    paths: |
      some/cool/hashfile.txt.sha256

Behavior

This section describes in detail how the action behaves.

Paths

By default, paths and ignored are treated as globs. Entries in ignored are
actually just globbed against each algorithm, same as paths, but with !
prepended. So, for example:

- name: 'Check: Hashes'
  uses: sgammon/verify-hashes@v1
  with:
    paths: hello
    ignored: goodbye

The effective glob is:

hello/**/*.{md5,sha,sha1,sha256,sha512}
!goodbye

Literal paths mode

When you pass globs: false, the paths entries become regular literal paths:

- name: 'Check: Hashes'
  uses: sgammon/verify-hashes@v1
  with:
    paths: |
      hello.sha256
      djkhaledanotherone.sha256
    globs: false

The effective paths are:

hello.sha256
djkhaledanotherone.sha256