macisamuele / language-formatters-pre-commit-hooks

Collection of custom pre-commit hooks.
Apache License 2.0

Checksum for downloaded jars #216

Closed mxr closed 5 months ago

mxr commented 6 months ago

Various hooks download jars if they aren't present. Would you consider adding the option to specify a file checksum in addition to a version, to ensure the integrity of downloaded jars? Then after the file is downloaded, the actual checksum would be compared to the one provided in the hook config.

The hook config would look something like:

- repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
  rev: ${LATEST_SHA_OR_VERSION}
  hooks:
  - id: pretty-format-some-language
    args: [--autofix, --version=1.2.3, --checksum=a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447]

macisamuele commented 6 months ago

I'm not entirely sure about the general applicability in the context of tool-downloaded jars. I'm wondering if it would be easier to run the SHA check based on the values provided within the GitHub release (assuming that they are present).

Still, no strong objections to having such a feature and eventually expanding from there.

Feel free to open a PR to support it.

mxr commented 6 months ago

The GitHub release doesn't always have the SHA. I can work on a PR. Thanks!
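
The check proposed in this issue, as an added example that is not code from the repository or from either commenter: hash the downloaded jar, compare it with the value passed as `--checksum`, and delete the file on mismatch so a bad jar is not reused from the cache. The function names and the argument parser are hypothetical, and SHA-256 is an assumption based on the 64-hex-character value in the proposed config.

```python
import argparse
import hashlib
import hmac
import os
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file so large jars are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_jar(path, expected):
    """Return True if the jar matches `expected` or no checksum was given."""
    if expected is None:
        return True  # opt-in: no --checksum means no verification
    expected = expected.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("--checksum must be a 64-character hex SHA-256 digest")
    if hmac.compare_digest(sha256_of(path), expected):
        return True
    # Remove the file so a later run cannot skip the download and use it.
    os.remove(path)
    return False


def parse_args(argv):
    # Hypothetical parser mirroring the args in the proposed hook config.
    parser = argparse.ArgumentParser()
    parser.add_argument("--autofix", action="store_true")
    parser.add_argument("--version")
    parser.add_argument("--checksum", default=None)
    return parser.parse_args(argv)


def demo():
    # Constructed stand-in for a downloaded jar.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".jar") as f:
        f.write(b"constructed jar bytes")
    good = hashlib.sha256(b"constructed jar bytes").hexdigest()
    ok = verify_jar(f.name, parse_args(["--version=1.2.3", f"--checksum={good}"]).checksum)
    bad = verify_jar(f.name, parse_args(["--checksum=" + "0" * 64]).checksum)
    return ok, bad, os.path.exists(f.name)
```

The checksum only adds integrity if it is pinned in the hook config from a trusted source, not fetched from the same location as the jar at run time.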