Add CI validation for PHP/.NET SHA hashes (#2901)

Author: vijaysaayi

.github/workflows/validate-sha.yaml

@@ -0,0 +1,64 @@
+# Validates SHA hashes against official upstream sources.
+name: Validate SHA Hashes
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - 'platforms/**/versionsToBuild.txt'
+      - 'images/constants.yml'
+      - 'build/scripts/validate-*-sha.sh'
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect changed stacks
+        id: changes
+        run: |
+          BASE_REF="${{ github.base_ref }}"
+          BASE_REF="${BASE_REF:-main}"
+          git fetch origin "$BASE_REF" --depth=1 2>/dev/null || true
+          CHANGED=$(git diff --name-only "origin/$BASE_REF"...HEAD || git diff --name-only HEAD~1)
+          echo "php=$(echo "$CHANGED" | grep -qE '^(platforms/php/|images/constants.yml)' && echo true || echo false)" >> $GITHUB_OUTPUT
+          echo "dotnet=$(echo "$CHANGED" | grep -qE '^(platforms/dotnet/|images/constants.yml)' && echo true || echo false)" >> $GITHUB_OUTPUT
+
+      - name: Validate PHP SHA256
+        id: php
+        if: steps.changes.outputs.php == 'true'
+        run: ./build/scripts/validate-php-sha.sh images/constants.yml
+
+      - name: Validate .NET SHA512
+        id: dotnet
+        if: steps.changes.outputs.dotnet == 'true'
+        run: ./build/scripts/validate-dotnet-sha.sh images/constants.yml
+
+      - name: Post summary
+        if: always() && (steps.changes.outputs.php == 'true' || steps.changes.outputs.dotnet == 'true')
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const php = '${{ steps.changes.outputs.php }}' === 'true';
+            const dotnet = '${{ steps.changes.outputs.dotnet }}' === 'true';
+            const phpStatus = '${{ steps.php.outcome }}';
+            const dotnetStatus = '${{ steps.dotnet.outcome }}';
+            const icon = s => s === 'success' ? '✅' : s === 'skipped' ? '⏭️' : '❌';
+            
+            let body = '## SHA Validation Summary\n| Stack | Status |\n|-------|--------|\n';
+            if (php) body += `| PHP | ${icon(phpStatus)} ${phpStatus} |\n`;
+            if (dotnet) body += `| .NET | ${icon(dotnetStatus)} ${dotnetStatus} |\n`;
+            
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body
+            });

build/scripts/validate-dotnet-sha.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT license.
+# --------------------------------------------------------------------------------------------
+# Validates .NET SHA512 hashes against official Microsoft releases.
+set -euo pipefail
+
+CONSTANTS_FILE="${1:-images/constants.yml}"
+
+echo "Validating .NET SHA512 hashes..."
+failed=0
+
+# Check both runtime types
+for prefix in NET_CORE_APP ASPNET_CORE_APP; do
+    while IFS=: read -r key version; do
+        key=$(echo "$key" | tr -d ' ')
+        version=$(echo "$version" | tr -d ' "')
+        major_raw="${key##*_}"
+        
+        # Convert 80 -> 8.0, 100 -> 10.0
+        if [[ ${#major_raw} -eq 2 ]]; then
+            major="${major_raw:0:1}.${major_raw:1}"
+        else
+            major="${major_raw:0:2}.${major_raw:2}"
+        fi
+        
+        # Get local SHA - use exact match with leading space to avoid ASPNET matching NET
+        local_sha=$(grep -E "^[[:space:]]+${key}_SHA:" "$CONSTANTS_FILE" | awk '{print $2}' || true)
+        [[ -n "$local_sha" ]] || { echo "  $key: SKIP (no SHA defined)"; continue; }
+        
+        # Fetch official SHA
+        jq_filter=$([ "$prefix" = "NET_CORE_APP" ] && echo '.releases[].runtime' || echo '.releases[]."aspnetcore-runtime"')
+        tarball=$([ "$prefix" = "NET_CORE_APP" ] && echo 'dotnet-runtime-' || echo 'aspnetcore-runtime-')
+        
+        official=$(curl -sf --max-time 30 \
+            "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/${major}/releases.json" | \
+            jq -r --arg v "$version" "${jq_filter} | select(.version==\$v) | .files[] | select(.rid==\"linux-x64\" and (.name | contains(\"${tarball}\")) and (.name | endswith(\".tar.gz\"))) | .hash // empty" 2>/dev/null | head -1 || true)
+        
+        label=$([ "$prefix" = "NET_CORE_APP" ] && echo ".NET Runtime" || echo "ASP.NET Core")
+        if [[ -z "$official" ]]; then
+            echo "  $label $version: WARN (could not fetch)"
+        elif [[ "${official,,}" != "${local_sha,,}" ]]; then
+            echo "  $label $version: FAILED"
+            echo "    expected: $official"
+            echo "    got:      $local_sha"
+            failed=1
+        else
+            echo "  $label $version: OK"
+        fi
+    done < <(grep -E "^[[:space:]]+${prefix}_[0-9]+:" "$CONSTANTS_FILE")
+done
+
+[[ $failed -eq 0 ]] && echo "PASSED" || { echo "FAILED"; exit 1; }

build/scripts/validate-php-sha.sh

@@ -0,0 +1,152 @@
+#!/bin/bash
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT license.
+# --------------------------------------------------------------------------------------------
+#
+# Validates PHP SHA256 hashes in constants.yml against official php.net releases.
+# Usage: ./validate-php-sha.sh [path/to/constants.yml]
+#
+# Exit codes:
+#   0 - All SHAs validated successfully
+#   1 - One or more SHA mismatches found
+#   2 - Script error (missing dependencies, file not found, etc.)
+
+set -euo pipefail
+
+CONSTANTS_FILE="${1:-images/constants.yml}"
+
+# Security: Restrict to expected file paths within the repository
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+CONSTANTS_REALPATH="$(realpath -m "$CONSTANTS_FILE" 2>/dev/null || echo "")"
+
+# Validate path was resolved and is within repository
+if [[ -z "$CONSTANTS_REALPATH" ]]; then
+    echo "Error: Could not resolve constants file path: $CONSTANTS_FILE" >&2
+    exit 2
+fi
+
+case "$CONSTANTS_REALPATH" in
+    "$REPO_ROOT"/*)
+        # Path is safe - within repository
+        ;;
+    *)
+        echo "Error: Constants file must be within the repository: $REPO_ROOT" >&2
+        exit 2
+        ;;
+esac
+
+# Colors for output (disabled if not a terminal)
+if [[ -t 1 ]]; then
+    RED='\033[0;31m'
+    GREEN='\033[0;32m'
+    YELLOW='\033[0;33m'
+    NC='\033[0m' # No Color
+else
+    RED=''
+    GREEN=''
+    YELLOW=''
+    NC=''
+fi
+
+# Check dependencies
+for cmd in curl jq grep; do
+    if ! command -v "$cmd" &> /dev/null; then
+        echo "Error: Required command '$cmd' not found" >&2
+        exit 2
+    fi
+done
+
+# Function to fetch with retry logic
+fetch_with_retry() {
+    local url="$1"
+    local max_attempts=3
+    local timeout=10
+    local result=""
+    
+    for attempt in $(seq 1 $max_attempts); do
+        result=$(curl -sf --max-time "$timeout" --proto '=https' --tlsv1.2 "$url" 2>/dev/null) && break
+        [[ $attempt -lt $max_attempts ]] && sleep $((attempt * 2))
+    done
+    
+    echo "$result"
+}
+
+echo "Validating PHP SHA256 hashes from: $CONSTANTS_FILE"
+echo "=================================================="
+
+failed=0
+validated=0
+
+# Extract PHP versions and SHAs from constants.yml
+while IFS= read -r line; do
+    # Match lines like:   php85Version: 8.5.1 (with optional leading spaces)
+    if [[ "$line" =~ ^[[:space:]]*php([0-9]+)Version:[[:space:]]*([0-9.]+)$ ]]; then
+        php_key="php${BASH_REMATCH[1]}"
+        version="${BASH_REMATCH[2]}"
+        
+        # Security: Validate version format strictly (only digits and dots, reasonable length)
+        if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ ${#version} -gt 20 ]]; then
+            echo "Warning: Skipping invalid version format: $version" >&2
+            continue
+        fi
+        
+        # Get corresponding SHA from constants.yml using fixed string match
+        sha_line=$(grep -F "${php_key}Version_SHA:" "$CONSTANTS_FILE" 2>/dev/null || true)
+        if [[ "$sha_line" =~ _SHA:[[:space:]]*([a-f0-9]{64})$ ]]; then
+            local_sha="${BASH_REMATCH[1]}"
+            
+            # Security: Sanitize output to prevent log injection
+            safe_version="${version//[^0-9.]/}"
+            echo -n "PHP $safe_version: "
+            
+            # Fetch official SHA from php.net with retry (URL-encode version just in case)
+            encoded_version=$(printf '%s' "$version" | jq -sRr @uri)
+            response=$(fetch_with_retry "https://www.php.net/releases/?json&version=${encoded_version}")
+            
+            # Validate JSON response before parsing
+            if [[ -n "$response" ]] && ! echo "$response" | jq empty 2>/dev/null; then
+                echo -e "${YELLOW}WARNING - Invalid JSON response from php.net${NC}"
+                continue
+            fi
+            
+            official=$(echo "$response" | jq -r '.source[] | select(.filename | endswith(".tar.xz")) | .sha256 // empty' 2>/dev/null || echo "")
+            
+            # Security: Validate response is a valid SHA256 (64 hex chars)
+            if [[ -n "$official" ]] && [[ ! "$official" =~ ^[a-f0-9]{64}$ ]]; then
+                echo -e "${YELLOW}WARNING - Invalid SHA format from php.net${NC}"
+                continue
+            fi
+            
+            if [[ -z "$official" ]]; then
+                echo -e "${YELLOW}WARNING - Could not fetch from php.net${NC}"
+            elif [[ "$official" != "$local_sha" ]]; then
+                echo -e "${RED}FAILED${NC}"
+                echo "  Expected: $official"
+                echo "  Got:      $local_sha"
+                failed=1
+            else
+                echo -e "${GREEN}OK${NC}"
+                validated=$((validated + 1))
+            fi
+        else
+            # Version found but no SHA - this is likely a configuration error
+            safe_version="${version//[^0-9.]/}"
+            echo -e "PHP $safe_version: ${YELLOW}WARNING - Version found but ${php_key}Version_SHA is missing${NC}"
+        fi
+    fi
+done < "$CONSTANTS_FILE" || {
+    echo "Error: Could not read constants file: $CONSTANTS_FILE" >&2
+    exit 2
+}
+
+echo "=================================================="
+echo "Validated: $validated PHP version(s)"
+
+if [[ $failed -eq 1 ]]; then
+    echo -e "${RED}VALIDATION FAILED - SHA256 mismatches detected!${NC}"
+    exit 1
+else
+    echo -e "${GREEN}VALIDATION PASSED${NC}"
+    exit 0
+fi