coder/scripts/check_mise_versions.sh

#!/usr/bin/env bash

# This script checks the mise values used by CI and dogfood images:
# - mise.toml min_version is the source of truth for the mise version.
# - .github/actions/setup-mise/checksums.toml stores pinned binary checksums.
# - .github/actions/setup-mise/action.yml
# - flake.nix
# - scripts/dogfood/mise-oci-wrapper.sh
# - dogfood/coder/ubuntu-*/Dockerfile.base

set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
cdroot

check_not_empty() {
	local label="$1"
	local value="$2"

	log "INFO : ${label}: ${value}"
	if [[ -z "${value}" ]]; then
		error "Missing mise value for ${label}"
	fi
}

check_equal() {
	local label="$1"
	local actual="$2"
	local expected="$3"

	check_not_empty "${label}" "${actual}"
	if [[ "${actual}" != "${expected}" ]]; then
		error "Mise mismatch for ${label}: expected ${expected}, got ${actual}"
	fi
}

check_sha256_format() {
	local label="$1"
	local value="$2"

	if [[ -z "${value}" ]]; then
		error "Missing mise value for ${label}"
	fi
	if [[ ! "${value}" =~ ^[a-f0-9]{64}$ ]]; then
		error "Expected 64-character lowercase SHA256 for ${label}: ${value}"
	fi
}

mise_version="$(sed -n 's/^min_version = "\([^"]*\)"/\1/p' mise.toml)"
check_not_empty "mise.toml min_version" "${mise_version}"

action_version="$(
	awk '
		$1 == "mise-version:" { in_input = 1; next }
		in_input && /^  [A-Za-z0-9_-]+:/ { exit }
		in_input && $1 == "default:" {
			gsub(/"/, "", $2)
			print $2
			exit
		}
	' .github/actions/setup-mise/action.yml
)"
check_equal ".github/actions/setup-mise/action.yml" "${action_version}" "${mise_version}"

checksum_version="$(
	awk -v version="${mise_version}" '
		$0 == "[\"" version "\"]" {
			print version
			exit
		}
	' .github/actions/setup-mise/checksums.toml
)"
check_equal ".github/actions/setup-mise/checksums.toml" "${checksum_version}" "${mise_version}"

declare -A setup_mise_checksums=()
for target in linux-x64 linux-arm64 macos-x64 macos-arm64 windows-x64; do
	checksum="$(./scripts/mise_checksum.sh .github/actions/setup-mise/checksums.toml "${mise_version}" "${target}")"
	check_not_empty ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
	check_sha256_format ".github/actions/setup-mise/checksums.toml ${target}" "${checksum}"
	setup_mise_checksums["${target}"]="${checksum}"
done
linux_x64_checksum="${setup_mise_checksums["linux-x64"]}"

sri_sha256_to_hex() {
	local label="$1"
	local sri="$2"

	if [[ "${sri}" != sha256-* ]]; then
		error "Expected SRI SHA256 hash for ${label}: ${sri}"
	fi

	printf '%s' "${sri#sha256-}" | openssl base64 -A -d | od -An -tx1 -v | tr -d ' \n'
}

flake_version="$(
	awk '
		/^[[:space:]]*mise = / { in_mise = 1; next }
		in_mise && /^[[:space:]]*version = / {
			gsub(/[";]/, "", $3)
			print $3
			exit
		}
		in_mise && /^[[:space:]]*};/ { exit }
	' flake.nix
)"
check_equal "flake.nix" "${flake_version}" "${mise_version}"

declare -A flake_targets=(
	["x86_64-linux"]="linux-x64"
	["aarch64-linux"]="linux-arm64"
	["x86_64-darwin"]="macos-x64"
	["aarch64-darwin"]="macos-arm64"
)
for system in "${!flake_targets[@]}"; do
	target="${flake_targets[${system}]}"
	expected_checksum="${setup_mise_checksums[${target}]}"

	flake_hash="$(
		awk -v nix_system="${system}" '
			/^[[:space:]]*hash = \{/ { in_hash = 1; next }
			in_hash && $1 == nix_system {
				gsub(/[";]/, "", $3)
				print $3
				exit
			}
			in_hash && /^[[:space:]]*};/ { exit }
		' flake.nix
	)"
	check_not_empty "flake.nix ${system} hash" "${flake_hash}"

	actual_checksum="$(sri_sha256_to_hex "flake.nix ${system}" "${flake_hash}")"
	check_equal "flake.nix ${system} sha256" "${actual_checksum}" "${expected_checksum}"
done

wrapper_version="$(sed -n 's/^MISE_VERSION="v\([^"]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
check_equal "scripts/dogfood/mise-oci-wrapper.sh" "${wrapper_version}" "${mise_version}"
wrapper_checksum="$(sed -n 's/^MISE_SHA256="\([a-f0-9]*\)"/\1/p' scripts/dogfood/mise-oci-wrapper.sh)"
check_equal "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}" "${linux_x64_checksum}"
check_sha256_format "scripts/dogfood/mise-oci-wrapper.sh sha256" "${wrapper_checksum}"

for dockerfile in dogfood/coder/ubuntu-*/Dockerfile.base; do
	dockerfile_version="$(sed -n 's/.*MISE_VERSION=v\([0-9.]*\).*/\1/p' "${dockerfile}" | head -n 1)"
	check_equal "${dockerfile}" "${dockerfile_version}" "${mise_version}"

	dockerfile_checksum="$(sed -n 's/.*MISE_SHA256=\([a-f0-9]*\).*/\1/p' "${dockerfile}" | head -n 1)"
	check_equal "${dockerfile} sha256" "${dockerfile_checksum}" "${linux_x64_checksum}"
	check_sha256_format "${dockerfile} sha256" "${dockerfile_checksum}"
done

log "Mise version check passed, all versions are ${mise_version}"