diff --git a/Library/Homebrew/rubocops/cask/on_system_conditionals.rb b/Library/Homebrew/rubocops/cask/on_system_conditionals.rb index 5b52af327e..8f59436842 100644 --- a/Library/Homebrew/rubocops/cask/on_system_conditionals.rb +++ b/Library/Homebrew/rubocops/cask/on_system_conditionals.rb @@ -47,6 +47,7 @@ module RuboCop audit_arch_conditionals(cask_body, allowed_blocks: FLIGHT_STANZA_NAMES) audit_macos_version_conditionals(cask_body, recommend_on_system: false) simplify_sha256_stanzas + audit_identical_sha256_across_architectures end private @@ -76,6 +77,43 @@ module RuboCop end end + sig { void } + def audit_identical_sha256_across_architectures + sha256_stanzas = toplevel_stanzas.select { |stanza| stanza.stanza_name == :sha256 } + + sha256_stanzas.each do |stanza| + sha256_node = stanza.stanza_node + next if sha256_node.arguments.count != 1 + next unless sha256_node.arguments.first.hash_type? + + hash_node = sha256_node.arguments.first + arm_sha = T.let(nil, T.nilable(String)) + intel_sha = T.let(nil, T.nilable(String)) + + hash_node.pairs.each do |pair| + key = pair.key + next unless key.sym_type? + + value = pair.value + next unless value.str_type? + + case key.value + when :arm + arm_sha = value.value + when :intel + intel_sha = value.value + end + end + + next unless arm_sha + next unless intel_sha + next if arm_sha != intel_sha + + offending_node(sha256_node) + problem "sha256 values for different architectures should not be identical." + end + end + def_node_search :sha256_on_arch_stanzas, <<~PATTERN $(block (send nil? ${:on_intel :on_arm}) diff --git a/Library/Homebrew/test/rubocops/cask/on_system_conditionals_spec.rb b/Library/Homebrew/test/rubocops/cask/on_system_conditionals_spec.rb index fbbc8fc645..faf34bf049 100644 --- a/Library/Homebrew/test/rubocops/cask/on_system_conditionals_spec.rb +++ b/Library/Homebrew/test/rubocops/cask/on_system_conditionals_spec.rb @@ -105,6 +105,16 @@ RSpec.describe RuboCop::Cop::Cask::OnSystemConditionals, :config do CASK end + it "reports an offense when `sha256` has identical values for different architectures" do + expect_offense <<~CASK + cask 'foo' do + sha256 arm: "5f42cb017dd07270409eaee7c3b4a164ffa7c0f21d85c65840c4f81aab21d457", + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sha256 values for different architectures should not be identical. + intel: "5f42cb017dd07270409eaee7c3b4a164ffa7c0f21d85c65840c4f81aab21d457" + end + CASK + end + it "accepts when there is only one `on_arch` block" do expect_no_offenses <<~CASK cask 'foo' do