Merge pull request #20504 from Homebrew/copilot/fix-20503

Add RuboCop rule to detect identical SHA256 values across architectures in casks
2025-08-19 14:00:44 +00:00 · 2025-08-19 14:00:44 +00:00 · d82f30290e
commit d82f30290e
parent 00c1ca2aac 7f6b4bee93
2 changed files with 48 additions and 0 deletions
--- a/Library/Homebrew/rubocops/cask/on_system_conditionals.rb
+++ b/Library/Homebrew/rubocops/cask/on_system_conditionals.rb
@ -47,6 +47,7 @@ module RuboCop
          audit_arch_conditionals(cask_body, allowed_blocks: FLIGHT_STANZA_NAMES)
          audit_macos_version_conditionals(cask_body, recommend_on_system: false)
          simplify_sha256_stanzas
+          audit_identical_sha256_across_architectures
        end

        private
@ -76,6 +77,43 @@ module RuboCop
          end
        end

+        sig { void }
+        def audit_identical_sha256_across_architectures
+          sha256_stanzas = toplevel_stanzas.select { |stanza| stanza.stanza_name == :sha256 }
+
+          sha256_stanzas.each do |stanza|
+            sha256_node = stanza.stanza_node
+            next if sha256_node.arguments.count != 1
+            next unless sha256_node.arguments.first.hash_type?
+
+            hash_node = sha256_node.arguments.first
+            arm_sha = T.let(nil, T.nilable(String))
+            intel_sha = T.let(nil, T.nilable(String))
+
+            hash_node.pairs.each do |pair|
+              key = pair.key
+              next unless key.sym_type?
+
+              value = pair.value
+              next unless value.str_type?
+
+              case key.value
+              when :arm
+                arm_sha = value.value
+              when :intel
+                intel_sha = value.value
+              end
+            end
+
+            next unless arm_sha
+            next unless intel_sha
+            next if arm_sha != intel_sha
+
+            offending_node(sha256_node)
+            problem "sha256 values for different architectures should not be identical."
+          end
+        end
+
        def_node_search :sha256_on_arch_stanzas, <<~PATTERN
          $(block
            (send nil? ${:on_intel :on_arm})
--- a/Library/Homebrew/test/rubocops/cask/on_system_conditionals_spec.rb
+++ b/Library/Homebrew/test/rubocops/cask/on_system_conditionals_spec.rb
@ -105,6 +105,16 @@ RSpec.describe RuboCop::Cop::Cask::OnSystemConditionals, :config do
      CASK
    end

+    it "reports an offense when `sha256` has identical values for different architectures" do
+      expect_offense <<~CASK
+        cask 'foo' do
+          sha256 arm:   "5f42cb017dd07270409eaee7c3b4a164ffa7c0f21d85c65840c4f81aab21d457",
+          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ sha256 values for different architectures should not be identical.
+                 intel: "5f42cb017dd07270409eaee7c3b4a164ffa7c0f21d85c65840c4f81aab21d457"
+        end
+      CASK
+    end
+
    it "accepts when there is only one `on_arch` block" do
      expect_no_offenses <<~CASK
        cask 'foo' do