This is an automated email from the ASF dual-hosted git repository.

hgruszecki pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iggy.git


The following commit(s) were added to refs/heads/master by this push:
     new 6735eea6b ci: add binary artifact detection to pre-commit and CI 
(#2875)
6735eea6b is described below

commit 6735eea6bc8e30c889981e45ac4c881f56396d4e
Author: Hubert Gruszecki <[email protected]>
AuthorDate: Thu Mar 5 13:48:33 2026 +0100

    ci: add binary artifact detection to pre-commit and CI (#2875)
---
 .github/workflows/_common.yml  |  22 ++++++
 .pre-commit-config.yaml        |   7 ++
 rust_out                       | Bin 3893768 -> 0 bytes
 scripts/ci/binary-artifacts.sh | 151 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 180 insertions(+)

diff --git a/.github/workflows/_common.yml b/.github/workflows/_common.yml
index fb746ba4f..136d89b91 100644
--- a/.github/workflows/_common.yml
+++ b/.github/workflows/_common.yml
@@ -221,6 +221,18 @@ jobs:
       - name: Check TOML formatting
         run: ./scripts/ci/taplo.sh --check --ci
 
+  binary-artifacts:
+    name: Check binary artifacts
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for binary artifacts
+        run: ./scripts/ci/binary-artifacts.sh --check --ci
+
   typos:
     name: Check typos
     runs-on: ubuntu-latest
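Review bot: The new `binary-artifacts` job declares no `permissions:` and its checkout step keeps the default persisted token, although the job only reads the tree and runs `./scripts/ci/binary-artifacts.sh` from the checked-out code. Unless the workflow already restricts permissions at the top level (outside this hunk), I would add `permissions:` with `contents: read` to the job and `persist-credentials: false` under the checkout's `with:`. `actions/checkout@v4` is a mutable tag; pinning it to a commit SHA would be the stricter supply-chain choice, if the rest of the file does not deliberately use tags.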
@@ -249,6 +261,7 @@ jobs:
         trailing-whitespace,
         trailing-newline,
         toml-format,
+        binary-artifacts,
         typos,
       ]
     if: always()
@@ -351,6 +364,15 @@ jobs:
             echo "| ⏭️ Trailing Newline | $TRAILING_NL | Check skipped |" >> 
$GITHUB_STEP_SUMMARY
           fi
 
+          BINARY_ARTIFACTS="${{ needs.binary-artifacts.result }}"
+          if [ "$BINARY_ARTIFACTS" = "success" ]; then
+            echo "| ✅ Binary Artifacts | success | No binary artifacts found 
|" >> $GITHUB_STEP_SUMMARY
+          elif [ "$BINARY_ARTIFACTS" = "failure" ]; then
+            echo "| ❌ Binary Artifacts | failure | Binary artifacts detected 
in commit |" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "| ⏭️ Binary Artifacts | $BINARY_ARTIFACTS | Check skipped |" 
>> $GITHUB_STEP_SUMMARY
+          fi
+
           TOML_FORMAT="${{ needs.toml-format.result }}"
           if [ "$TOML_FORMAT" = "success" ]; then
             echo "| ✅ TOML Format | success | All TOML files properly 
formatted |" >> $GITHUB_STEP_SUMMARY
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4d0171369..0712dc663 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -103,6 +103,13 @@ repos:
         types: [text]
         pass_filenames: false
 
+      - id: binary-artifacts
+        name: binary artifacts
+        entry: ./scripts/ci/binary-artifacts.sh
+        args: ["--check", "--staged"]
+        language: system
+        pass_filenames: false
+
       - id: typos
         name: typos (spelling check)
         entry: typos
diff --git a/rust_out b/rust_out
deleted file mode 100755
index 421fd8e25..000000000
Binary files a/rust_out and /dev/null differ
diff --git a/scripts/ci/binary-artifacts.sh b/scripts/ci/binary-artifacts.sh
new file mode 100755
index 000000000..4d420eb9a
--- /dev/null
+++ b/scripts/ci/binary-artifacts.sh
@@ -0,0 +1,151 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -euo pipefail
+
+# binary-artifacts.sh -- Prevent compiled binaries from entering the repo.
+#
+# .gitignore catches common extensions (*.o, *.so, *.exe, *.out, etc.) but
+# extensionless binaries slip through (e.g. `rust_out` from `rustc --test`).
+#
+# This script uses file(1) to inspect actual file content and reject:
+#   - ELF executables, shared objects, and relocatables (Linux)
+#   - Mach-O executables and universal binaries (macOS)
+#   - PE32/PE32+ executables (Windows)
+#   - WebAssembly modules, compiled Java classes, .NET assemblies
+#
+# Runs in two contexts:
+#   pre-commit hook  -- checks staged files   (--check --staged)
+#   CI workflow      -- checks PR diff files  (--check --ci)
+#
+# Exit codes: 0 = clean, 1 = binary artifacts found or error.
+
+FILE_MODE="staged"
+FILES=()
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --check)
+      shift
+      ;;
+    --staged)
+      FILE_MODE="staged"
+      shift
+      ;;
+    --ci)
+      FILE_MODE="ci"
+      shift
+      ;;
+    --all)
+      FILE_MODE="all"
+      shift
+      ;;
+    --help|-h)
+      echo "Usage: $0 [--check] [--staged|--ci|--all] [files...]"
+      echo ""
+      echo "File selection:"
+      echo "  --staged  Check staged files (default, for git hooks)"
+      echo "  --ci      Check files changed in PR (for CI)"
+      echo "  --all     Check all tracked files"
+      echo "  [files]   Check specific files"
+      exit 0
+      ;;
+    -*)
+      echo "Unknown option: $1"
+      echo "Use --help for usage information"
+      exit 1
+      ;;
+    *)
+      FILES+=("$1")
+      shift
+      ;;
+  esac
+done
+
+get_files() {
+  case "$FILE_MODE" in
+    staged)
+      git diff --cached --name-only --diff-filter=ACM
+      ;;
+    ci)
+      if [ -n "${GITHUB_BASE_REF:-}" ]; then
+        git fetch --no-tags --depth=1 origin 
"${GITHUB_BASE_REF}:${GITHUB_BASE_REF}" 2>/dev/null || true
+        git diff --name-only --diff-filter=ACM "${GITHUB_BASE_REF}...HEAD"
+      elif [ -n "${CI:-}" ]; then
+        git diff --name-only --diff-filter=ACM HEAD~1
+      else
+        git diff --cached --name-only --diff-filter=ACM
+      fi
+      ;;
+    all)
+      git ls-files
+      ;;
+  esac
+}
+
+if [ ${#FILES[@]} -gt 0 ]; then
+  CHANGED_FILES=("${FILES[@]}")
+else
+  CHANGED_FILES=()
+  while IFS= read -r file; do
+    CHANGED_FILES+=("$file")
+  done < <(get_files)
+fi
+
+if [ ${#CHANGED_FILES[@]} -eq 0 ]; then
+  echo "No files to check"
+  exit 0
+fi
+
+echo "Checking ${#CHANGED_FILES[@]} file(s) for binary artifacts..."
+
+BINARY_PATTERN="ELF .* executable|ELF .* shared object|ELF .* 
relocatable|Mach-O .* executable|Mach-O universal binary|PE32\+ executable|PE32 
executable|WebAssembly .* module|compiled Java class|\.NET assembly"
+
+BINARY_FILES=()
+
+for file in "${CHANGED_FILES[@]}"; do
+  if [ ! -f "$file" ]; then
+    continue
+  fi
+
+  file_type=$(file -b "$file" 2>/dev/null) || continue
+
+  if echo "$file_type" | grep -qE "$BINARY_PATTERN"; then
+    BINARY_FILES+=("$file")
+  fi
+done
+
+if [ ${#BINARY_FILES[@]} -eq 0 ]; then
+  echo "No binary artifacts found"
+  exit 0
+fi
+
+echo "Found ${#BINARY_FILES[@]} binary artifact(s) that must not be committed:"
+echo ""
+
+for file in "${BINARY_FILES[@]}"; do
+  file_type=$(file -b "$file" 2>/dev/null)
+  echo "  $file"
+  echo "    Type: $file_type"
+  echo ""
+done
+
+echo "Binary artifacts (compiled executables, object files, shared libraries)"
+echo "must not be checked into the repository. Remove them and add appropriate"
+echo "patterns to .gitignore."
+exit 1
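Review bot: This check fails open, because `get_files` runs inside `< <(get_files)` where `set -e` and `pipefail` never see its exit status. A failing `git diff` in the `ci` arm (the `git fetch` before it discards its errors with `2>/dev/null || true`) leaves `CHANGED_FILES` empty, so the script prints "No files to check" and exits 0. The scan loop has the same problem: `file -b "$file" 2>/dev/null) || continue` skips every file when file(1) is missing or errors, and `[ ! -f "$file" ]` silently skips any path that git C-quotes in `--name-only` output (non-ASCII or special characters under the default `core.quotePath`). I would run `get_files` in the main shell, read NUL-delimited names (`-z` on each `git diff` and `git ls-files`), require file(1) up front, and call it as `file -b -- "$file"`. `--diff-filter=ACM` also omits `R`, so a new file that git pairs with a deleted one as a rename is never listed; `ACMR` or `--no-renames` would cover it.

```shell
# fail closed when the scanner itself is unavailable
command -v file >/dev/null 2>&1 || { echo "file(1) not found" >&2; exit 1; }

# … unchanged: option parsing; get_files (add -z to each git diff / git ls-files) …

  CHANGED_FILES=()
  file_list=$(mktemp)
  trap 'rm -f -- "$file_list"' EXIT
  # main shell, not <(...): a git failure now aborts the script under set -e
  get_files >"$file_list"
  while IFS= read -r -d '' file; do
    CHANGED_FILES+=("$file")
  done <"$file_list"

# … unchanged: empty-list check, BINARY_PATTERN, loop header and -f test …

  if ! file_type=$(file -b -- "$file"); then
    echo "file(1) failed on: $file" >&2
    exit 1
  fi
```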
