From e682446a8a17c7dda82cd2a7e8ab4cb1b29b023d Mon Sep 17 00:00:00 2001
From: Sam Gammon <sam@elide.ventures>
Date: Tue, 19 Mar 2024 03:11:14 -0700
Subject: [PATCH] chore: better repository checks

- chore: use `sgammon/verify-hashes`
- chore: nits for job names

Signed-off-by: Sam Gammon <sam@elide.ventures>
---
 .github/workflows/check.gradle-wrapper.yml |  2 +-
 .github/workflows/check.hashes.yml         | 24 ++++++++++++++++++++++
 .github/workflows/on.pr.yml                |  4 ++++
 .github/workflows/on.push.yml              |  4 ++++
 .github/workflows/on.queue.yml             |  4 ++++
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/check.hashes.yml

diff --git a/.github/workflows/check.gradle-wrapper.yml b/.github/workflows/check.gradle-wrapper.yml
index ae5283c8..718b7db6 100644
--- a/.github/workflows/check.gradle-wrapper.yml
+++ b/.github/workflows/check.gradle-wrapper.yml
@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   validation:
-    name: "Gradle Wrapper"
+    name: "Check: Gradle Wrappers"
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
diff --git a/.github/workflows/check.hashes.yml b/.github/workflows/check.hashes.yml
new file mode 100644
index 00000000..36fdd810
--- /dev/null
+++ b/.github/workflows/check.hashes.yml
@@ -0,0 +1,24 @@
+name: "Checks: Hashes"
+
+"on":
+  workflow_call: {}
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    name: "Check: Hashes"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+      - name: "Check: Hashes"
+        uses: sgammon/verify-hashes@cac7d57e01915a3fc9bda26373fb85d3f71dea68 # v1.0.0-rc1
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
index 7cc3c57b..0a4bde0c 100644
--- a/.github/workflows/on.pr.yml
+++ b/.github/workflows/on.pr.yml
@@ -28,3 +28,7 @@ jobs:
     name: "Checks"
     needs: [build-dependency-graph]
     uses: ./.github/workflows/check.dependency-review.yml
+
+  checks-hashes:
+    name: "Checks"
+    uses: ./.github/workflows/check.hashes.yml
diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml
index f1123de4..0b622728 100644
--- a/.github/workflows/on.push.yml
+++ b/.github/workflows/on.push.yml
@@ -28,3 +28,7 @@ jobs:
       contents: read
       pages: write
       id-token: write
+
+  checks-hashes:
+    name: "Checks"
+    uses: ./.github/workflows/check.hashes.yml
diff --git a/.github/workflows/on.queue.yml b/.github/workflows/on.queue.yml
index cf25a8e9..96d0ede4 100644
--- a/.github/workflows/on.queue.yml
+++ b/.github/workflows/on.queue.yml
@@ -16,3 +16,7 @@ jobs:
   checks-gradle:
     name: "Checks"
     uses: ./.github/workflows/check.gradle-wrapper.yml
+
+  checks-hashes:
+    name: "Checks"
+    uses: ./.github/workflows/check.hashes.yml