Validate first-party DotSlash artifacts continuously and after release

Summary:
Adds a workflow to ensure the following:

* Continuously: `main` contains valid DotSlash files that reference valid artifacts.
* When a release is published: the release contains valid DotSlash files that reference valid artifacts.

This gives us confidence that branch cuts start in a valid state and that releases go out in a valid state. This is particularly important since there is a span of time, between the release commit and the publishing of the GH release, when the job would fail (as the release assets are not hosted at their final URLs yet).

This is a fairly trivial script built on top of unit-tested utilities: `processDotSlashFileInPlace`, `getWithCurl`, `validateDotSlashArtifactData`.

Author: motiz88

.github/workflows/validate-dotslash-artifacts.yml

@@ -0,0 +1,32 @@
+name: Validate DotSlash Artifacts
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+  push:
+    branches:
+      - main
+
+jobs:
+  validate-dotslash-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Install dependencies
+        uses: ./.github/actions/yarn-install
+      - name: Configure Git
+        shell: bash
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "React Native Bot"
+      - name: Validate DotSlash artifacts
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const {validateDotSlashArtifacts} = require('./scripts/releases/validate-dotslash-artifacts.js');
+            await validateDotSlashArtifacts();

scripts/releases/validate-dotslash-artifacts.js

@@ -0,0 +1,98 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @flow strict-local
+ * @format
+ */
+
+'use strict';
+
+const {REPO_ROOT} = require('../shared/consts');
+const {getWithCurl} = require('./utils/curl-utils');
+const {
+  processDotSlashFileInPlace,
+  validateDotSlashArtifactData,
+} = require('./utils/dotslash-utils');
+const {
+  FIRST_PARTY_DOTSLASH_FILES,
+} = require('./write-dotslash-release-asset-urls');
+const path = require('path');
+const {parseArgs, styleText} = require('util');
+
+async function main() {
+  const {
+    positionals: [],
+    values: {help},
+  } = parseArgs({
+    allowPositionals: true,
+    options: {
+      help: {type: 'boolean'},
+    },
+  });
+
+  if (help) {
+    console.log(`
+  Usage: node ./scripts/releases/validate-dotslash-artifacts.js
+
+  Ensures that the first-party DotSlash files in the current commit all point to
+  valid URLs that return the described artifacts. This script is intended to run
+  in two key scenarios:
+
+  1. Continuously on main - this verifies the output of the Meta-internal CI pipeline
+     that publishes DotSlash files to the repo.
+  2. After a release is published - this verifies the behavior of the
+     write-dotslash-release-asset-urls.js and upload-release-assets-for-dotslash.js
+     scripts, as well as any commits (e.g. merges, picks) that touched the DotSlash
+     files in the release branch since the branch was cut.
+     Release asset URLs are only valid once the release is published, so we can't
+     run this continuously on commits in the release branch (specifically, it would
+     fail on the release commit itself).
+`);
+    return;
+  }
+
+  await validateDotSlashArtifacts();
+}
+
+async function validateDotSlashArtifacts() /*: Promise<void> */ {
+  for (const filename of FIRST_PARTY_DOTSLASH_FILES) {
+    const fullPath = path.join(REPO_ROOT, filename);
+    console.log(`Validating all HTTP providers for ${filename}...`);
+    await processDotSlashFileInPlace(
+      fullPath,
+      async (providers, suggestedFilename, artifactInfo) => {
+        for (const provider of providers) {
+          if (provider.type !== 'http' && provider.type != null) {
+            console.log(
+              styleText(
+                'dim',
+                `   <skipping provider of type: ${provider.type}>`,
+              ),
+            );
+            continue;
+          }
+          console.log(
+            styleText(
+              'dim',
+              `   ${provider.url} (expected ${artifactInfo.size} bytes, ${artifactInfo.hash} ${artifactInfo.digest})`,
+            ),
+          );
+          const {data} = await getWithCurl(provider.url);
+          await validateDotSlashArtifactData(data, artifactInfo);
+        }
+        return providers;
+      },
+    );
+  }
+}
+
+module.exports = {
+  validateDotSlashArtifacts,
+};
+
+if (require.main === module) {
+  void main();
+}