Check the hashes of our dependencies

Svetlitski · Xyene · commit acc643f9497f · 2025-12-12T14:54:15.000-05:00
Signed-off-by: Kevin Svetlitski &lt;ksvetlitski@janestreet.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -26,8 +26,10 @@ jobs:
       - name: Install musl-compatible kernel headers
         run: |
           mkdir musl-kernel
-          curl -L https://github.com/sabotage-linux/kernel-headers/archive/refs/tags/v4.19.88-1.tar.gz | \
-            tar -xz -C musl-kernel --strip-components=1
+          filename='v4.19.88-1.tar.gz'
+          wget "https://github.com/sabotage-linux/kernel-headers/archive/refs/tags/$filename"
+          shasum --check <(echo "44a07e9f18033cff7840dbb112fff2862c0fb8fc  $filename")
+          tar -xzf "$filename" -C musl-kernel --strip-components=1
           echo "C_INCLUDE_PATH=$(pwd)/musl-kernel/x86/include" >> "$GITHUB_ENV"
           echo "CC=musl-gcc" >> "$GITHUB_ENV"
 
@@ -40,13 +42,18 @@ jobs:
         run: |
           # The version that comes with focal is broken for musl binaries, so we have to download
           # from another location.
-          wget http://ftp.debian.org/debian/pool/main/u/upx-ucl/upx-ucl_3.96-2_amd64.deb
+          filename='upx-ucl_3.96-2_amd64.deb'
+          wget "http://ftp.debian.org/debian/pool/main/u/upx-ucl/$filename"
+          shasum --check <(echo "0b3c901a6ae8db264a0e58aad9bbed4ef3e925b9  $filename")
           sudo dpkg -i upx-ucl_3.96-2_amd64.deb
 
       - name: Build zlib with musl
         run: |
           mkdir musl-zlib
-          curl -L https://zlib.net/zlib-1.3.1.tar.gz | tar -xz -C musl-zlib --strip-components=1
+          filename='zlib-1.3.1.tar.gz'
+          wget "https://zlib.net/$filename"
+          shasum --check <(echo "f535367b1a11e2f9ac3bec723fb007fbc0d189e5  $filename")
+          tar -xzf "$filename" -C musl-zlib --strip-components=1
           cd musl-zlib
           CC=musl-gcc ./configure --libdir=/usr/lib/x86_64-linux-musl --includedir=/usr/include/x86_64-linux-musl
           make -j$(nproc)
@@ -55,15 +62,20 @@ jobs:
       - name: Build zstd with musl
         run: |
           mkdir musl-zstd
-          curl -L https://github.com/facebook/zstd/releases/download/v1.5.5/zstd-1.5.5.tar.gz | \
-            tar -xz -C musl-zstd --strip-components=1
+          filename='zstd-1.5.5.tar.gz'
+          wget "https://github.com/facebook/zstd/releases/download/v1.5.5/$filename"
+          shasum --check <(echo "4479ecc74300d23391d99fbebf2fddd47aed9b28  $filename")
+          tar -xzf "$filename" -C musl-zstd --strip-components=1
           cd musl-zstd
           CC=musl-gcc make -j$(nproc)
           sudo make INCLUDEDIR=/usr/include/x86_64-linux-musl LIBDIR=/usr/lib/x86_64-linux-musl install
 
       - name: Use OCaml ${{ matrix.ocaml-version }}
         run: |
-          sudo wget -O /usr/local/bin/opam https://github.com/ocaml/opam/releases/download/2.5.0/opam-2.5.0-x86_64-linux
+          filename='opam-2.5.0-x86_64-linux'
+          wget "https://github.com/ocaml/opam/releases/download/2.5.0/$filename"
+          shasum --check <(echo "67fb680a785f0bc7ceb57155f21786c0680ef5fe  $filename")
+          sudo mv "$filename" /usr/local/bin/opam
           sudo chmod a+x /usr/local/bin/opam
 
           export OPAMYES=1
@@ -91,7 +103,7 @@ jobs:
           git -C ../core_unix apply $PWD/vendor/core-unix-musl-compatibility.patch
           opam pin core_unix ../core_unix
 
-      - run: opam install ./magic-trace.opam --deps-only
+      - run: opam install ./magic-trace.opam --deps-only --locked
 
       - run: opam install ocamlformat
       - run: opam exec -- dune build @fmt
diff --git a/magic-trace.opam.locked b/magic-trace.opam.locked
@@ -0,0 +1,177 @@
+opam-version: "2.0"
+name: "magic-trace"
+version: "1.0.1"
+synopsis:
+  "Collects and displays high-resolution traces of what a process is doing"
+description: "https://github.com/janestreet/magic-trace"
+maintainer: "Jane Street developers"
+authors: "Jane Street Group, LLC"
+license: "MIT"
+homepage: "https://magic-trace.org"
+doc: "https://github.com/janestreet/magic-trace/wiki"
+bug-reports: "https://github.com/janestreet/magic-trace/issues"
+depends: [
+  "angstrom" {= "0.16.1"}
+  "astring" {= "0.8.5"}
+  "async" {= "v0.18~preview.130.76+222"}
+  "async_kernel" {= "v0.18~preview.130.76+222"}
+  "async_log" {= "v0.18~preview.130.76+222"}
+  "async_rpc_kernel" {= "v0.18~preview.130.76+222"}
+  "async_unix" {= "v0.18~preview.130.76+222"}
+  "base" {= "v0.18~preview.130.76+222"}
+  "base-bigarray" {= "base"}
+  "base-bytes" {= "base"}
+  "base-domains" {= "base"}
+  "base-nnp" {= "base"}
+  "base-threads" {= "base"}
+  "base-unix" {= "base"}
+  "base64" {= "3.5.2"}
+  "base_bigstring" {= "v0.18~preview.130.76+222"}
+  "base_quickcheck" {= "v0.18~preview.130.76+222"}
+  "basement" {= "v0.18~preview.130.76+222"}
+  "bigarray-compat" {= "1.1.0"}
+  "bigstringaf" {= "0.10.0"}
+  "bin_prot" {= "v0.18~preview.130.76+222"}
+  "camlp-streams" {= "5.0.1"}
+  "camlzip" {= "1.13"}
+  "capitalization" {= "v0.18~preview.130.76+222"}
+  "capsule" {= "v0.18~preview.130.76+222"}
+  "capsule0" {= "v0.18~preview.130.76+222"}
+  "cmdliner" {= "1.3.0"}
+  "cohttp" {= "5.3.1"}
+  "cohttp-async" {= "5.3.0"}
+  "cohttp_static_handler" {= "v0.18~preview.130.76+222"}
+  "conduit" {= "8.0.0"}
+  "conduit-async" {= "8.0.0"}
+  "conf-autoconf" {= "0.2"}
+  "conf-pkg-config" {= "4"}
+  "conf-which" {= "1"}
+  "conf-zlib" {= "1"}
+  "conf-zstd" {= "1.3.8"}
+  "core" {= "v0.18~preview.130.76+222"}
+  "core_extended" {= "v0.18~preview.130.76+222"}
+  "core_kernel" {= "v0.18~preview.130.76+222"}
+  "core_unix" {= "v0.18~preview.130.76+222"}
+  "cppo" {= "1.8.0"}
+  "crunch" {= "4.0.0"}
+  "csexp" {= "1.5.2"}
+  "cstruct" {= "6.2.0"}
+  "ctypes" {= "0.23.0+ox"}
+  "domain-name" {= "0.5.0"}
+  "dune" {= "3.20.2+ox"}
+  "dune-configurator" {= "3.20.2"}
+  "expect_test_helpers_async" {= "v0.18~preview.130.76+222"}
+  "expect_test_helpers_core" {= "v0.18~preview.130.76+222"}
+  "fieldslib" {= "v0.18~preview.130.76+222"}
+  "flexible_sexp" {= "v0.18~preview.130.76+222"}
+  "fmt" {= "0.10.0"}
+  "int_repr" {= "v0.18~preview.130.76+222"}
+  "integers" {= "0.7.0"}
+  "ipaddr" {= "5.6.1"}
+  "ipaddr-sexp" {= "5.6.1"}
+  "jane-street-headers" {= "v0.18~preview.130.76+222"}
+  "jsonm" {= "1.0.2"}
+  "jst-config" {= "v0.18~preview.130.76+222"}
+  "logs" {= "0.9.0"}
+  "lwt" {= "5.9.2+ox"}
+  "macaddr" {= "5.6.1"}
+  "magic-mime" {= "1.3.1"}
+  "num" {= "1.6"}
+  "ocaml" {= "5.2.0"}
+  "ocaml-compiler-libs" {= "v0.17.0+ox"}
+  "ocaml-config" {= "3"}
+  "ocaml-options-vanilla" {= "1"}
+  "ocaml-syntax-shims" {= "1.0.0"}
+  "ocaml-variants" {= "5.2.0+ox"}
+  "ocaml_intrinsics" {= "v0.18~preview.130.76+222"}
+  "ocaml_intrinsics_kernel" {= "v0.18~preview.130.76+222"}
+  "ocamlbuild" {= "0.15.0+ox"}
+  "ocamlfind" {= "1.9.8"}
+  "ocplib-endian" {= "1.2"}
+  "odoc-parser" {= "3.1.0+ox"}
+  "owee" {= "0.8"}
+  "parsexp" {= "v0.18~preview.130.76+222"}
+  "pipe_with_writer_error" {= "v0.18~preview.130.76+222"}
+  "portable" {= "v0.18~preview.130.76+222"}
+  "ppx_array_base" {= "v0.18~preview.130.76+222"}
+  "ppx_assert" {= "v0.18~preview.130.76+222"}
+  "ppx_base" {= "v0.18~preview.130.76+222"}
+  "ppx_bench" {= "v0.18~preview.130.76+222"}
+  "ppx_bin_prot" {= "v0.18~preview.130.76+222"}
+  "ppx_cold" {= "v0.18~preview.130.76+222"}
+  "ppx_compare" {= "v0.18~preview.130.76+222"}
+  "ppx_custom_printf" {= "v0.18~preview.130.76+222"}
+  "ppx_debug_assert" {= "v0.18~preview.130.76+222"}
+  "ppx_derivers" {= "1.2.1"}
+  "ppx_diff" {= "v0.18~preview.130.76+222"}
+  "ppx_disable_unused_warnings" {= "v0.18~preview.130.76+222"}
+  "ppx_enumerate" {= "v0.18~preview.130.76+222"}
+  "ppx_expect" {= "v0.18~preview.130.76+222"}
+  "ppx_fields_conv" {= "v0.18~preview.130.76+222"}
+  "ppx_fixed_literal" {= "v0.18~preview.130.76+222"}
+  "ppx_fuelproof" {= "v0.18~preview.130.76+222"}
+  "ppx_globalize" {= "v0.18~preview.130.76+222"}
+  "ppx_hash" {= "v0.18~preview.130.76+222"}
+  "ppx_helpers" {= "v0.18~preview.130.76+222"}
+  "ppx_here" {= "v0.18~preview.130.76+222"}
+  "ppx_ignore_instrumentation" {= "v0.18~preview.130.76+222"}
+  "ppx_inline_test" {= "v0.18~preview.130.76+222"}
+  "ppx_int63_literal" {= "v0.18~preview.130.76+222"}
+  "ppx_jane" {= "v0.18~preview.130.76+222"}
+  "ppx_js_style" {= "v0.18~preview.130.76+222"}
+  "ppx_let" {= "v0.18~preview.130.76+222"}
+  "ppx_log" {= "v0.18~preview.130.76+222"}
+  "ppx_module_timer" {= "v0.18~preview.130.76+222"}
+  "ppx_optcomp" {= "v0.18~preview.130.76+222"}
+  "ppx_optional" {= "v0.18~preview.130.76+222"}
+  "ppx_pipebang" {= "v0.18~preview.130.76+222"}
+  "ppx_portable" {= "v0.18~preview.130.76+222"}
+  "ppx_sexp_conv" {= "v0.18~preview.130.76+222"}
+  "ppx_sexp_message" {= "v0.18~preview.130.76+222"}
+  "ppx_sexp_value" {= "v0.18~preview.130.76+222"}
+  "ppx_shorthand" {= "v0.18~preview.130.76+222"}
+  "ppx_stable" {= "v0.18~preview.130.76+222"}
+  "ppx_stable_witness" {= "v0.18~preview.130.76+222"}
+  "ppx_string" {= "v0.18~preview.130.76+222"}
+  "ppx_string_conv" {= "v0.18~preview.130.76+222"}
+  "ppx_template" {= "v0.18~preview.130.76+222"}
+  "ppx_tydi" {= "v0.18~preview.130.76+222"}
+  "ppx_typed_fields" {= "v0.18~preview.130.76+222"}
+  "ppx_typerep_conv" {= "v0.18~preview.130.76+222"}
+  "ppx_var_name" {= "v0.18~preview.130.76+222"}
+  "ppx_variants_conv" {= "v0.18~preview.130.76+222"}
+  "ppxlib" {= "0.33.0+ox"}
+  "ppxlib_ast" {= "0.33.0+ox"}
+  "ppxlib_jane" {= "v0.18~preview.130.76+222"}
+  "protocol_version_header" {= "v0.18~preview.130.76+222"}
+  "ptime" {= "1.2.0"}
+  "re" {= "1.14.0+ox"}
+  "record_builder" {= "v0.18~preview.130.76+222"}
+  "result" {= "1.5"}
+  "seq" {= "base"}
+  "sexp_pretty" {= "v0.18~preview.130.76+222"}
+  "sexp_type" {= "v0.18~preview.130.76+222"}
+  "sexplib" {= "v0.18~preview.130.76+222"}
+  "sexplib0" {= "v0.18~preview.130.76+222"}
+  "shell" {= "v0.18~preview.130.76+222"}
+  "spawn" {= "v0.15.1+ox"}
+  "splittable_random" {= "v0.18~preview.130.76+222"}
+  "stdio" {= "v0.18~preview.130.76+222"}
+  "stdlib-shims" {= "0.3.0"}
+  "string_dict" {= "v0.18~preview.130.76+222"}
+  "stringext" {= "1.6.0"}
+  "textutils" {= "v0.18~preview.130.76+222"}
+  "time_now" {= "v0.18~preview.130.76+222"}
+  "topkg" {= "1.0.8+ox"}
+  "typerep" {= "v0.18~preview.130.76+222"}
+  "unique" {= "v0.18~preview.130.76+222"}
+  "univ_map" {= "v0.18~preview.130.76+222"}
+  "uopt" {= "v0.18~preview.130.76+222"}
+  "uri" {= "4.4.0"}
+  "uri-sexp" {= "4.4.0"}
+  "uutf" {= "1.0.3+ox"}
+  "variantslib" {= "v0.18~preview.130.76+222"}
+  "zstandard" {= "v0.18~preview.130.76+222"}
+]
+build: ["dune" "build" "-p" name "-j" jobs]
+dev-repo: "git+https://github.com/janestreet/magic-trace.git"
