From c871c9d0ac457f3876073ca55609a1baf7cac65f Mon Sep 17 00:00:00 2001
From: Mohit Gaur <56885276+Mohit-Gaur@users.noreply.github.com>
Date: Wed, 23 Jul 2025 16:24:39 +0000
Subject: [PATCH] fix: update check-workflows-use-hashes to use github error
 format

---
 scripts/check-workflows-use-hashes.sh | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/scripts/check-workflows-use-hashes.sh b/scripts/check-workflows-use-hashes.sh
index d508ce843..8ab12d661 100755
--- a/scripts/check-workflows-use-hashes.sh
+++ b/scripts/check-workflows-use-hashes.sh
@@ -12,21 +12,23 @@ set -euo pipefail
 failed=0
 
 # Find all workflow YAML files
+
+# Use GitHub Actions error format
+# ::error file={name},line={line},col={col}::{message}
+
 for file in $(find .github/workflows/ -type f \( -name "*.yml" -o -name "*.yaml" \)); do
     IFS=$'\n'
-    # Grep for `uses:` lines that look like actions
-    for line in $(grep -E '^.*uses:[^@]+@[^ ]+' "$file"); do
-        # Extract the ref part after the last @
+    # Get line numbers for each 'uses:'
+    while IFS= read -r match; do
+        line_num=$(echo "$match" | cut -d: -f1)
+        line=$(echo "$match" | cut -d: -f2-)
         ref=$(echo "$line" | sed -E 's/.*@([A-Za-z0-9._-]+).*/\1/')
-        # Check if ref is a 40-character hex string (full SHA).
-        #
-        # Note: strictly speaking, this could also be a tag or branch name, but
-        # we'd have to pull this info from the remote. Meh.
         if ! [[ $ref =~ ^[0-9a-fA-F]{40}$ ]]; then
-            echo "ERROR: $file uses non-SHA action ref: $line"
+            # Output in GitHub Actions annotation format
+            echo "::error file=$file,line=$line_num::uses non-SHA action ref: $line"
             failed=1
         fi
-    done
+    done < <(grep -n -E '^.*uses:[^@]+@[^ ]+' "$file")
 done
 
 exit $failed