Add workflow to check for unsafeFlags in Swift packages

leogdion · leogdion · commit c4ca67734903 · 2025-12-08T18:38:17.000Z
diff --git a/.github/workflows/check-unsafe-flags.yml b/.github/workflows/check-unsafe-flags.yml
@@ -0,0 +1,75 @@
+name: Check for unsafeFlags
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  fast-scan:
+    name: Fast Python scanner (text-based)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run quick Python scanner (ignores comments)
+        run: |
+          set -euo pipefail
+          python3 - <<'PY'
+import sys,os,re
+found=False
+for root,_,files in os.walk('.'):
+  for f in files:
+    if f == 'Package.swift':
+      path=os.path.join(root,f)
+      try:
+        with open(path, 'r', encoding='utf-8') as fh:
+          in_block_comment=False
+          for i,line in enumerate(fh, start=1):
+            s=line.rstrip('\n')
+            if '/*' in s:
+              in_block_comment=True
+            if '*/' in s:
+              in_block_comment=False
+              continue
+            if in_block_comment:
+              continue
+            if re.match(r'^\s*//', s):
+              continue
+            if 'unsafeFlags' in s:
+              print(f"{path}:{i}: {s}")
+              found=True
+      except Exception as e:
+        print(f"Error reading {path}: {e}", file=sys.stderr)
+if found:
+  sys.exit(1)
+else:
+  print('No unsafeFlags found in tracked Package.swift files.')
+PY
+
+  dump-package-check:
+    name: Dump Swift package (authoritative) and scan JSON
+    runs-on: ubuntu-latest
+    container:
+      image: swift:5.10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Dump package JSON and check for unsafeFlags
+        run: |
+          set -euo pipefail
+          # Ensure we have a clean workspace
+          swift --version || true
+          swift package dump-package > package.json
+          if grep -q '"unsafeFlags"' package.json; then
+            echo "ERROR: unsafeFlags found in resolved package JSON:"
+            grep -n '"unsafeFlags"' package.json || true
+            echo "--- package.json ---"
+            sed -n '1,200p' package.json || true
+            exit 1
+          else
+            echo "No unsafeFlags in resolved package JSON."
+          fi
