JSON linting for PRs #74
I agree,
Unfortunately that's not feasible, as the whole reason we have the checksum is because the download link has no guarantee of always serving the same file. While we could have automatic checksum validation as a sanity check, it wouldn't actually function as a security check, and I worry it would imply to auditors that they don't have to verify the checksum themselves.
maybe we could explicitly have the bot state that "the checksum did not pass the sanity check"
Yeah IMO we shouldn't make the gh actions ever state that it passed, only say if it didn't. And of course keep auditors informed that they still need to verify it locally too, and that the bot check is just a sanity check pass. Alternatively we could go GH actions all the way and make the actions download & decompile the file that passed the sanity check, though I doubt that that could be done reasonably with permissions and not opening a decompilation as a service loophole.
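The failure-only reporting discussed above, as an added example that is not part of this issue or the project's own workflow code: the script computes SHA-256 over what the download URL currently serves and produces a PR comment only when a checksum does not match or the download fails; a match produces no output at all, so the bot never claims anything "passed". The entry layout (`name`, `download`, `sha256` fields), the `example.invalid` URLs and the in-memory stand-in for the network fetch are all constructed assumptions.

```python
import hashlib
from typing import Callable, List, Optional

# Constructed sample entries in a hypothetical list layout (assumption: the
# project's real schema may differ).
PAYLOAD_OK = b"example mod archive bytes"
ENTRIES = [
    {"name": "good-mod", "download": "https://example.invalid/good.zip",
     "sha256": hashlib.sha256(PAYLOAD_OK).hexdigest()},
    {"name": "stale-mod", "download": "https://example.invalid/stale.zip",
     "sha256": "0" * 64},   # constructed: does not match what the URL serves today
    {"name": "gone-mod", "download": "https://example.invalid/gone.zip",
     "sha256": "1" * 64},   # constructed: the URL serves nothing at all
]

# Stand-in for the real download; in CI this would be an HTTP GET.
FAKE_SERVER = {
    "https://example.invalid/good.zip": PAYLOAD_OK,
    "https://example.invalid/stale.zip": b"different bytes today",
}


def fake_fetch(url: str) -> Optional[bytes]:
    """Return the bytes the URL serves right now, or None if the download fails."""
    return FAKE_SERVER.get(url)


def checksum_sanity_report(entries, fetch: Callable[[str], Optional[bytes]]) -> List[str]:
    """Return review comments for entries whose checksum did NOT match.

    An empty list means "nothing to say", never "verified": the link may serve
    different bytes tomorrow, so a match is not a security result and is not
    reported.
    """
    problems = []
    for entry in entries:
        data = fetch(entry["download"])
        if data is None:
            # A failed download is also not a pass; say so rather than stay silent.
            problems.append(f'{entry["name"]}: could not download {entry["download"]} '
                            f'to run the sanity check')
            continue
        actual = hashlib.sha256(data).hexdigest()
        if actual != entry["sha256"].lower():
            problems.append(f'{entry["name"]}: the checksum did not pass the sanity check '
                            f'(PR says {entry["sha256"][:12]}..., download hashed to {actual[:12]}...)')
    return problems


def format_comment(problems: List[str]) -> Optional[str]:
    """Build the PR comment, or None so the bot posts nothing when nothing failed."""
    if not problems:
        return None
    lines = ["Automated checksum sanity check:"] + [f"- {p}" for p in problems]
    lines.append("This is only a sanity check; auditors still need to download "
                 "and verify the checksum locally.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_comment(checksum_sanity_report(ENTRIES, fake_fetch)))
```

Injecting the fetch function keeps the check testable offline and makes the "download failed" path explicit: the bot treats an unreachable link as something to mention, not as a silent pass.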
the bot could also automatically resolve merge conflicts caused by multiple PRs appending mods to the end of the list
There's been quite a few PRs that had broken JSON or wrong indentation. Setting up GH actions to check for basic things like that and automatically request changes if there are issues should be done.
Also as a more complex possibility, since so many people use GitHub links, we could do a regex check on the download/release URLs and if they match GitHub URLs but aren't pinned to a specific tag could leave a comment straight away about it on the PR.
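Both checks proposed here, as an added example that is neither this project's workflow nor code from the issue: a parse step that reports syntax errors, a canonical-reindent comparison that catches wrong indentation, and a regex pass over the download URLs that flags GitHub links pointing at a floating target (`releases/latest`, a branch archive, or a raw file on `main`/`master`). The list layout (`name` and `download` fields) and the sample entries are constructed; the two-space canonical indentation is an assumption. The regex is a heuristic: a `releases/download/<tag>/` link is treated as pinned, while a `raw.githubusercontent.com/.../<ref>/` link to a tag name cannot be told apart from a branch name by its shape, so only the well-known branch heads are flagged.

```python
import json
import re
from typing import List

# Constructed sample PR contents (hypothetical list layout, not the project's schema).
GOOD_JSON = '''[
  {
    "name": "pinned-mod",
    "download": "https://github.com/someone/pinned-mod/releases/download/v1.2.0/pinned-mod.zip"
  },
  {
    "name": "floating-mod",
    "download": "https://github.com/someone/floating-mod/releases/latest/download/floating-mod.zip"
  }
]
'''
BROKEN_JSON = '[{"name": "oops",]'   # constructed: trailing comma, does not parse
BADLY_INDENTED = ('[{"name": "pinned-mod",\n'
                  '      "download": "https://github.com/a/b/releases/download/v1/b.zip"}]')

# GitHub URL shapes that are NOT pinned to a specific release tag (heuristic).
UNPINNED_PATTERNS = [
    re.compile(r"https://github\.com/[^/]+/[^/]+/releases/latest/"),
    re.compile(r"https://github\.com/[^/]+/[^/]+/archive/refs/heads/"),
    re.compile(r"https://github\.com/[^/]+/[^/]+/raw/(main|master)/"),
    re.compile(r"https://raw\.githubusercontent\.com/[^/]+/[^/]+/(main|master)/"),
]
GITHUB_HOSTS = re.compile(r"https://(github\.com|raw\.githubusercontent\.com)/")


def lint_json(text: str, indent: int = 2) -> List[str]:
    """Return review comments for syntax errors or non-canonical indentation."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"JSON does not parse: {exc.msg} at line {exc.lineno}, column {exc.colno}"]
    # Re-serialise with the house indentation and compare byte-for-byte.
    canonical = json.dumps(data, indent=indent, ensure_ascii=False) + "\n"
    if text != canonical:
        return [f"indentation/formatting differs from the canonical {indent}-space "
                f"layout; please reformat"]
    return []


def unpinned_github_urls(text: str) -> List[str]:
    """List download URLs that point at GitHub but float (latest release, branch head)."""
    flagged = []
    for entry in json.loads(text):
        url = entry.get("download", "")
        if GITHUB_HOSTS.match(url) and any(p.match(url) for p in UNPINNED_PATTERNS):
            flagged.append(f'{entry.get("name", "?")}: {url} is not pinned to a specific tag')
    return flagged


def review_pr(text: str) -> List[str]:
    """Comments the bot would leave on the PR; an empty list means no comment."""
    problems = lint_json(text)
    if problems and problems[0].startswith("JSON does not parse"):
        return problems   # the URL check needs parsed data, so stop here
    return problems + unpinned_github_urls(text)


if __name__ == "__main__":
    for sample in (GOOD_JSON, BROKEN_JSON, BADLY_INDENTED):
        print(review_pr(sample) or "no comment")
```

Comparing against a canonical re-serialisation is stricter than checking indentation alone (it also normalises spacing and key order as the parser saw them), which is why the comment asks the author to reformat rather than naming a line.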