refactor(security): extracts CSP hash verification into shared script

wgordon17 · wgordon17 · commit 9222965e57f4 · 2026-04-02T13:12:12.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,15 +15,7 @@ jobs:
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - name: Verify CSP inline script hash
-        run: |
-          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
-          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
-          if ! grep -q "sha256-$HASH" public/_headers; then
-            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
-            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
-            exit 1
-          fi
-          echo "CSP hash verified: sha256-$HASH"
+        run: bash scripts/verify-csp-hash.sh
       - run: pnpm run typecheck
       - run: pnpm test
       - name: Install Playwright browsers
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -19,15 +19,7 @@ jobs:
       - run: pnpm run typecheck
       - run: pnpm test
       - name: Verify CSP inline script hash
-        run: |
-          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
-          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
-          if ! grep -q "sha256-$HASH" public/_headers; then
-            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
-            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
-            exit 1
-          fi
-          echo "CSP hash verified: sha256-$HASH"
+        run: bash scripts/verify-csp-hash.sh
       - name: WAF smoke tests
         run: pnpm test:waf
       - run: pnpm run build
diff --git a/prek.toml b/prek.toml
@@ -44,7 +44,7 @@ priority = 0
 id = "csp-hash"
 name = "CSP hash verification"
 language = "system"
-entry = "bash -c 'SCRIPT=$(sed -n \"s/.*<script>\\(.*\\)<\\/script>.*/\\1/p\" index.html) && HASH=$(printf \"%s\" \"$SCRIPT\" | openssl dgst -sha256 -binary | base64) && grep -q \"sha256-$HASH\" public/_headers && echo \"CSP hash OK: sha256-$HASH\" || { echo \"CSP hash mismatch! sha256-$HASH not in public/_headers\"; exit 1; }'"
+entry = "bash scripts/verify-csp-hash.sh"
 pass_filenames = false
 always_run = true
 priority = 0
diff --git a/scripts/verify-csp-hash.sh b/scripts/verify-csp-hash.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT=$(sed -n 's/.*<script>\([^<]*\)<\/script>.*/\1/p' index.html)
+if [[ -z "$SCRIPT" ]]; then
+  echo "No inline <script>...</script> found in index.html"
+  [[ -n "${GITHUB_ACTIONS:-}" ]] && echo "::error::No inline <script>...</script> found in index.html"
+  exit 1
+fi
+HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
+
+if ! grep -qF "sha256-$HASH" public/_headers; then
+  echo "CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+  echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
+  [[ -n "${GITHUB_ACTIONS:-}" ]] && echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+  exit 1
+fi
+
+echo "CSP hash verified: sha256-$HASH"
