From 8e4e4098e64fc17994e1e43dfd9c9815ed74dfcb Mon Sep 17 00:00:00 2001
From: Jake Petroules <jake.petroules@apple.com>
Date: Fri, 2 Jan 2026 09:08:26 -0800
Subject: [PATCH] Add source integrity check to PR workflow

Runs update.sh on every PR and fails if the working tree is dirtied,
detecting PRs that attempt to submit modified SQLite source files.
---
 .github/workflows/pull_request.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 5d2175e..c0f03c3 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -26,6 +26,21 @@ jobs:
       enable_embedded_wasm_sdk_build: true
       enable_android_sdk_build: true
 
+  source-integrity:
+    name: Source integrity check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Run update.sh and check for modifications
+        run: |
+          bash update.sh
+          if [ -n "$(git diff --name-only)" ]; then
+            echo "::error::Source files do not match the upstream SQLite release. The following files differ:"
+            git diff
+            exit 1
+          fi
+
   soundness:
     name: Soundness
     uses: swiftlang/github-workflows/.github/workflows/soundness.yml@main