From f8b9d7d282b6229532ebc4fb015de84d352def78 Mon Sep 17 00:00:00 2001
From: Aaron Weiker <a.weiker@sap.com>
Date: Thu, 14 May 2026 05:48:21 +0000
Subject: [PATCH] fix: portable checksum on darwin, anchor grep pattern

- sha256sum is not available on macOS; use shasum -a 256 on darwin.
  Select based on steps.version.outputs.os which is already computed.
  Fixes MAJOR finding from gpt-review-bot (PR #127 review).

- Anchor checksum grep with ^ to avoid matching on partial lines.
  Fixes MINOR finding from gpt-review-bot (PR #127 review).
---
 .gitea/actions/review/action.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.gitea/actions/review/action.yml b/.gitea/actions/review/action.yml
index 456d04d..8934e40 100644
--- a/.gitea/actions/review/action.yml
+++ b/.gitea/actions/review/action.yml
@@ -173,8 +173,13 @@ runs:
 
         # Verify SHA-256 checksum
         cd "${{ runner.temp }}"
-        EXPECTED=$(grep -E "[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')
-        ACTUAL=$(sha256sum review-bot | awk '{print $1}')
+        EXPECTED=$(grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')
+        # sha256sum (GNU) is not available on macOS; use shasum -a 256 on darwin.
+        if [ "${{ steps.version.outputs.os }}" = "darwin" ]; then
+          ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}')
+        else
+          ACTUAL=$(sha256sum review-bot | awk '{print $1}')
+        fi
 
         if [ -z "$EXPECTED" ]; then
           echo "Error: no checksum found for ${BINARY}" >&2