From 6e4cfa1cfef3c38c318da51fac7102fdde6d24f6 Mon Sep 17 00:00:00 2001
From: Marc Durdin
Date: Tue, 16 Jun 2026 15:17:54 +0200
Subject: [PATCH] chore: verify bootstrap version format before merge
Relates-to: keymanapp/keyman.com#794
Test-bot: skip
---
 .github/workflows/ci.yml | 13 +++++++++++++
 build.sh | 3 ++-
 resources/.bootstrap-required-version | 1 +
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 resources/.bootstrap-required-version
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 995279d..d54248f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -83,3 +83,16 @@ jobs:
 source ./_common/tests.inc.sh
 set -e
 do_test_print_container_error_logs "$CONTAINER_DESC"
+
+ - name: Verify .bootstrap-required-version
+ if: ${{ !cancelled() }}
+ shell: bash
+ run: |
+ # We want to avoid merging a bootstrap version that is not based on a published tag
+ # in the shared-sites repo. We will do this with a heuristic based on the normal
+ # shape of the tags, which is `v#.#.#`. Any other shape we will assume is a test
+ # branch.
+ cat resources/.bootstrap-required-version | grep -qP '^v\d+\.\d+\.\d+$' || (
+ echo "::error file=resources/.bootstrap-required-version,line=1,col=1::This branch cannot be merged, because resources/.bootstrap-required-version references \`$(cat resources/.bootstrap-required-version)\`, which does not appear to be a published tag -- is it a test branch?"
+ exit 1
+ )
diff --git a/build.sh b/build.sh
index 6e9cadc..3a38456 100755
--- a/build.sh
+++ b/build.sh
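Review bot: In the `Verify .bootstrap-required-version` step of ci.yml, `grep -qP` tests each line of the file on its own, so the check passes as soon as any one line looks like `v#.#.#`, while build.sh takes the whole file content as the version. Reading the file once and matching the entire value closes that gap: `version="$(<resources/.bootstrap-required-version)"` followed by `[[ "$version" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { …; exit 1; }`. The failure branch also echoes the raw file content inside an `::error` workflow command; on a pull request that content is contributor-controlled, so a multi-line value could place extra `::`-prefixed lines in the job log, and printing a fixed message (or the value with newlines stripped) would be safer.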
@@ -2,7 +2,8 @@
 ## START STANDARD SITE BUILD SCRIPT INCLUDE
 readonly THIS_SCRIPT="$(readlink -f "${BASH_SOURCE[0]}")"
 readonly BOOTSTRAP="$(dirname "$THIS_SCRIPT")/resources/bootstrap.inc.sh"
-readonly BOOTSTRAP_VERSION=feat/linkinator-and-central-test-script
+BOOTSTRAP_VERSION="$(cat "$(dirname "THIS_SCRIPT")/resources/.bootstrap-required-version")" || exit 1
+readonly BOOTSTRAP_VERSION
 if ! [ -f "$BOOTSTRAP" ] || ! source "$BOOTSTRAP"; then
 curl -H "Cache-Control: no-cache" --fail --silent --show-error -w "curl: Finished attempt to download %{url}" "https://raw.githubusercontent.com/keymanapp/shared-sites/$BOOTSTRAP_VERSION/bootstrap.inc.sh" -o "$BOOTSTRAP.tmp" || exit 1
 source "$BOOTSTRAP.tmp"
diff --git a/resources/.bootstrap-required-version b/resources/.bootstrap-required-version
new file mode 100644
index 0000000..eca15ab
--- /dev/null
+++ b/resources/.bootstrap-required-version
@@ -0,0 +1 @@
+v1.0.14
\ No newline at end of file
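Review bot: In build.sh, the new `BOOTSTRAP_VERSION` line calls `dirname "THIS_SCRIPT"` with the `$` missing, so `dirname` returns `.` and the version file is looked up relative to the current working directory rather than the script's directory; a build started from another directory would either stop at `|| exit 1` or read a different file. The line should read `BOOTSTRAP_VERSION="$(cat "$(dirname "$THIS_SCRIPT")/resources/.bootstrap-required-version")" || exit 1`. Because the value is placed into the raw.githubusercontent.com URL whose response is then sourced, and the `v#.#.#` check exists only in CI, it would also be worth rejecting any value that does not match that shape here before the `curl` runs. The `if` block this hunk touches continues past the last context line.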