From 6b75387a2d90d31891d0d75fd2eaa2e3c120a006 Mon Sep 17 00:00:00 2001
From: Samuel Moelius <samuel.moelius@trailofbits.com>
Date: Mon, 6 May 2024 16:29:45 +0000
Subject: [PATCH 1/2] Expand CI checks

---
 Cargo.lock  | 33 +++++++++++++++++++++++++++++++++
 Cargo.toml  |  1 +
 tests/ci.rs | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index 58ebc4c..af55a75 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2,6 +2,15 @@
 # It is not intended for manual editing.
 version = 3
 
+[[package]]
+name = "aho-corasick"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "anstyle"
 version = "1.0.7"
@@ -56,6 +65,7 @@ dependencies = [
  "ctor",
  "home",
  "once_cell",
+ "regex",
  "tempfile",
  "toml",
 ]
@@ -242,11 +252,34 @@ dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "regex"
+version = "1.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c117dbdfde9c8308975b6a18d71f3f385c89461f7b3fb054288ecf2a2058ba4c"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
 [[package]]
 name = "regex-automata"
 version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "86b83b8b9847f9bf95ef68afb0b8e6cdb80f498442f5179a29fad448fcc1eaea"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adad44e29e4c806119491a7f06f03de4d1af22c3a680dd47f1e6e179439d1f56"
 
 [[package]]
 name = "rustix"
diff --git a/Cargo.toml b/Cargo.toml
index 2dc5470..38a1cee 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,6 +19,7 @@ toml = "0.8"
 assert_cmd = "2.0"
 cargo_metadata = "0.18"
 ctor = "0.2"
+regex = "1.10"
 
 [lints.clippy]
 pedantic = { level = "warn", priority = -1 }
diff --git a/tests/ci.rs b/tests/ci.rs
index 6c8c7c9..2751bf8 100644
--- a/tests/ci.rs
+++ b/tests/ci.rs
@@ -1,4 +1,6 @@
 use assert_cmd::Command;
+use regex::Regex;
+use std::{fs::read_to_string, path::Path};
 
 pub mod util;
 
@@ -25,3 +27,52 @@ fn dylint() {
         .assert()
         .success();
 }
+
+#[test]
+fn markdown_link_check() {
+    let tempdir = util::tempdir().unwrap();
+
+    // smoelius: Pin `markdown-link-check` to version 3.11 until the following issue is resolved:
+    // https://github.com/tcort/markdown-link-check/issues/304
+    Command::new("npm")
+        .args(["install", "markdown-link-check@3.11"])
+        .current_dir(&tempdir)
+        .assert()
+        .success();
+
+    let readme_md = Path::new(env!("CARGO_MANIFEST_DIR")).join("README.md");
+
+    Command::new("npx")
+        .args(["markdown-link-check", &readme_md.to_string_lossy()])
+        .current_dir(&tempdir)
+        .assert()
+        .success();
+}
+
+#[test]
+fn readme_reference_links_are_sorted() {
+    let re = Regex::new(r"^\[[^\]]*\]:").unwrap();
+    let readme = read_to_string("README.md").unwrap();
+    let links = readme
+        .lines()
+        .filter(|line| re.is_match(line))
+        .collect::<Vec<_>>();
+    let mut links_sorted = links.clone();
+    links_sorted.sort_unstable();
+    assert_eq!(links_sorted, links);
+}
+
+#[test]
+fn readme_reference_links_are_used() {
+    let re = Regex::new(r"(?m)^(\[[^\]]*\]):").unwrap();
+    let readme = read_to_string("README.md").unwrap();
+    for captures in re.captures_iter(&readme) {
+        assert_eq!(2, captures.len());
+        let m = captures.get(1).unwrap();
+        assert!(
+            readme[..m.start()].contains(m.as_str()),
+            "{} is unused",
+            m.as_str()
+        );
+    }
+}

From 7704f0d3321b8d110b8c937ab6cf21be1e22af0a Mon Sep 17 00:00:00 2001
From: Samuel Moelius <samuel.moelius@trailofbits.com>
Date: Mon, 6 May 2024 16:30:01 +0000
Subject: [PATCH 2/2] Fix README.md links

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 89c77f1..3ed7548 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 A linker replacement to help protect against malicious build scripts
 
-`build-wrap` "re-links" a build script so that it is executed under another command. By default, the command is [Bubblewrap] (Linux) or [`sandbox-exec`] (macOS), though this is configurable. See [Environment variables] and [How it works] for more information.
+`build-wrap` "re-links" a build script so that it is executed under another command. By default, the command is [Bubblewrap] (Linux) or [`sandbox-exec`] (macOS), though this is configurable. See [Environment variables that `build-wrap` reads] and [How `build-wrap` works] for more information.
 
 ## Installation
 
@@ -95,9 +95,9 @@ Given a build script `B`, its "wrapped" version `B'` contains a copy of `B` and
 - Aside from configuration and dealing with an occasional warning, `build-wrap` should not require a user to adjust their normal workflow.
 
 [Bubblewrap]: https://github.com/containers/bubblewrap
-[Environment variables]: #environment-variables
-[How it works]: #how-it-works
+[Environment variables that `build-wrap` reads]: #environment-variables-that-build-wrap-reads
 [How `BUILD_WRAP_CMD` is expanded]: #how-build_wrap_cmd-is-expanded
+[How `build-wrap` works]: #how-build-wrap-works
 [`BUILD_WRAP_CMD` is expanded]: #how-build_wrap_cmd-is-expanded
 [`cc-rs`]: https://github.com/rust-lang/cc-rs
 [`sandbox-exec`]: https://keith.github.io/xcode-man-pages/sandbox-exec.1.html