From 9a368cb059092c0e53a7415d1a309fa84feb1a86 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Tue, 17 Dec 2024 01:10:08 +0000
Subject: [PATCH] update workflow

---
 .github/workflows/build.yml   | 15 ++++++++++-----
 .github/workflows/release.yml | 35 ++++++++++++++++++++++++-----------
 2 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a9f7ab5..6d7ef67 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,10 +1,11 @@
 name: Build and Test
 
 on:
-  push:
-    branches: [ main ]
   pull_request:
     branches: [ main ]
+  push:
+    branches-ignore:
+      - main
 
 jobs:
   build:
@@ -35,9 +36,13 @@ jobs:
         run: cargo test --release
         
       - name: Upload build artifacts
-        if: github.event_name == 'pull_request'
         uses: actions/upload-artifact@v3
         with:
-          name: build-artifacts
-          path: target/release/*.exe
+          name: build-artifacts-${{ github.sha }}
+          path: |
+            target/release/*.exe
+            SHA.txt
           retention-days: 1
+
+      - name: Save SHA
+        run: echo ${{ github.sha }} > SHA.txt
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d905d22..99f55e8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,11 +4,18 @@ on:
   push:
     branches: [ main ]
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: windows-latest
     steps:
-      # Try to download artifacts from PR build if available
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      
+      # Try to download artifacts from PR build
       - name: Download PR artifacts
         id: download
         uses: dawidd6/action-download-artifact@v2
@@ -16,20 +23,26 @@ jobs:
         with:
           workflow: build.yml
           workflow_conclusion: success
-          branch: ${{ github.event.pull_request.head.ref }}
-          name: build-artifacts
+          name: build-artifacts-${{ github.sha }}
           path: artifacts
+
+      # Verify SHA matches
+      - name: Verify build SHA
+        id: verify
+        if: steps.download.outcome == 'success'
+        run: |
+          $expected_sha = Get-Content artifacts/SHA.txt
+          if ($expected_sha -ne "${{ github.sha }}") {
+            echo "SHA mismatch - need fresh build"
+            exit 1
+          }
           
-      # If no artifacts found (direct push to main), build from scratch
-      - uses: actions/checkout@v3
-        if: steps.download.outcome == 'failure'
-      
       - name: Install Rust
-        if: steps.download.outcome == 'failure'
+        if: steps.download.outcome == 'failure' || steps.verify.outcome == 'failure'
         uses: dtolnay/rust-toolchain@stable
         
       - name: Cache Rust dependencies and build outputs
-        if: steps.download.outcome == 'failure'
+        if: steps.download.outcome == 'failure' || steps.verify.outcome == 'failure'
         uses: actions/cache@v3
         with:
           path: |
@@ -43,11 +56,11 @@ jobs:
             ${{ runner.os }}-cargo-
         
       - name: Build
-        if: steps.download.outcome == 'failure'
+        if: steps.download.outcome == 'failure' || steps.verify.outcome == 'failure'
         run: cargo build --release
         
       - name: Move build artifacts
-        if: steps.download.outcome == 'failure'
+        if: steps.download.outcome == 'failure' || steps.verify.outcome == 'failure'
         run: |
           mkdir artifacts
           move target/release/*.exe artifacts/