Introduce CI workflow to check mirrors

Every 24 hours, fetch a bunch of tarballs from ziglang.org and every
mirror, to check that they are all working as intended. A summary is
emitted in a Markdown table which GitHub will render on the workflow run
page. If any mirror fails to serve a tarball or serves one which differs
from the one on ziglang.org, the workflow sends me (@mlugg) a push
notification so I see the issue and can address it.

As well as running on a cron schedule, this workflow can also be
manually triggered and runs when the mirror list file is edited.

Author: mlugg

.github/workflows/check-mirrors.yml

@@ -0,0 +1,28 @@
+name: Check Mirrors
+on:
+  schedule: [{ cron: "0 22 * * *" }]
+  workflow_dispatch: null
+  pull_request: { paths: ["assets/community-mirrors.ziggy"] }
+jobs:
+  check:
+    runs-on: [self-hosted, website]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Check Mirrors
+        run: |
+          cd check-mirrors
+          /home/ci/deps/zig-linux-x86_64-0.14.0/zig build run -- ../assets/community-mirrors.ziggy "$GITHUB_STEP_SUMMARY"
+  notify-failure:
+    runs-on: [self-hosted, website]
+    needs: [check]
+    if: ${{ always() && (needs.check.result == 'failure' || needs.check.result == 'timed_out') }}
+    steps:
+      - name: Send Notification
+        env:
+          PUSHOVER_USER: ${{ secrets.MIRROR_CHECK_PUSHOVER_USER }}
+          PUSHOVER_TOKEN: ${{ secrets.MIRROR_CHECK_PUSHOVER_TOKEN }}
+        run: curl -s
+               -F user="$PUSHOVER_USER"
+               -F token="$PUSHOVER_TOKEN"
+               -F message="Zig download mirror validation failed"
+               https://api.pushover.net/1/messages.json

check-mirrors/README.md

@@ -0,0 +1,8 @@
+# check-mirrors
+
+This is a small utility which checks the functionality of all listed community mirrors. It does this
+by fetching a subset of available tarballs and signatures from each mirror, and checking that the
+returned files exactly match the corresponding files served by ziglang.org.
+
+This check is automatically run once per day by the 'check-mirrors' workflow. It also runs when a PR
+modifies the mirror list.

check-mirrors/build.zig

@@ -0,0 +1,28 @@
+pub fn build(b: *std.Build) void {
+    const target = b.standardTargetOptions(.{});
+    const optimize = b.standardOptimizeOption(.{});
+
+    const ziggy = b.dependency("ziggy", .{
+        .target = target,
+        .optimize = optimize,
+    });
+
+    const exe = b.addExecutable(.{
+        .name = "check-mirrors",
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("main.zig"),
+            .target = target,
+            .optimize = optimize,
+            .imports = &.{
+                .{ .name = "ziggy", .module = ziggy.module("ziggy") },
+            },
+        }),
+    });
+    b.installArtifact(exe);
+
+    const run = b.addRunArtifact(exe);
+    if (b.args) |args| run.addArgs(args);
+    b.step("run", "Run check-mirrors").dependOn(&run.step);
+}
+
+const std = @import("std");

check-mirrors/build.zig.zon

@@ -0,0 +1,17 @@
+.{
+    .name = .check_mirrors,
+    .version = "0.0.0",
+    .fingerprint = 0xcb408e1ecbee16fd, // Changing this has security and trust implications.
+    .minimum_zig_version = "0.14.0",
+    .dependencies = .{
+        .ziggy = .{
+            .url = "git+https://github.com/kristoff-it/ziggy.git#fe3bf9389e7ff213cf3548caaf9c6f3d4bb38647",
+            .hash = "ziggy-0.1.0-kTg8vwBEBgDFzbstERaPLr5TzM1DhfDza1we_eEXuLDL",
+        },
+    },
+    .paths = .{
+        "build.zig",
+        "build.zig.zon",
+        "src",
+    },
+}