From 2b00cc4744cf5999cbc4689dab48ae2b4d57f978 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Sun, 17 May 2026 15:27:51 +0200
Subject: [PATCH] verify-action-build: detect MATLAB platform-named binary dirs

The in-tree binary detector flagged matlab-actions/run-tests@v3.1.1's dist/bin/win64/run-matlab-command.exe (via .exe extension) but missed the three Unix siblings under dist/bin/{glnxa64,maca64,maci64}/, which have no extension and don't match the -- cross-compile filename regex. Add a parent-directory rule for MATLAB's platform identifiers so the Linux/macOS launchers are caught too, and pin a regression test against the actual v3.1.1 shape. Surfaced while triaging apache/infrastructure-actions#846.
Generated-by: Claude Opus 4.7 (1M context)
---
 .../verify_action_build/test_security.py | 26 +++++++++++++++++++
 utils/verify_action_build/security.py | 20 ++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/utils/tests/verify_action_build/test_security.py b/utils/tests/verify_action_build/test_security.py
index ed241733..c89e586a 100644
--- a/utils/tests/verify_action_build/test_security.py
+++ b/utils/tests/verify_action_build/test_security.py
@@ -1302,6 +1302,32 @@ def test_licenses_txt_exempt(self):
 assert _looks_like_in_tree_binary("dist/licenses.txt") is False
 assert _looks_like_in_tree_binary("licenses.txt") is False
+ def test_matlab_platform_dir_naming(self):
+ # MATLAB's launcher convention: dist/bin//run-matlab-command
+ # where is MATLAB's own arch identifier and the file has
+ # no extension. matlab-actions/run-tests@v3.1.1 ships these:
+ for path in (
+ "dist/bin/glnxa64/run-matlab-command",
+ "dist/bin/maca64/run-matlab-command",
+ "dist/bin/maci64/run-matlab-command",
+ ):
+ assert _looks_like_in_tree_binary(path), path
+ # The .exe sibling was already caught by extension; keep it green.
+ assert _looks_like_in_tree_binary("dist/bin/win64/run-matlab-command.exe")
+
+ def test_matlab_sibling_text_files_not_flagged(self):
+ # license.txt and thirdpartylicenses.txt sit in dist/bin/ directly,
+ # not under a / subdir — and licenses.txt is exempt by
+ # name anyway.
+ assert not _looks_like_in_tree_binary("dist/bin/license.txt")
+ assert not _looks_like_in_tree_binary("dist/bin/thirdpartylicenses.txt")
+
+ def test_platform_dir_requires_parent(self):
+ # A file *named* glnxa64 at the repo root is not a binary launcher.
+ # The signal is parent-directory == platform, not filename.
+ assert not _looks_like_in_tree_binary("glnxa64")
+ assert not _looks_like_in_tree_binary("docs/glnxa64.md")
+
 class TestParseSha256sums:
 """Parse the standard `` `` format used by ``sha256sum``
diff --git a/utils/verify_action_build/security.py b/utils/verify_action_build/security.py
index ee5c5946..3b351a2c 100644
--- a/utils/verify_action_build/security.py
+++ b/utils/verify_action_build/security.py
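Review bot: The added tests pin only the exact v3.1.1 paths, so the edges of the new parent-directory rule are untested: a differently-cased directory (`dist/bin/GLNXA64/run-matlab-command`), a launcher nested one level below the platform directory, and a text file placed inside one. As the rule is written in security.py, a file such as `dist/bin/glnxa64/notes.md` would be flagged unless its name is in the exempt set, and nothing here records whether that is intended. One assertion per case with the intended result, e.g. `assert _looks_like_in_tree_binary("dist/bin/glnxa64/notes.md")`, would document the trade-off this path-only heuristic makes. The enclosing test class starts outside the hunk.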
@@ -1651,6 +1651,18 @@ def analyze_repo_metadata(
 r"(?:\.exe)?$"
 )
+# Some toolchains drop platform info into the *parent directory* rather
+# than the filename, so the cross-compile regex above misses them.
+# MATLAB's launcher ships at ``dist/bin//run-matlab-command``
+# where ```` is MATLAB's own identifier (``glnxa64`` = Linux
+# x86_64, ``maca64`` = macOS arm64, ``maci64`` = macOS x86_64). The
+# Windows sibling has a ``.exe`` and is already caught by extension.
+_PLATFORM_DIR_NAMES = frozenset({
+ "glnxa64",
+ "maca64",
+ "maci64",
+})
+
 # Filename patterns that LOOK binary but are conventional in JS/TS or other
 # textual sources — don't false-positive these.
 _IN_TREE_BINARY_EXEMPT_NAMES = {
@@ -1664,8 +1676,9 @@ def _looks_like_in_tree_binary(path: str) -> bool:
 pre-compiled native binary by name alone.
 Cheap path-only heuristic — no fetch, no magic-byte sniff. Known
- binary extensions and cross-compile platform/arch suffixes both
- trigger; conventional text artifacts are exempted.
+ binary extensions, cross-compile platform/arch suffixes and
+ platform-named parent directories all trigger; conventional text
+ artifacts are exempted.
 """
 name = path.rsplit("/", 1)[-1]
 if name in _IN_TREE_BINARY_EXEMPT_NAMES:
@@ -1675,6 +1688,9 @@ def _looks_like_in_tree_binary(path: str) -> bool:
 return True
 if _PLATFORM_ARCH_BINARY_RE.search(lower):
 return True
+ parts = path.split("/")
+ if len(parts) >= 2 and parts[-2] in _PLATFORM_DIR_NAMES:
+ return True
 return False
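Review bot: In the `_PLATFORM_DIR_NAMES` hunk the set leaves out `win64`, so a file under `dist/bin/win64/` is judged only by the extension and filename-regex rules, and an extensionless file there would pass this path-only check. Adding `"win64",` to the frozenset makes the four MATLAB identifiers symmetric, and the `.exe` assertion in the tests holds either way. The comment should also state that entries are compared exactly against the immediate parent directory name, so whoever extends the set knows what form to store.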
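Review bot: In the last hunk the new check compares `parts[-2]` verbatim, while the regex check just above it runs on `lower`, so a path such as `dist/bin/GLNXA64/run-matlab-command` is not flagged. `if len(parts) >= 2 and parts[-2].lower() in _PLATFORM_DIR_NAMES:` would close that gap. Only the immediate parent is examined, so a launcher one directory deeper is also missed; if that matters, test every directory component, `any(p.lower() in _PLATFORM_DIR_NAMES for p in parts[:-1])`. The assignment of `lower` is outside the hunk, so I am assuming it holds a lower-cased name or path, and the function body itself starts before the hunk.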