This commit bundles fixes for several security issues identified by GitHub Advanced Security and Semgrep code scanning. ## Workflow Permissions (CodeQL) - Add explicit permissions blocks to GitHub Actions workflows - Restrict GITHUB_TOKEN to minimum required permissions - Affected files: automated-releases.yml, build-and-test-v3.yml, publish-npm.yml, test-simple.yml ## Path Traversal (CodeQL) - Fix directory traversal vulnerability in screen example - Add path validation using filepath.Clean and containment checks - Affected file: v3/examples/screen/main.go ## Rollup XSS Vulnerability (Semgrep) - Update rollup from 3.28.0 to 3.29.5 - Fixes CVE-2024-47068 (Cross-site Scripting) - Affected file: v3/examples/dev/frontend/package-lock.json Note: The setup wizard command injection alert was reviewed and determined to be a false positive - commands originate from backend package manager detection, not user input. Added clarifying documentation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
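---
# Rebuilds and publishes the @wailsio/runtime npm package when its sources
# change on v3-alpha, or on manual dispatch. (`on:` reads as a boolean key in
# generic YAML 1.1 parsers; GitHub's workflow loader handles it as intended.)
on:
  push:
    branches: ['v3-alpha']
  workflow_dispatch:

# Restrict default GITHUB_TOKEN permissions; each job widens them explicitly.
permissions:
  contents: read

concurrency:
  group: publish-npm-v3
  cancel-in-progress: true

jobs:
  detect:
    name: Detect committed changes
    if: github.event_name != 'workflow_dispatch'
    permissions:
      contents: read
    outputs:
      # true when either the package manifest or the runtime sources changed
      changed: ${{ steps.package-json-changes.outputs.any_modified == 'true' || steps.source-changes.outputs.any_modified == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): tag-pinned, while changed-files below is SHA-pinned;
        # pin consistently so a moved tag cannot change what runs here.
        uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}
          # NOTE(review): this job only reads; confirm whether `false` also
          # satisfies the changed-files steps — it would keep the token out
          # of the checkout's git config on the runner.
          persist-credentials: true

      - name: Detect committed package.json changes
        id: package-json-changes
        uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
        with:
          files: |
            v3/internal/runtime/desktop/@wailsio/runtime/package.json
            v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json

      - name: Detect committed source changes
        # Skipped when the manifest already changed; the `changed` output
        # above treats a skipped step's empty output as "not modified".
        if: >-
          steps.package-json-changes.outputs.any_modified != 'true'
        id: source-changes
        uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
        with:
          files: |
            v3/internal/runtime/Taskfile.yaml
            v3/internal/runtime/desktop/@wailsio/compiled/main.js
            v3/internal/runtime/desktop/@wailsio/runtime/tsconfig.json
            v3/internal/runtime/desktop/@wailsio/runtime/src/**
            v3/pkg/events/events.txt
            v3/tasks/events/**

  rebuild_and_publish:
    name: Rebuild and publish
    needs: [detect]
    # Runs on manual dispatch (detect is skipped, not failed) or when detect
    # reported a relevant change.
    if: >-
      !failure() && !cancelled()
      && (github.event_name == 'workflow_dispatch' || needs.detect.outputs.changed == 'true')
    runs-on: ubuntu-latest
    permissions:
      contents: write  # needed for the version-bump commit and push below
      actions: read
      pull-requests: read
    steps:
      - name: Checkout code
        # NOTE(review): tag-pinned (see the detect job); consider SHA-pinning.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: 'v3-alpha'
          # Falls back to the workflow token when the PAT secret is absent.
          token: ${{ secrets.WAILS_REPO_TOKEN || github.token }}

      - name: Configure git
        # The token is passed via the environment instead of being expanded
        # into the script with ${{ }}, so it never becomes part of the shell
        # command text.
        env:
          REPO_TOKEN: ${{ secrets.WAILS_REPO_TOKEN || github.token }}
        run: |
          git config --global user.email "github-actions@github.com"
          git config --global user.name "GitHub Actions"
          # NOTE(review): checkout@v4 already persists this token for the
          # repository remote; this global rewrite also covers any other
          # github.com git access in the job — confirm it is still needed.
          git config --global url."https://x-access-token:${REPO_TOKEN}@github.com/".insteadOf "https://github.com/"

      - name: Install Task
        uses: arduino/setup-task@v2
        with:
          version: 3.x
          repo-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Use Node.js 20
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies
        working-directory: v3/internal/runtime/desktop/@wailsio/runtime
        run: |
          npm ci
          # NOTE(review): resolves an unpinned `latest` esbuild on every run;
          # if the build relies on it, pin the version for reproducibility.
          npx --yes esbuild@latest --version

      - name: Clean build artifacts
        working-directory: v3/internal/runtime/desktop/@wailsio/runtime
        run: npm run clean

      - name: Build bundled runtime
        working-directory: v3
        run: task runtime:build

      - name: Test+Build npm package
        working-directory: v3/internal/runtime/desktop/@wailsio/runtime
        run: |
          npm test
          npm run build

      - name: Bump version
        id: bump-version
        working-directory: v3/internal/runtime/desktop/@wailsio/runtime
        # Exposes the new prerelease version as a step output for the commit message.
        run: |
          echo "version=$(npm --no-git-tag-version --force version prerelease)" >> "$GITHUB_OUTPUT"

      - name: Commit changes
        # The version string is passed through the environment rather than
        # expanded into the script with ${{ }}, so it cannot alter the shell
        # command even if it contained quotes or metacharacters.
        env:
          VERSION: ${{ steps.bump-version.outputs.version }}
        run: |
          git add .
          git commit -m "[skip ci] Publish @wailsio/runtime ${VERSION}"
          git push

      - name: Publish npm package
        uses: JS-DevTools/npm-publish@v3
        with:
          package: v3/internal/runtime/desktop/@wailsio/runtime
          access: public
          token: ${{ secrets.NPM_TOKEN }}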