ci: Harden variables in strings #10552

wants to merge 1 commit into
base: main
64 changes: 32 additions & 32 deletions .github/workflows/appstore-build-publish.yml
@@ -34,13 +34,13 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'

- name: Get appinfo data
id: appinfo
uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'
expression: "//info//dependencies//nextcloud/@min-version"

- name: Read package.json node and npm engines version
@@ -49,18 +49,18 @@ jobs:
# Continue if no package.json
continue-on-error: true
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'
fallbackNode: '^20'
fallbackNpm: '^10'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
# Skip if no package.json
if: ${{ steps.versions.outputs.nodeVersion }}
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
# Skip if no package.json
if: ${{ steps.versions.outputs.npmVersion }}
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
@@ -69,26 +69,26 @@ jobs:
id: php-versions
uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'

- name: Set up php ${{ steps.php-versions.outputs.php-min }}
- name: 'Set up php ${{ steps.php-versions.outputs.php-min }}'
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
with:
php-version: ${{ steps.php-versions.outputs.php-min }}
php-version: '${{ steps.php-versions.outputs.php-min }}'
coverage: none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Check composer.json
id: check_composer
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: "${{ env.APP_NAME }}/composer.json"
files: '${{ env.APP_NAME }}/composer.json'

- name: Install composer dependencies
if: steps.check_composer.outputs.files_exists == 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
composer install --no-dev

- name: Build ${{ env.APP_NAME }}
@@ -97,35 +97,35 @@ jobs:
env:
CYPRESS_INSTALL_BINARY: 0
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
npm ci
npm run build --if-present

- name: Check Krankerl config
id: krankerl
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: ${{ env.APP_NAME }}/krankerl.toml
files: '${{ env.APP_NAME }}/krankerl.toml'

- name: Install Krankerl
if: steps.krankerl.outputs.files_exists == 'true'
run: |
wget https://github.com/ChristophWurst/krankerl/releases/download/v0.14.0/krankerl_0.14.0_amd64.deb
sudo dpkg -i krankerl_0.14.0_amd64.deb

- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl'
if: steps.krankerl.outputs.files_exists == 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
krankerl package

- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with makefile
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with makefile'
if: steps.krankerl.outputs.files_exists != 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
make appstore

- name: Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
- name: 'Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
continue-on-error: true
id: server-checkout
run: |
@@ -144,32 +144,32 @@ jobs:
- name: Sign app
run: |
# Extracting release
cd ${{ env.APP_NAME }}/build/artifacts
tar -xvf ${{ env.APP_NAME }}.tar.gz
cd '${{ env.APP_NAME }}/build/artifacts'
tar -xvf '${{ env.APP_NAME }}.tar.gz'
cd ../../../
# Setting up keys
echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key
wget --quiet "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt"
# Signing
php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
php nextcloud/occ integrity:sign-app --privateKey='../${{ env.APP_NAME }}.key' --certificate='../${{ env.APP_NAME }}.crt' --path='../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}'
# Rebuilding archive
cd ${{ env.APP_NAME }}/build/artifacts
tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}/build/artifacts'
tar -zcvf '${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}'

- name: Attach tarball to github release
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
id: attach_to_release
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
asset_name: ${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz
tag: ${{ github.ref }}
repo_token: '${{ secrets.GITHUB_TOKEN }}'
file: '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz'
asset_name: '${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz'
tag: '${{ github.ref }}'
overwrite: true

- name: Upload app to Nextcloud appstore
uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1
with:
app_name: ${{ env.APP_NAME }}
appstore_token: ${{ secrets.APPSTORE_TOKEN }}
download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
app_name: '${{ env.APP_NAME }}'
appstore_token: '${{ secrets.APPSTORE_TOKEN }}'
download_url: '${{ steps.attach_to_release.outputs.browser_download_url }}'
app_private_key: '${{ secrets.APP_PRIVATE_KEY }}'
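Review bot: The rebuilt archive command in the Sign app hunk, `tar -zcvf '${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}'`, now wraps both arguments in one pair of quotes, so tar receives a single argument "<name>.tar.gz <name>" as the archive path and no input paths, where the removed line passed them separately; it should read `tar -zcvf '${{ env.APP_NAME }}.tar.gz' '${{ env.APP_NAME }}'`. In the same step the redirect target in `echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key` stays unquoted, so the step's quoting is uneven. More generally, single quotes around an `${{ }}` expression inside `run:` are expanded into the script text before the shell parses it, so they guard against word splitting but not against a value that itself contains a quote; since `APP_NAME` is already in the `env` context, the `run:` lines can reference it as `"$APP_NAME"` with no expression at all, and the same applies to the `run:` blocks in appstore-conventional-build-publish.yml.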
50 changes: 25 additions & 25 deletions .github/workflows/appstore-conventional-build-publish.yml
@@ -35,14 +35,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'

- name: Conventional Changelog Action
id: changelog
uses: TriPSs/conventional-changelog-action@b7f32a8347e86c26ea2f4823cc7c160b9014c6a0 # v3
working-directory: ${{ env.APP_NAME }}
working-directory: '${{ env.APP_NAME }}'
with:
github-token: ${{ secrets.RELEASE_PAT }}
github-token: '${{ secrets.RELEASE_PAT }}'
git-user-email: nextcloud-command@users.noreply.github.com
git-user-name: Nextcloud Command Bot
skip-git-pull: "true"
@@ -55,7 +55,7 @@ jobs:
id: appinfo
uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'
expression: "//info//dependencies//nextcloud/@min-version"

- name: Read package.json node and npm engines version
@@ -65,47 +65,47 @@ jobs:
# Continue if no package.json
continue-on-error: true
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'
fallbackNode: '^20'
fallbackNpm: '^9'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"

- name: Set up php ${{ env.PHP_VERSION }}
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2
with:
php-version: ${{ env.PHP_VERSION }}
php-version: '${{ env.PHP_VERSION }}'
coverage: none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Install Krankerl
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
wget https://github.com/ChristophWurst/krankerl/releases/download/v0.14.0/krankerl_0.14.0_amd64.deb
sudo dpkg -i krankerl_0.14.0_amd64.deb

- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
krankerl package

- name: Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
- name: 'Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
continue-on-error: true
id: server-checkout
run: |
NCVERSION=${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
NCVERSION='${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
wget --quiet https://download.nextcloud.com/server/releases/latest-$NCVERSION.zip
unzip latest-$NCVERSION.zip

@@ -121,7 +121,7 @@ jobs:
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
# Extracting release
cd ${{ env.APP_NAME }}/build/artifacts
cd '${{ env.APP_NAME }}/build/artifacts'
tar -xvf ${{ env.APP_NAME }}.tar.gz
cd ../../../
# Setting up keys
@@ -130,7 +130,7 @@ jobs:
# Signing
php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
# Rebuilding archive
cd ${{ env.APP_NAME }}/build/artifacts
cd '${{ env.APP_NAME }}/build/artifacts'
tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}

- name: Push tag to releases organization
@@ -144,18 +144,18 @@ jobs:
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
id: attach_to_release
with:
repo_token: ${{ secrets.RELEASE_PAT }}
repo_name: nextcloud-releases/${{ env.APP_NAME }}
file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
asset_name: ${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz
tag: ${{ steps.changelog.outputs.tag }}
repo_token: '${{ secrets.RELEASE_PAT }}'
repo_name: 'nextcloud-releases/${{ env.APP_NAME }}'
file: '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz'
asset_name: '${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz'
tag: '${{ steps.changelog.outputs.tag }}'
overwrite: true

- name: Upload app to Nextcloud appstore
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1
with:
app_name: ${{ env.APP_NAME }}
appstore_token: ${{ secrets.APPSTORE_TOKEN }}
download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
app_name: '{{ env.APP_NAME }}'
appstore_token: '${{ secrets.APPSTORE_TOKEN }}'
download_url: '${{ steps.attach_to_release.outputs.browser_download_url }}'
app_private_key: '${{ secrets.APP_PRIVATE_KEY }}'
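Review bot: `app_name: '{{ env.APP_NAME }}'` in the last hunk has lost its leading `$`, so the appstore push action receives the literal text `{{ env.APP_NAME }}` rather than the app name; it should be `app_name: '${{ env.APP_NAME }}'`. The hardening in this file is also less complete than in appstore-build-publish.yml: in the Sign app step only the two `cd` lines were quoted, while `tar -xvf ${{ env.APP_NAME }}.tar.gz`, the `php nextcloud/occ integrity:sign-app ...` line and `tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}` keep their unquoted expressions. Likewise `NCVERSION='${{ ... }}'` is now quoted but the following `wget` and `unzip` lines still expand `$NCVERSION` unquoted.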
2 changes: 1 addition & 1 deletion .github/workflows/block-unconventional-commits.yml
@@ -31,4 +31,4 @@ jobs:

- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
2 changes: 1 addition & 1 deletion .github/workflows/fixup.yml
@@ -33,4 +33,4 @@ jobs:
- name: Run check
uses: skjnldsv/block-fixup-merge-action@c138ea99e45e186567b64cf065ce90f7158c236a # v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: '${{ secrets.GITHUB_TOKEN }}'
6 changes: 3 additions & 3 deletions .github/workflows/lint-eslint.yml
@@ -62,12 +62,12 @@ jobs:
fallbackNode: '^20'
fallbackNpm: '^9'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"

- name: Install dependencies
2 changes: 1 addition & 1 deletion .github/workflows/lint-php-cs.yml
@@ -34,7 +34,7 @@ jobs:
coverage: none
ini-file: development
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Install dependencies
run: composer i
6 changes: 3 additions & 3 deletions .github/workflows/lint-php.yml
@@ -30,14 +30,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up php ${{ matrix.php-versions }}
- name: 'Set up php ${{ matrix.php-versions }}'
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2
with:
php-version: ${{ matrix.php-versions }}
php-version: '${{ matrix.php-versions }}'
coverage: none
ini-file: development
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Lint
run: composer run lint
12 changes: 6 additions & 6 deletions .github/workflows/npm-audit-fix.yml
@@ -23,13 +23,13 @@ jobs:
matrix:
branches: ['main', 'stable3.7', 'stable3.6']

name: npm-audit-fix-${{ matrix.branches }}
name: 'npm-audit-fix-${{ matrix.branches }}'

steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ matrix.branches }}
ref: '${{ matrix.branches }}'

- name: Read package.json node and npm engines version
uses: skjnldsv/read-package-engines-version-actions@8205673bab74a63eb9b8093402fd9e0e018663a1 # v2.2
@@ -38,10 +38,10 @@ jobs:
fallbackNode: '^20'
fallbackNpm: '^10'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
@@ -54,12 +54,12 @@ jobs:
if: always()
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7
with:
token: ${{ secrets.COMMAND_BOT_PAT }}
token: '${{ secrets.COMMAND_BOT_PAT }}'
commit-message: "fix(deps): Apply npm audit fix"
committer: GitHub <noreply@github.com>
author: nextcloud-command <nextcloud-command@users.noreply.github.com>
signoff: true
branch: automated/noid/${{ matrix.branches }}-fix-npm-audit
branch: 'automated/noid/${{ matrix.branches }}-fix-npm-audit'
title: "fix(deps): Apply npm audit fix"
body: |
Auto-generated fix of npm audit
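Review bot: The step name `- name: Set up npm ${{ steps.versions.outputs.npmVersion }}` in the second hunk is the only such step name left unquoted in this change set; the same line is quoted in lint-eslint.yml and in both appstore workflows. For consistency it should become `- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'`.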