ci: Harden variables in strings
Signed-off-by: Christoph Wurst <[email protected]>
ChristophWurst committed Jan 9, 2025
1 parent e9c7893 commit dc8185d
Showing 14 changed files with 95 additions and 95 deletions.
64 changes: 32 additions & 32 deletions .github/workflows/appstore-build-publish.yml
@@ -34,13 +34,13 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'

- name: Get appinfo data
id: appinfo
uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'
expression: "//info//dependencies//nextcloud/@min-version"

- name: Read package.json node and npm engines version
@@ -49,18 +49,18 @@ jobs:
# Continue if no package.json
continue-on-error: true
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'
fallbackNode: '^20'
fallbackNpm: '^10'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
# Skip if no package.json
if: ${{ steps.versions.outputs.nodeVersion }}
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
# Skip if no package.json
if: ${{ steps.versions.outputs.npmVersion }}
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
@@ -69,26 +69,26 @@ jobs:
id: php-versions
uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'

- name: Set up php ${{ steps.php-versions.outputs.php-min }}
- name: 'Set up php ${{ steps.php-versions.outputs.php-min }}'
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
with:
php-version: ${{ steps.php-versions.outputs.php-min }}
php-version: '${{ steps.php-versions.outputs.php-min }}'
coverage: none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Check composer.json
id: check_composer
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: "${{ env.APP_NAME }}/composer.json"
files: '${{ env.APP_NAME }}/composer.json'

- name: Install composer dependencies
if: steps.check_composer.outputs.files_exists == 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
composer install --no-dev
- name: Build ${{ env.APP_NAME }}
@@ -97,35 +97,35 @@ jobs:
env:
CYPRESS_INSTALL_BINARY: 0
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
npm ci
npm run build --if-present
- name: Check Krankerl config
id: krankerl
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: ${{ env.APP_NAME }}/krankerl.toml
files: '${{ env.APP_NAME }}/krankerl.toml'

- name: Install Krankerl
if: steps.krankerl.outputs.files_exists == 'true'
run: |
wget https://github.com/ChristophWurst/krankerl/releases/download/v0.14.0/krankerl_0.14.0_amd64.deb
sudo dpkg -i krankerl_0.14.0_amd64.deb
- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl'
if: steps.krankerl.outputs.files_exists == 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
krankerl package
- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with makefile
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with makefile'
if: steps.krankerl.outputs.files_exists != 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
make appstore
- name: Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
- name: 'Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
continue-on-error: true
id: server-checkout
run: |
@@ -144,32 +144,32 @@ jobs:
- name: Sign app
run: |
# Extracting release
cd ${{ env.APP_NAME }}/build/artifacts
tar -xvf ${{ env.APP_NAME }}.tar.gz
cd '${{ env.APP_NAME }}/build/artifacts'
tar -xvf '${{ env.APP_NAME }}.tar.gz'
cd ../../../
# Setting up keys
echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key
wget --quiet "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt"
# Signing
php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
php nextcloud/occ integrity:sign-app --privateKey='../${{ env.APP_NAME }}.key' --certificate='../${{ env.APP_NAME }}.crt' --path='../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}'
# Rebuilding archive
cd ${{ env.APP_NAME }}/build/artifacts
tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}/build/artifacts'
tar -zcvf '${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}'
- name: Attach tarball to github release
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
id: attach_to_release
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
asset_name: ${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz
tag: ${{ github.ref }}
repo_token: '${{ secrets.GITHUB_TOKEN }}'
file: '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz'
asset_name: '${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz'
tag: '${{ github.ref }}'
overwrite: true

- name: Upload app to Nextcloud appstore
uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1
with:
app_name: ${{ env.APP_NAME }}
appstore_token: ${{ secrets.APPSTORE_TOKEN }}
download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
app_name: '${{ env.APP_NAME }}'
appstore_token: '${{ secrets.APPSTORE_TOKEN }}'
download_url: '${{ steps.attach_to_release.outputs.browser_download_url }}'
app_private_key: '${{ secrets.APP_PRIVATE_KEY }}'
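Review bot: The rebuilt-archive command in the `Sign app` step now reads `tar -zcvf '${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}'`, so the archive name and the directory to pack reach tar as one argument and no member is named; the step would most likely fail instead of producing the signed tarball. Each operand needs its own quotes: `tar -zcvf '${{ env.APP_NAME }}.tar.gz' '${{ env.APP_NAME }}'`. In the same step the redirect target `> ${{ env.APP_NAME }}.key` is still unquoted, so the quoting is not uniform. Because `${{ }}` is substituted into the script text before the shell parses it, referencing the exported variable as `"$APP_NAME"` would be more robust than quoting the expression, assuming APP_NAME comes from a workflow- or job-level `env:` block, which is outside the hunks shown.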
50 changes: 25 additions & 25 deletions .github/workflows/appstore-conventional-build-publish.yml
@@ -35,14 +35,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'

- name: Conventional Changelog Action
id: changelog
uses: TriPSs/conventional-changelog-action@b7f32a8347e86c26ea2f4823cc7c160b9014c6a0 # v3
working-directory: ${{ env.APP_NAME }}
working-directory: '${{ env.APP_NAME }}'
with:
github-token: ${{ secrets.RELEASE_PAT }}
github-token: '${{ secrets.RELEASE_PAT }}'
git-user-email: [email protected]
git-user-name: Nextcloud Command Bot
skip-git-pull: "true"
@@ -55,7 +55,7 @@ jobs:
id: appinfo
uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'
expression: "//info//dependencies//nextcloud/@min-version"

- name: Read package.json node and npm engines version
@@ -65,47 +65,47 @@ jobs:
# Continue if no package.json
continue-on-error: true
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'
fallbackNode: '^20'
fallbackNpm: '^9'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"

- name: Set up php ${{ env.PHP_VERSION }}
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2
with:
php-version: ${{ env.PHP_VERSION }}
php-version: '${{ env.PHP_VERSION }}'
coverage: none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Install Krankerl
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
wget https://github.com/ChristophWurst/krankerl/releases/download/v0.14.0/krankerl_0.14.0_amd64.deb
sudo dpkg -i krankerl_0.14.0_amd64.deb
- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
krankerl package
- name: Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
- name: 'Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
continue-on-error: true
id: server-checkout
run: |
NCVERSION=${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
NCVERSION='${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
wget --quiet https://download.nextcloud.com/server/releases/latest-$NCVERSION.zip
unzip latest-$NCVERSION.zip
@@ -121,7 +121,7 @@ jobs:
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
# Extracting release
cd ${{ env.APP_NAME }}/build/artifacts
cd '${{ env.APP_NAME }}/build/artifacts'
tar -xvf ${{ env.APP_NAME }}.tar.gz
cd ../../../
# Setting up keys
@@ -130,7 +130,7 @@ jobs:
# Signing
php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
# Rebuilding archive
cd ${{ env.APP_NAME }}/build/artifacts
cd '${{ env.APP_NAME }}/build/artifacts'
tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}
- name: Push tag to releases organization
@@ -144,18 +144,18 @@ jobs:
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
id: attach_to_release
with:
repo_token: ${{ secrets.RELEASE_PAT }}
repo_name: nextcloud-releases/${{ env.APP_NAME }}
file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
asset_name: ${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz
tag: ${{ steps.changelog.outputs.tag }}
repo_token: '${{ secrets.RELEASE_PAT }}'
repo_name: 'nextcloud-releases/${{ env.APP_NAME }}'
file: '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz'
asset_name: '${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz'
tag: '${{ steps.changelog.outputs.tag }}'
overwrite: true

- name: Upload app to Nextcloud appstore
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1
with:
app_name: ${{ env.APP_NAME }}
appstore_token: ${{ secrets.APPSTORE_TOKEN }}
download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
app_name: '{{ env.APP_NAME }}'
appstore_token: '${{ secrets.APPSTORE_TOKEN }}'
download_url: '${{ steps.attach_to_release.outputs.browser_download_url }}'
app_private_key: '${{ secrets.APP_PRIVATE_KEY }}'
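Review bot: The new `app_name: '{{ env.APP_NAME }}'` in the `Upload app to Nextcloud appstore` step has lost the leading `$`, so the action receives the literal text `{{ env.APP_NAME }}` instead of the app name; it should read `app_name: '${{ env.APP_NAME }}'`. The signing step in this file is also only partly converted: the two `cd` lines are quoted, but `tar -xvf ${{ env.APP_NAME }}.tar.gz`, the `integrity:sign-app` arguments and `tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}` stay unquoted, unlike their counterparts in appstore-build-publish.yml. Part of that step lies between hunks and is not visible here, so the remaining lines should be checked as well.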
2 changes: 1 addition & 1 deletion .github/workflows/block-unconventional-commits.yml
@@ -31,4 +31,4 @@ jobs:

- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
2 changes: 1 addition & 1 deletion .github/workflows/fixup.yml
@@ -33,4 +33,4 @@ jobs:
- name: Run check
uses: skjnldsv/block-fixup-merge-action@c138ea99e45e186567b64cf065ce90f7158c236a # v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: '${{ secrets.GITHUB_TOKEN }}'
6 changes: 3 additions & 3 deletions .github/workflows/lint-eslint.yml
@@ -62,12 +62,12 @@ jobs:
fallbackNode: '^20'
fallbackNpm: '^9'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"

- name: Install dependencies
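Review bot: The `run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"` line is left as it was, and it is the one place in this hunk where quoting matters to the shell: the expression is pasted into the script text before bash parses it, and inside double quotes a value containing `$(...)` or a backtick is still evaluated. The value appears to come from the package.json engines field, which a pull request can change if this workflow runs on pull requests (the trigger is outside the hunk). Passing it through the step environment avoids that: add `env:` with `NPM_VERSION: '${{ steps.versions.outputs.npmVersion }}'` and use `run: npm i -g "npm@$NPM_VERSION"`. The same line appears in appstore-conventional-build-publish.yml and npm-audit-fix.yml, and the single-quoted form in appstore-build-publish.yml has the analogous limit, since a `'` in the value ends the quoting.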
2 changes: 1 addition & 1 deletion .github/workflows/lint-php-cs.yml
@@ -34,7 +34,7 @@ jobs:
coverage: none
ini-file: development
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Install dependencies
run: composer i
6 changes: 3 additions & 3 deletions .github/workflows/lint-php.yml
@@ -30,14 +30,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up php ${{ matrix.php-versions }}
- name: 'Set up php ${{ matrix.php-versions }}'
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2
with:
php-version: ${{ matrix.php-versions }}
php-version: '${{ matrix.php-versions }}'
coverage: none
ini-file: development
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Lint
run: composer run lint
12 changes: 6 additions & 6 deletions .github/workflows/npm-audit-fix.yml
@@ -23,13 +23,13 @@ jobs:
matrix:
branches: ['main', 'stable3.7', 'stable3.6']

name: npm-audit-fix-${{ matrix.branches }}
name: 'npm-audit-fix-${{ matrix.branches }}'

steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ matrix.branches }}
ref: '${{ matrix.branches }}'

- name: Read package.json node and npm engines version
uses: skjnldsv/read-package-engines-version-actions@8205673bab74a63eb9b8093402fd9e0e018663a1 # v2.2
@@ -38,10 +38,10 @@ jobs:
fallbackNode: '^20'
fallbackNpm: '^10'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
@@ -54,12 +54,12 @@ jobs:
if: always()
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7
with:
token: ${{ secrets.COMMAND_BOT_PAT }}
token: '${{ secrets.COMMAND_BOT_PAT }}'
commit-message: "fix(deps): Apply npm audit fix"
committer: GitHub <[email protected]>
author: nextcloud-command <[email protected]>
signoff: true
branch: automated/noid/${{ matrix.branches }}-fix-npm-audit
branch: 'automated/noid/${{ matrix.branches }}-fix-npm-audit'
title: "fix(deps): Apply npm audit fix"
body: |
Auto-generated fix of npm audit