ci: Harden variables in strings #10552
wants to merge 1 commit into
base: main
64 changes: 32 additions & 32 deletions .github/workflows/appstore-build-publish.yml
Expand Up @@ -34,13 +34,13 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'

- name: Get appinfo data
id: appinfo
uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'
expression: "//info//dependencies//nextcloud/@min-version"

- name: Read package.json node and npm engines version
Expand All @@ -49,18 +49,18 @@ jobs:
# Continue if no package.json
continue-on-error: true
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'
fallbackNode: '^20'
fallbackNpm: '^10'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
# Skip if no package.json
if: ${{ steps.versions.outputs.nodeVersion }}
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
# Skip if no package.json
if: ${{ steps.versions.outputs.npmVersion }}
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
Expand All @@ -69,26 +69,26 @@ jobs:
id: php-versions
uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'

- name: Set up php ${{ steps.php-versions.outputs.php-min }}
- name: 'Set up php ${{ steps.php-versions.outputs.php-min }}'
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
with:
php-version: ${{ steps.php-versions.outputs.php-min }}
php-version: '${{ steps.php-versions.outputs.php-min }}'
coverage: none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Check composer.json
id: check_composer
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: "${{ env.APP_NAME }}/composer.json"
files: '${{ env.APP_NAME }}/composer.json'

- name: Install composer dependencies
if: steps.check_composer.outputs.files_exists == 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
composer install --no-dev

- name: Build ${{ env.APP_NAME }}
Expand All @@ -97,35 +97,35 @@ jobs:
env:
CYPRESS_INSTALL_BINARY: 0
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
npm ci
npm run build --if-present

- name: Check Krankerl config
id: krankerl
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: ${{ env.APP_NAME }}/krankerl.toml
files: '${{ env.APP_NAME }}/krankerl.toml'

- name: Install Krankerl
if: steps.krankerl.outputs.files_exists == 'true'
run: |
wget https://github.com/ChristophWurst/krankerl/releases/download/v0.14.0/krankerl_0.14.0_amd64.deb
sudo dpkg -i krankerl_0.14.0_amd64.deb

- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl'
if: steps.krankerl.outputs.files_exists == 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
krankerl package

- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with makefile
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with makefile'
if: steps.krankerl.outputs.files_exists != 'true'
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
make appstore

- name: Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
- name: 'Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
continue-on-error: true
id: server-checkout
run: |
Expand All @@ -144,32 +144,32 @@ jobs:
- name: Sign app
run: |
# Extracting release
cd ${{ env.APP_NAME }}/build/artifacts
tar -xvf ${{ env.APP_NAME }}.tar.gz
cd '${{ env.APP_NAME }}/build/artifacts'
tar -xvf '${{ env.APP_NAME }}.tar.gz'
cd ../../../
# Setting up keys
echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key
wget --quiet "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt"
# Signing
php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
php nextcloud/occ integrity:sign-app --privateKey='../${{ env.APP_NAME }}.key' --certificate='../${{ env.APP_NAME }}.crt' --path='../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}'
# Rebuilding archive
cd ${{ env.APP_NAME }}/build/artifacts
tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}/build/artifacts'
tar -zcvf '${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}'

- name: Attach tarball to github release
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
id: attach_to_release
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
asset_name: ${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz
tag: ${{ github.ref }}
repo_token: '${{ secrets.GITHUB_TOKEN }}'
file: '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz'
asset_name: '${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz'
tag: '${{ github.ref }}'
overwrite: true

- name: Upload app to Nextcloud appstore
uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1
with:
app_name: ${{ env.APP_NAME }}
appstore_token: ${{ secrets.APPSTORE_TOKEN }}
download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
app_name: '${{ env.APP_NAME }}'
appstore_token: '${{ secrets.APPSTORE_TOKEN }}'
download_url: '${{ steps.attach_to_release.outputs.browser_download_url }}'
app_private_key: '${{ secrets.APP_PRIVATE_KEY }}'
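Review bot: The re-quoted archive command in the Sign app step, `tar -zcvf '${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}'`, wraps both arguments in one string, so tar receives a single argument (`<app>.tar.gz <app>`) as the archive name and no input path, and rebuilding the signed tarball fails; it should be `tar -zcvf '${{ env.APP_NAME }}.tar.gz' '${{ env.APP_NAME }}'`. More generally, single-quoting `${{ }}` expressions inside `run:` scripts (the `cd '${{ env.APP_NAME }}'` lines, the `occ integrity:sign-app` arguments, the existing `echo '${{ secrets.APP_PRIVATE_KEY }}' > ...`) is not a hardening: GitHub substitutes the value into the script text before bash parses it, so a value containing a `'` still terminates the quotes. The robust pattern is to pass each value through an `env:` entry on the step (e.g. `env: { APP: '${{ env.APP_NAME }}' }`) and reference `"$APP"` in the script, which is presumably what a change titled "harden" intends. The values involved (APP_NAME, package.json engines, info.xml min-version) appear to be repository-controlled, so the practical exposure looks low, but quoting in the `with:` blocks changes only YAML parsing of a string that already starts with `$` and affects nothing at runtime.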
50 changes: 25 additions & 25 deletions .github/workflows/appstore-conventional-build-publish.yml
Expand Up @@ -35,14 +35,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'

- name: Conventional Changelog Action
id: changelog
uses: TriPSs/conventional-changelog-action@b7f32a8347e86c26ea2f4823cc7c160b9014c6a0 # v3
working-directory: ${{ env.APP_NAME }}
working-directory: '${{ env.APP_NAME }}'
with:
github-token: ${{ secrets.RELEASE_PAT }}
github-token: '${{ secrets.RELEASE_PAT }}'
git-user-email: [email protected]
git-user-name: Nextcloud Command Bot
skip-git-pull: "true"
Expand All @@ -55,7 +55,7 @@ jobs:
id: appinfo
uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master
with:
filename: ${{ env.APP_NAME }}/appinfo/info.xml
filename: '${{ env.APP_NAME }}/appinfo/info.xml'
expression: "//info//dependencies//nextcloud/@min-version"

- name: Read package.json node and npm engines version
Expand All @@ -65,47 +65,47 @@ jobs:
# Continue if no package.json
continue-on-error: true
with:
path: ${{ env.APP_NAME }}
path: '${{ env.APP_NAME }}'
fallbackNode: '^20'
fallbackNpm: '^9'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"

- name: Set up php ${{ env.PHP_VERSION }}
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2
with:
php-version: ${{ env.PHP_VERSION }}
php-version: '${{ env.PHP_VERSION }}'
coverage: none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Install Krankerl
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
wget https://github.com/ChristophWurst/krankerl/releases/download/v0.14.0/krankerl_0.14.0_amd64.deb
sudo dpkg -i krankerl_0.14.0_amd64.deb

- name: Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl
- name: 'Package ${{ env.APP_NAME }} ${{ env.APP_VERSION }} with krankerl'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
cd ${{ env.APP_NAME }}
cd '${{ env.APP_NAME }}'
krankerl package

- name: Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
- name: 'Checkout server ${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
if: ${{ steps.changelog.outputs.skipped == 'false' }}
continue-on-error: true
id: server-checkout
run: |
NCVERSION=${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}
NCVERSION='${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'
wget --quiet https://download.nextcloud.com/server/releases/latest-$NCVERSION.zip
unzip latest-$NCVERSION.zip

Expand All @@ -121,7 +121,7 @@ jobs:
if: ${{ steps.changelog.outputs.skipped == 'false' }}
run: |
# Extracting release
cd ${{ env.APP_NAME }}/build/artifacts
cd '${{ env.APP_NAME }}/build/artifacts'
tar -xvf ${{ env.APP_NAME }}.tar.gz
cd ../../../
# Setting up keys
Expand All @@ -130,7 +130,7 @@ jobs:
# Signing
php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
# Rebuilding archive
cd ${{ env.APP_NAME }}/build/artifacts
cd '${{ env.APP_NAME }}/build/artifacts'
tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}

- name: Push tag to releases organization
Expand All @@ -144,18 +144,18 @@ jobs:
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
id: attach_to_release
with:
repo_token: ${{ secrets.RELEASE_PAT }}
repo_name: nextcloud-releases/${{ env.APP_NAME }}
file: ${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz
asset_name: ${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz
tag: ${{ steps.changelog.outputs.tag }}
repo_token: '${{ secrets.RELEASE_PAT }}'
repo_name: 'nextcloud-releases/${{ env.APP_NAME }}'
file: '${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}.tar.gz'
asset_name: '${{ env.APP_NAME }}-${{ env.APP_VERSION }}.tar.gz'
tag: '${{ steps.changelog.outputs.tag }}'
overwrite: true

- name: Upload app to Nextcloud appstore
if: ${{ steps.changelog.outputs.skipped == 'false' }}
uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1
with:
app_name: ${{ env.APP_NAME }}
appstore_token: ${{ secrets.APPSTORE_TOKEN }}
download_url: ${{ steps.attach_to_release.outputs.browser_download_url }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
app_name: '{{ env.APP_NAME }}'
appstore_token: '${{ secrets.APPSTORE_TOKEN }}'
download_url: '${{ steps.attach_to_release.outputs.browser_download_url }}'
app_private_key: '${{ secrets.APP_PRIVATE_KEY }}'
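Review bot: The appstore push step now passes `app_name: '{{ env.APP_NAME }}'` without the leading `$`, so GitHub performs no expression substitution and the action receives the literal string `{{ env.APP_NAME }}` as the app name; the line should read `app_name: '${{ env.APP_NAME }}'`. The Sign app step in this file was also left with unquoted `tar -xvf ${{ env.APP_NAME }}.tar.gz`, `occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key ...` and `tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}` lines, which is inconsistent with the equivalent hunk in appstore-build-publish.yml. As in that file, quoting an expression inside `run:` (for example `NCVERSION='${{ fromJSON(steps.appinfo.outputs.result).nextcloud.min-version }}'`) is substituted before the shell sees the script, so it is not an injection mitigation; routing the value through `env:` and using `"$NCVERSION"` in the wget and unzip lines would be. The Sign app step begins, and the Checkout server step ends, outside the visible hunk lines.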
2 changes: 1 addition & 1 deletion .github/workflows/block-unconventional-commits.yml
Expand Up @@ -31,4 +31,4 @@ jobs:

- uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
2 changes: 1 addition & 1 deletion .github/workflows/fixup.yml
Expand Up @@ -33,4 +33,4 @@ jobs:
- name: Run check
uses: skjnldsv/block-fixup-merge-action@c138ea99e45e186567b64cf065ce90f7158c236a # v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: '${{ secrets.GITHUB_TOKEN }}'
6 changes: 3 additions & 3 deletions .github/workflows/lint-eslint.yml
Expand Up @@ -62,12 +62,12 @@ jobs:
fallbackNode: '^20'
fallbackNpm: '^9'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
- name: 'Set up npm ${{ steps.versions.outputs.npmVersion }}'
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"

- name: Install dependencies
2 changes: 1 addition & 1 deletion .github/workflows/lint-php-cs.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
coverage: none
ini-file: development
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Install dependencies
run: composer i
6 changes: 3 additions & 3 deletions .github/workflows/lint-php.yml
Expand Up @@ -30,14 +30,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set up php ${{ matrix.php-versions }}
- name: 'Set up php ${{ matrix.php-versions }}'
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2
with:
php-version: ${{ matrix.php-versions }}
php-version: '${{ matrix.php-versions }}'
coverage: none
ini-file: development
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

- name: Lint
run: composer run lint
12 changes: 6 additions & 6 deletions .github/workflows/npm-audit-fix.yml
Expand Up @@ -23,13 +23,13 @@ jobs:
matrix:
branches: ['main', 'stable3.7', 'stable3.6']

name: npm-audit-fix-${{ matrix.branches }}
name: 'npm-audit-fix-${{ matrix.branches }}'

steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ matrix.branches }}
ref: '${{ matrix.branches }}'

- name: Read package.json node and npm engines version
uses: skjnldsv/read-package-engines-version-actions@8205673bab74a63eb9b8093402fd9e0e018663a1 # v2.2
Expand All @@ -38,10 +38,10 @@ jobs:
fallbackNode: '^20'
fallbackNpm: '^10'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
- name: 'Set up node ${{ steps.versions.outputs.nodeVersion }}'
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
node-version: '${{ steps.versions.outputs.nodeVersion }}'

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
Expand All @@ -54,12 +54,12 @@ jobs:
if: always()
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7
with:
token: ${{ secrets.COMMAND_BOT_PAT }}
token: '${{ secrets.COMMAND_BOT_PAT }}'
commit-message: "fix(deps): Apply npm audit fix"
committer: GitHub <[email protected]>
author: nextcloud-command <[email protected]>
signoff: true
branch: automated/noid/${{ matrix.branches }}-fix-npm-audit
branch: 'automated/noid/${{ matrix.branches }}-fix-npm-audit'
title: "fix(deps): Apply npm audit fix"
body: |
Auto-generated fix of npm audit