Update braces
to resolve CVE-2024-4068
#82
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
workflow_dispatch: | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout PR | |
if: github.event_name == 'pull_request' | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Checkout | |
if: github.event_name != 'pull_request' | |
uses: actions/checkout@v4 | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '11' | |
distribution: 'adopt' | |
server-id: coremedia.external.releases | |
server-username: PLUGINS_NEXUS_USER | |
server-password: PLUGINS_NEXUS_PASSWORD | |
- name: Cache Maven Repo | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Setup PNPM | |
uses: pnpm/action-setup@v2 | |
with: | |
version: 8 | |
- name: Setup NodeJS | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18 | |
cache: 'pnpm' | |
cache-dependency-path: "studio-client/pnpm-lock.yaml" | |
- name: Setup npm.coremedia.io | |
run: | | |
NPM_AUTH_TOKEN=$(curl -s -H "Accept: application/json" -H "Content-Type:application/json" -X PUT --data '{"name": "${{ secrets.CM_NPM_USER }}", "password": "${{ secrets.CM_NPM_READ_ONLY_PASSWORD }}"}' https://npm.coremedia.io/-/user/org.couchdb.user:${{ secrets.CM_NPM_USER }} | jq -r .token) | |
echo "::add-mask::$NPM_AUTH_TOKEN" | |
pnpm config set //npm.coremedia.io/:_authToken=$NPM_AUTH_TOKEN | |
pnpm config set @coremedia:registry=https://npm.coremedia.io | |
pnpm config set @jangaroo:registry=https://npm.coremedia.io | |
- name: Setup Git | |
if: github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') | |
run: | | |
git config --global user.name 'coremedia-ci' | |
git config --global user.email 'coremedia-ci@coremedia.com' | |
- name: Install PNPM Dependencies | |
working-directory: studio-client | |
run: pnpm install | |
- name: Set Release Version | |
id: set-release-version | |
if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' | |
env: | |
PLUGINS_NEXUS_USER: ${{ secrets.PLUGINS_NEXUS_USER }} | |
PLUGINS_NEXUS_PASSWORD: ${{ secrets.PLUGINS_NEXUS_PASSWORD }} | |
run: | | |
mvn --batch-mode org.codehaus.mojo:versions-maven-plugin:2.8.1:set -DremoveSnapshot -DartifactId='*' | |
release_version=$(mvn --batch-mode org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) | |
cd studio-client | |
pnpm set-version ${release_version} | |
cd .. | |
git add . | |
git commit -m "set release version: ${release_version}" | |
release_tag="v${release_version}" | |
git tag "${release_tag}" | |
echo "version=${release_version}" >> $GITHUB_OUTPUT | |
echo "tag=${release_tag}" >> $GITHUB_OUTPUT | |
- name: Output Version | |
id: output-version | |
env: | |
PLUGINS_NEXUS_USER: ${{ secrets.PLUGINS_NEXUS_USER }} | |
PLUGINS_NEXUS_PASSWORD: ${{ secrets.PLUGINS_NEXUS_PASSWORD }} | |
run: | | |
version=$(mvn --batch-mode org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) | |
echo "version=${version}" >> $GITHUB_OUTPUT | |
- name: Build with Pnpm | |
working-directory: studio-client | |
run: | | |
pnpm -r build | |
pnpm -r package | |
- name: Build with Maven | |
env: | |
PLUGINS_NEXUS_USER: ${{ secrets.PLUGINS_NEXUS_USER }} | |
PLUGINS_NEXUS_PASSWORD: ${{ secrets.PLUGINS_NEXUS_PASSWORD }} | |
run: mvn --batch-mode --update-snapshots install | |
- name: Update license info | |
if: github.event_name == 'pull_request' | |
env: | |
PLUGINS_NEXUS_USER: ${{ secrets.PLUGINS_NEXUS_USER }} | |
PLUGINS_NEXUS_PASSWORD: ${{ secrets.PLUGINS_NEXUS_PASSWORD }} | |
run: | | |
mvn --batch-mode -Pdocs-third-party generate-resources | |
if [ -n "$(git status --porcelain documentation)" ]; then | |
git add documentation | |
git commit -m "update license information" | |
git push | |
fi | |
- name: Create Bundle | |
env: | |
VERSION: ${{ steps.output-version.outputs.version }} | |
DESCRIPTOR_TEMPLATE: 'content-hub-adapter-rss.json' | |
CREATE_RELEASE: ${{ github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }} | |
RELEASE_TAG: ${{ steps.set-release-version.outputs.tag }} | |
URL_PATTERN: 'https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE_TAG}/${REL_FILE}' | |
run: | | |
mkdir -p target/bundle | |
RESULT="$(cat ${DESCRIPTOR_TEMPLATE})" | |
APPS=$(cat ${DESCRIPTOR_TEMPLATE} | jq -r '.plugins | keys[]') | |
for APP in ${APPS}; do | |
FILE_TEMPLATE=$(cat ${DESCRIPTOR_TEMPLATE} | jq -r --arg APP "${APP}" '.plugins[$APP].file') | |
FILE=$(eval echo ${FILE_TEMPLATE}) | |
REL_FILE=$(echo "${FILE}" | sed 's#.*/##g') | |
cp "${FILE}" target/bundle | |
if [ "${CREATE_RELEASE}" = true ]; then | |
URL=$(eval echo ${URL_PATTERN}) | |
RESULT="$(echo ${RESULT} | jq -r --arg APP "${APP}" --arg URL "${URL}" '.plugins[$APP] = {"url": $URL}')" | |
else | |
RESULT="$(echo ${RESULT} | jq -r --arg APP "${APP}" --arg REL_FILE "${REL_FILE}" '.plugins[$APP] = {"file": $REL_FILE}')" | |
fi | |
done | |
echo "${RESULT}" > "target/bundle/$(echo ${DESCRIPTOR_TEMPLATE} | sed 's#.*/##g' | cut -d '.' -f1)-${VERSION}.json" | |
- name: Set Next Snapshot Version | |
id: set-snapshot-version | |
if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' | |
env: | |
PLUGINS_NEXUS_USER: ${{ secrets.PLUGINS_NEXUS_USER }} | |
PLUGINS_NEXUS_PASSWORD: ${{ secrets.PLUGINS_NEXUS_PASSWORD }} | |
run: | | |
mvn --batch-mode org.codehaus.mojo:versions-maven-plugin:2.8.1:set -DnextSnapshot -DartifactId='*' | |
snapshot_version=$(mvn --batch-mode org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) | |
cd studio-client | |
pnpm set-version ${snapshot_version} | |
cd .. | |
git add . | |
git commit -m "set next snapshot version" | |
git push && git push --tags | |
echo "version=${snapshot_version}" >> $GITHUB_OUTPUT | |
- name: Upload Build Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: content-hub-adapter-rss-${{ steps.output-version.outputs.version }} | |
path: target/bundle | |
if-no-files-found: error | |
- name: Upload Release Artifacts | |
if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: v${{ steps.set-release-version.outputs.version }} | |
files: target/bundle/* |