fix(CI): adress zimor warnings in the release workflow (#11916)
* address zizmor warnings - https://github.com/inventree/InvenTree/security/code-scanning/346 - https://github.com/inventree/InvenTree/security/code-scanning/345 - https://github.com/inventree/InvenTree/security/code-scanning/344 - https://github.com/inventree/InvenTree/security/code-scanning/343 * address https://github.com/inventree/InvenTree/security/code-scanning/232 * fix template injection * revert change * collected improvements * use native action
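--- a/PLACEHOLDER_release_workflow_path
+++ b/PLACEHOLDER_release_workflow_path
@@ -789,13 +789,5 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
 with:
 persist-credentials: false
-- uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # pin@v2
-- name: Run zizmor
-run: uvx zizmor --format sarif . > results.sarif
-env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-- name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # pin@v3
-with:
-sarif_file: results.sarif
-category: zizmor
+- name: Run zizmor 🌈
+uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
@@ -78,26 +78,21 @@ jobs:
 subject-path: "${{ github.workspace }}/src/backend/InvenTree/web/static/frontend-build.zip"
 
 - name: Upload frontend
-uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # pin@2.11.5
-with:
-repo_token: ${{ secrets.GITHUB_TOKEN }}
-file: src/backend/InvenTree/web/static/frontend-build.zip
-asset_name: frontend-build.zip
-tag: ${{ github.ref }}
-overwrite: true
+run: gh release upload ${REF} src/backend/InvenTree/web/static/frontend-build.zip#frontend-build.zip
+env:
+REF: ${{ github.ref_name }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload frontend to artifacts
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # pin@v7.0.1
 with:
 name: frontend-build
 path: src/backend/InvenTree/web/static/frontend-build.zip
 - name: Upload Attestation
-uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # pin@2.11.5
-with:
-repo_token: ${{ secrets.GITHUB_TOKEN }}
-asset_name: frontend-build.intoto.jsonl
-file: ${{ steps.attest.outputs.bundle-path}}
-tag: ${{ github.ref }}
-overwrite: true
+run: gh release upload ${REF} ${BUNDLE_PATH}#frontend-build.intoto.jsonl
+env:
+REF: ${{ github.ref_name }}
+BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path}}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 docs:
 runs-on: ubuntu-24.04
@@ -134,13 +129,10 @@ jobs:
 cd docs/site
 zip -r docs-html.zip *
 - name: Publish documentation
-uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # pin@2.11.5
-with:
-repo_token: ${{ secrets.GITHUB_TOKEN }}
-file: docs/site/docs-html.zip
-asset_name: docs-html.zip
-tag: ${{ github.ref }}
-overwrite: true
+run: gh release upload ${REF} docs/site/docs-html.zip#docs-html.zip
+env:
+REF: ${{ github.ref_name }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 build-pkgr:
 if: github.repository == 'inventree/InvenTree'
@@ -244,10 +236,9 @@ jobs:
 channel: ${{ env.pkg_channel }}
 file: ${{ steps.package.outputs.package_path }}
 - name: Publish to artifact
-uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # pin@2.11.5
-with:
-repo_token: ${{ secrets.GITHUB_TOKEN }}
-file: ${{ steps.package.outputs.package_path }}
-asset_name: ${{ matrix.target }}-{{ steps.setup.outputs.version }}.tar.gz
-tag: ${{ github.ref }}
-overwrite: true
+run: gh release upload ${REF} ${PACKAGE_PATH}#${PACKAGE_NAME}
+env:
+REF: ${{ github.ref_name }}
+PACKAGE_PATH: ${{ steps.package.outputs.package_path }}
+PACKAGE_NAME: ${{ matrix.target }}-{{ steps.setup.outputs.version }}.tar.gz
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}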
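Review bot: In the `@@ -244,10 +236,9` hunk, `PACKAGE_NAME: ${{ matrix.target }}-{{ steps.setup.outputs.version }}.tar.gz` is missing the `$` before the second expression (carried over from the removed `asset_name` line), so the asset name contains the literal text `{{ steps.setup.outputs.version }}`, and because `${PACKAGE_PATH}#${PACKAGE_NAME}` is expanded unquoted in the run line, the spaces in that literal make the shell split it into several arguments; fix with `PACKAGE_NAME: ${{ matrix.target }}-${{ steps.setup.outputs.version }}.tar.gz` and `run: gh release upload --clobber "${REF}" "${PACKAGE_PATH}#${PACKAGE_NAME}"`. The four replaced upload steps also drop the `overwrite: true` the old action had: `gh release upload` refuses to replace an existing asset unless `--clobber` is passed, so a re-run of the release job after a partial failure will now error on the second attempt; the same applies to the `gh release upload` lines in the `@@ -78,26 +78,21` and `@@ -134,13 +129,10` hunks. Moving the expressions into `env:` is the right fix for the template-injection finding, and quoting the expansions in every run line (`"${REF}"`, `"${BUNDLE_PATH}#frontend-build.intoto.jsonl"`) keeps that property if a step output ever contains whitespace. Each step's enclosing job starts outside its hunk.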