Correctly sanitize input everywhere #7140
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "node.js build" | |
| on: | |
| pull_request: | |
| push: | |
| tags: | |
| - "*" | |
| - "!py-*" | |
| jobs: | |
| prebuild: | |
| name: Prebuild | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [macos-latest, windows-latest] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| show-progress: false | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "18" | |
| - name: System info | |
| run: | | |
| rustc -vV | |
| rustup -vV | |
| cargo -vV | |
| npm --version | |
| node --version | |
| - name: Cache node modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ${{ env.APPDATA }}/npm-cache | |
| ~/.npm | |
| key: ${{ matrix.os }}-node-${{ hashFiles('**/package.json') }} | |
| - name: Cache cargo index | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry/ | |
| ~/.cargo/git | |
| target | |
| key: ${{ matrix.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}-2 | |
| - name: Install dependencies & build | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: node | |
| run: npm install --verbose | |
| - name: Build Prebuild | |
| working-directory: node | |
| run: | | |
| npm run prebuildify | |
| tar -zcvf "${{ matrix.os }}.tar.gz" -C prebuilds . | |
| - name: Upload Prebuild | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.os }} | |
| path: node/${{ matrix.os }}.tar.gz | |
| prebuild-linux: | |
| name: Prebuild Linux | |
| runs-on: ubuntu-latest | |
| # Build Linux prebuilds inside a container with old glibc for backwards compatibility. | |
| # Debian 10 contained glibc 2.28: https://packages.debian.org/buster/libc6 | |
| container: debian:10 | |
| steps: | |
| # Working directory is owned by 1001:1001 by default. | |
| # Change it to our user. | |
| - name: Change working directory owner | |
| run: chown root:root . | |
| - uses: actions/checkout@v4 | |
| with: | |
| show-progress: false | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "18" | |
| - run: apt-get update | |
| # Python is needed for node-gyp | |
| - name: Install curl, python and compilers | |
| run: apt-get install -y curl build-essential python3 | |
| - name: Install Rust | |
| run: | | |
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y | |
| echo "$HOME/.cargo/bin" >> $GITHUB_PATH | |
| - name: System info | |
| run: | | |
| rustc -vV | |
| rustup -vV | |
| cargo -vV | |
| npm --version | |
| node --version | |
| - name: Cache node modules | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ${{ env.APPDATA }}/npm-cache | |
| ~/.npm | |
| key: ${{ matrix.os }}-node-${{ hashFiles('**/package.json') }} | |
| - name: Cache cargo index | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry/ | |
| ~/.cargo/git | |
| target | |
| key: ${{ matrix.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}-2 | |
| - name: Install dependencies & build | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: node | |
| run: npm install --verbose | |
| - name: Build Prebuild | |
| working-directory: node | |
| run: | | |
| npm run prebuildify | |
| tar -zcvf "linux.tar.gz" -C prebuilds . | |
| - name: Upload Prebuild | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: linux | |
| path: node/linux.tar.gz | |
| pack-module: | |
| needs: [prebuild, prebuild-linux] | |
| name: Package deltachat-node and upload to download.delta.chat | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install tree | |
| run: sudo apt install tree | |
| - uses: actions/checkout@v4 | |
| with: | |
| show-progress: false | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "18" | |
| - name: Get tag | |
| id: tag | |
| uses: dawidd6/action-get-tag@v1 | |
| continue-on-error: true | |
| - name: Get Pull Request ID | |
| id: prepare | |
| run: | | |
| tag=${{ steps.tag.outputs.tag }} | |
| if [ -z "$tag" ]; then | |
| node -e "console.log('DELTACHAT_NODE_TAR_GZ=deltachat-node-' + '${{ github.ref }}'.split('/')[2] + '.tar.gz')" >> $GITHUB_ENV | |
| else | |
| echo "DELTACHAT_NODE_TAR_GZ=deltachat-node-${{ steps.tag.outputs.tag }}.tar.gz" >> $GITHUB_ENV | |
| echo "No preview will be uploaded this time, but the $tag release" | |
| fi | |
| - name: System info | |
| run: | | |
| rustc -vV | |
| rustup -vV | |
| cargo -vV | |
| npm --version | |
| node --version | |
| echo $DELTACHAT_NODE_TAR_GZ | |
| - name: Download Linux prebuild | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: linux | |
| - name: Download macOS prebuild | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: macos-latest | |
| - name: Download Windows prebuild | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: windows-latest | |
| - shell: bash | |
| run: | | |
| mkdir node/prebuilds | |
| tar -xvzf linux.tar.gz -C node/prebuilds | |
| tar -xvzf macos-latest.tar.gz -C node/prebuilds | |
| tar -xvzf windows-latest.tar.gz -C node/prebuilds | |
| tree node/prebuilds | |
| rm -f linux.tar.gz macos-latest.tar.gz windows-latest.tar.gz | |
| - name: Install dependencies without running scripts | |
| run: | | |
| npm install --ignore-scripts | |
| - name: Build constants | |
| run: | | |
| npm run build:core:constants | |
| - name: Build TypeScript part | |
| run: | | |
| npm run build:bindings:ts | |
| - name: Package | |
| shell: bash | |
| run: | | |
| mv node/README.md README.md | |
| npm pack . | |
| ls -lah | |
| mv $(find deltachat-node-*) $DELTACHAT_NODE_TAR_GZ | |
| - name: Upload prebuild | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: deltachat-node.tgz | |
| path: ${{ env.DELTACHAT_NODE_TAR_GZ }} | |
| # Upload to download.delta.chat/node/preview/ | |
| - name: Upload deltachat-node preview to download.delta.chat/node/preview/ | |
| if: ${{ ! steps.tag.outputs.tag }} | |
| id: upload-preview | |
| shell: bash | |
| run: | | |
| echo -e "${{ secrets.SSH_KEY }}" >__TEMP_INPUT_KEY_FILE | |
| chmod 600 __TEMP_INPUT_KEY_FILE | |
| scp -o StrictHostKeyChecking=no -v -i __TEMP_INPUT_KEY_FILE -P "22" -r $DELTACHAT_NODE_TAR_GZ "${{ secrets.USERNAME }}"@"download.delta.chat":"/var/www/html/download/node/preview/" | |
| continue-on-error: true | |
| - name: Post links to details | |
| if: steps.upload-preview.outcome == 'success' | |
| run: node ./node/scripts/postLinksToDetails.js | |
| env: | |
| URL: preview/${{ env.DELTACHAT_NODE_TAR_GZ }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Upload to download.delta.chat/node/ | |
| - name: Upload deltachat-node build to download.delta.chat/node/ | |
| if: ${{ steps.tag.outputs.tag }} | |
| id: upload | |
| shell: bash | |
| run: | | |
| echo -e "${{ secrets.SSH_KEY }}" >__TEMP_INPUT_KEY_FILE | |
| chmod 600 __TEMP_INPUT_KEY_FILE | |
| scp -o StrictHostKeyChecking=no -v -i __TEMP_INPUT_KEY_FILE -P "22" -r $DELTACHAT_NODE_TAR_GZ "${{ secrets.USERNAME }}"@"download.delta.chat":"/var/www/html/download/node/" |