mirror of
https://github.com/electron/electron.git
synced 2026-04-10 03:01:51 -04:00
9928c7d828
* fix: harden GitHub Actions against script injection vulnerabilities
Replace direct ${{ }} expression interpolation in run: blocks with
environment variables to prevent script injection attacks. Changes:
- archaeologist-dig.yml: move clone_url, head.sha, base.ref to env vars
- non-maintainer-dependency-change.yml: move user.login to env var
- issue-unlabeled.yml: move toJSON(labels) to env var
- issue-labeled.yml: move issue.number to env var
- pipeline-electron-lint.yml: validate chromium_revision format
- cipd-install/action.yml: move all inputs to env vars and quote them
- set-chromium-cookie/action.yml: reference secrets via $ENV_VAR
- Add security comments to all 5 pull_request_target workflows
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
* fix: allow version strings in chromium_revision validation
The previous regex `^[a-f0-9]+$` only matched git SHAs but
chromium_revision is a version string like `148.0.7741.0`.
Broaden to `^[a-zA-Z0-9._-]+$` which still blocks shell
metacharacters.
https://claude.ai/code/session_01UUWmLxn5hyyxrhK8rGxU2s
---------
Co-authored-by: Claude <noreply@anthropic.com>
103 lines
3.9 KiB
YAML
103 lines
3.9 KiB
YAML
name: Electron Lint
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
container:
|
|
required: true
|
|
description: 'Container to run lint in'
|
|
type: string
|
|
|
|
permissions: {}
|
|
|
|
concurrency:
|
|
group: electron-lint-${{ github.ref_protected == true && github.run_id || github.ref }}
|
|
cancel-in-progress: ${{ github.ref_protected != true }}
|
|
|
|
env:
|
|
CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
|
|
|
|
jobs:
|
|
lint:
|
|
name: Lint
|
|
runs-on: electron-arc-centralus-linux-amd64-4core
|
|
permissions:
|
|
contents: read
|
|
timeout-minutes: 20
|
|
container: ${{ fromJSON(inputs.container) }}
|
|
steps:
|
|
- name: Checkout Electron
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
|
|
with:
|
|
path: src/electron
|
|
fetch-depth: 0
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
- name: Install Dependencies
|
|
uses: ./src/electron/.github/actions/install-dependencies
|
|
- name: Set Chromium Git Cookie
|
|
uses: ./src/electron/.github/actions/set-chromium-cookie
|
|
- name: Setup third_party Depot Tools
|
|
shell: bash
|
|
run: |
|
|
# "depot_tools" has to be checkout into "//third_party/depot_tools" so pylint.py can a "pylintrc" file.
|
|
git clone --filter=tree:0 https://chromium.googlesource.com/chromium/tools/depot_tools.git src/third_party/depot_tools
|
|
echo "$(pwd)/src/third_party/depot_tools" >> $GITHUB_PATH
|
|
- name: Download GN Binary
|
|
shell: bash
|
|
run: |
|
|
chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
|
|
if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
|
|
echo "::error::Invalid chromium_revision: $chromium_revision"
|
|
exit 1
|
|
fi
|
|
gn_version="$(curl -sL -b ~/.gitcookies "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/DEPS?format=TEXT" | base64 -d | grep gn_version | head -n1 | cut -d\' -f4)"
|
|
|
|
cipd ensure -ensure-file - -root . <<-CIPD
|
|
\$ServiceURL https://chrome-infra-packages.appspot.com/
|
|
@Subdir src/buildtools/linux64
|
|
gn/gn/linux-amd64 $gn_version
|
|
CIPD
|
|
|
|
buildtools_path="$(pwd)/src/buildtools"
|
|
echo "CHROMIUM_BUILDTOOLS_PATH=$buildtools_path" >> $GITHUB_ENV
|
|
- name: Download clang-format Binary
|
|
shell: bash
|
|
run: |
|
|
chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
|
|
if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
|
|
echo "::error::Invalid chromium_revision: $chromium_revision"
|
|
exit 1
|
|
fi
|
|
|
|
mkdir -p src/buildtools
|
|
curl -sL -b ~/.gitcookies "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/buildtools/DEPS?format=TEXT" | base64 -d > src/buildtools/DEPS
|
|
|
|
gclient sync --spec="solutions=[{'name':'src/buildtools','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':True},'managed':False}]"
|
|
- name: Add problem matchers
|
|
shell: bash
|
|
run: |
|
|
echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
|
|
echo "::add-matcher::src/electron/.github/problem-matchers/markdownlint.json"
|
|
- name: Run Lint
|
|
shell: bash
|
|
run: |
|
|
# gn.py tries to find a gclient root folder starting from the current dir.
|
|
# When it fails and returns "None" path, the whole script fails. Let's "fix" it.
|
|
touch .gclient
|
|
# Another option would be to checkout "buildtools" inside the Electron checkout,
|
|
# but then we would lint its contents (at least gn format), and it doesn't pass it.
|
|
|
|
cd src/electron
|
|
node script/yarn.js install --immutable
|
|
node script/yarn.js lint
|
|
- name: Run Script Typechecker
|
|
shell: bash
|
|
run: |
|
|
cd src/electron
|
|
node script/yarn.js tsc -p tsconfig.script.json
|
|
- name: Check GHA Workflows
|
|
shell: bash
|
|
run: |
|
|
cd src/electron
|
|
node script/copy-pipeline-segment-publish.js --check
|