Backup_Repos/code-server
1
0
Fork 0
mirror of https://github.com/cdr/code-server.git synced 2026-04-02 03:23:17 +02:00
Code Issues Projects Releases Wiki Activity

fix: pin 17 unpinned action(s),extract 7 unsafe expression(s) to env vars

Browse source 
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/build.yaml   |  8 ++++----
 .github/workflows/publish.yaml | 28 +++++++++++++++++-----------
 .github/workflows/release.yaml | 26 +++++++++++++++++---------
 3 files changed, 38 insertions(+), 24 deletions(-)
This commit is contained in:
Chris Nyhuis 2026-03-26 15:11:23 -04:00
parent ada3489acf
commit 86000a5a47
3 changed files with 38 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.github/workflows/build.yaml vendored
View file

@ -34,7 +34,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@v6
- name: Check changed files
uses: dorny/paths-filter@v3
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
id: filter
with:
filters: |
@ -98,7 +98,7 @@ jobs:
if: needs.changes.outputs.helm == 'true'
steps:
- uses: actions/checkout@v6
- uses: azure/setup-helm@v4
- uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: helm plugin install https://github.com/instrumenta/helm-kubeval
@ -151,7 +151,7 @@ jobs:
test/package-lock.json
- run: SKIP_SUBMODULE_DEPS=1 npm ci
- run: npm run test:unit
- uses: codecov/codecov-action@v5
- uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
if: success()
with:
token: ${{ secrets.CODECOV_TOKEN }}
@ -167,7 +167,7 @@ jobs:
with:
submodules: true
- run: sudo apt update && sudo apt install -y libkrb5-dev
- uses: awalsh128/cache-apt-pkgs-action@latest
- uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
with:
packages: quilt
version: 1.0

28
.github/workflows/publish.yaml vendored
View file

@ -33,7 +33,7 @@ jobs:
node-version-file: .node-version
- name: Download npm package from release artifacts
uses: robinraju/release-downloader@v1.12
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
with:
repository: "coder/code-server"
tag: ${{ github.event.inputs.version || github.ref_name }}
@ -43,9 +43,11 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ github.event.inputs.version || github.ref_name }}"
TAG="${INPUT_VERSION}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }}
- run: npm run publish:npm
env:
VERSION: ${{ env.VERSION }}
@ -88,11 +90,13 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ github.event.inputs.version || github.ref_name }}"
TAG="${INPUT_VERSION}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }}
- name: Validate package
uses: heyhusen/archlinux-package-action@v3.0.0
uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0
env:
VERSION: ${{ env.VERSION }}
with:
@ -119,19 +123,19 @@ jobs:
uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
@ -140,11 +144,13 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ github.event.inputs.version || github.ref_name }}"
TAG="${INPUT_VERSION}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }}
- name: Download deb artifacts
uses: robinraju/release-downloader@v1.12
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
with:
repository: "coder/code-server"
tag: v${{ env.VERSION }}
@ -152,7 +158,7 @@ jobs:
out-file-path: "release-packages"
- name: Download rpm artifacts
uses: robinraju/release-downloader@v1.12
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
with:
repository: "coder/code-server"
tag: v${{ env.VERSION }}

26
.github/workflows/release.yaml vendored
View file

@ -111,14 +111,16 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ inputs.version || github.ref_name }}"
TAG="${REF_NAME}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
REF_NAME: ${{ inputs.version || github.ref_name }}
- env:
VERSION: ${{ env.VERSION }}
run: npm run package $PKG_ARCH
- uses: softprops/action-gh-release@v1
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
draft: true
discussion_category_name: "📣 Announcements"
@ -171,15 +173,17 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ inputs.version || github.ref_name }}"
TAG="${REF_NAME}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
REF_NAME: ${{ inputs.version || github.ref_name }}
- name: Build packages with nfpm
env:
VERSION: ${{ env.VERSION }}
run: npm run package
- uses: softprops/action-gh-release@v1
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
draft: true
discussion_category_name: "📣 Announcements"
@ -232,15 +236,17 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ inputs.version || github.ref_name }}"
TAG="${REF_NAME}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
REF_NAME: ${{ inputs.version || github.ref_name }}
- name: Build packages with nfpm
env:
VERSION: ${{ env.VERSION }}
run: npm run package
- uses: softprops/action-gh-release@v1
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
draft: true
discussion_category_name: "📣 Announcements"
@ -257,7 +263,7 @@ jobs:
with:
name: npm-release-package
- uses: softprops/action-gh-release@v1
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
draft: true
discussion_category_name: "📣 Announcements"
@ -269,7 +275,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Download artifacts
uses: dawidd6/action-download-artifact@v16
uses: dawidd6/action-download-artifact@2536c51d3d126276eb39f74d6bc9c72ac6ef30d3 # v16
id: download
with:
branch: ${{ github.ref }}
@ -284,9 +290,11 @@ jobs:
# Strip out the v (v4.9.1 -> 4.9.1).
- name: Get and set VERSION
run: |
TAG="${{ inputs.version || github.ref_name }}"
TAG="${REF_NAME}"
echo "VERSION=${TAG#v}" >> $GITHUB_ENV
env:
REF_NAME: ${{ inputs.version || github.ref_name }}
- name: Modify version
env:
VERSION: ${{ env.VERSION }}