From 34e3696e254b735bc2d95e82b18cd73f0ceafb3f Mon Sep 17 00:00:00 2001
From: Ewout ter Hoeven
Date: Sat, 21 Nov 2020 22:46:32 +0100
Subject: [PATCH 1/3] CI: Fix CVE-2020-15228 in GitHub Actions Fixes the CVE-2020-15228 security issue in GitHub Actions: > `add-path` and `set-env` Runner commands are processed via stdout set-env was used twice, which is now replaced by >> $GITHUB_ENV - Issue: https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w - Solution: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable)
---
 .github/workflows/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e483ace01b..2b3a75485e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -82,8 +82,8 @@ jobs:
 echo "=== artifact: ${ARTIFACT}"
 # defining environment variables for next step as per
 # https://github.com/actions/starter-workflows/issues/68
- echo "::set-env name=ARTIFACT_PATH::${GITHUB_WORKSPACE}/build/${ARTIFACT}"
- echo "::set-env name=ARTIFACT_FILE::${ARTIFACT}"
+ echo "ARTIFACT_PATH=${GITHUB_WORKSPACE}/build/${ARTIFACT}" >> $GITHUB_ENV
+ echo "ARTIFACT_FILE=${ARTIFACT}" >> $GITHUB_ENV
 zsh -c 'echo "Bundled in $(printf "%0.2f" $(($[$(date +%s)-$(cat bundlestamp)]/$((60.))))) minutes"'
 exit
 - uses: actions/upload-artifact@v1
From 128fc0afb110a4cb215ad60f1301341e3a0bf86d Mon Sep 17 00:00:00 2001
From: Ewout ter Hoeven
Date: Sat, 21 Nov 2020 22:58:08 +0100
Subject: [PATCH 2/3] CI: Specify installing libsigc++ v2.x in GitHub Actions Version 3 of libsigc++ was automatically installed. This commit fixates the version brew installs to 2.x. Should fix #6002
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2b3a75485e..6813965eb0 100644
--- a/.github/workflows/main.yml
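Review bot: In the `@@ -82,8 +82,8 @@` hunk of patch 1/3, both new writes append `${ARTIFACT}` to the environment file without checking it and leave the redirect target unquoted. That file is read one `NAME=value` entry per line, so a value containing a newline would define extra variables for every later step; where `ARTIFACT` is assigned lies above the hunk, so whether that can happen is not visible here. Quoting the target, as in `echo "ARTIFACT_FILE=${ARTIFACT}" >> "$GITHUB_ENV"`, and rejecting an `ARTIFACT` that contains a newline before these two lines would close that off. The context comment still cites starter-workflows issue 68, which (judging by the removed lines) described the `set-env` form; it could read `# export variables to later steps through the $GITHUB_ENV file`.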
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
 mkdir build
 date +%s > build/stamp
 brew uninstall --ignore-dependencies libtiff
- brew install libtiff gtk+3 gtkmm3 gtk-mac-integration adwaita-icon-theme libsigc++ little-cms2 libiptcdata fftw lensfun expat pkgconfig libomp shared-mime-info | tee -a depslog
+ brew install libtiff gtk+3 gtkmm3 gtk-mac-integration adwaita-icon-theme libsigc++@2 little-cms2 libiptcdata fftw lensfun expat pkgconfig libomp shared-mime-info | tee -a depslog
 date -u
 echo "----====Pourage====----"
 cat depslog | grep Pouring
From cccc9694515fd11dad53506f4039f4335576b59f Mon Sep 17 00:00:00 2001
From: Ewout ter Hoeven
Date: Sat, 21 Nov 2020 23:50:04 +0100
Subject: [PATCH 3/3] CI: Use v2 checkout and upload-artifact actions Also replaces macos-10.15 with macos-latest as runner. Currently is references the same environment (macOS 10.15), but this way it will update to macOS 11.0 when it's ready and stable.
---
 .github/workflows/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6813965eb0..4fa09ee98c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,9 +14,9 @@ on:
 - created
 jobs:
 build:
- runs-on: macos-10.15
+ runs-on: macos-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@v2
 - name: Install dependencies
 run: |
 date -u
@@ -86,7 +86,7 @@ jobs:
 echo "ARTIFACT_FILE=${ARTIFACT}" >> $GITHUB_ENV
 zsh -c 'echo "Bundled in $(printf "%0.2f" $(($[$(date +%s)-$(cat bundlestamp)]/$((60.))))) minutes"'
 exit
- - uses: actions/upload-artifact@v1
+ - uses: actions/upload-artifact@v2
 with:
 name: ${{env.ARTIFACT_FILE}}
 path: ${{env.ARTIFACT_PATH}}
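Review bot: In the `@@ -23,7 +23,7 @@` hunk of patch 2/3, the changed `brew install … | tee -a depslog` line reports the exit status of `tee`, so a failed install of the newly pinned `libsigc++@2` would not stop the step unless the shell runs with pipefail. The step's `shell:` setting and the start of the `run:` block are outside the hunk; if no shell is set there, adding `set -o pipefail` at the top of the block would surface the failure. The pin selects the 2.x line rather than an exact version, so the build still takes whichever 2.x build Homebrew serves that day.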
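Review bot: In patch 3/3, `actions/checkout@v2` in the `@@ -14,9 +14,9 @@` hunk and `actions/upload-artifact@v2` in the `@@ -86,7 +86,7 @@` hunk are referenced by mutable tags, and `runs-on: macos-latest` floats too, so the code and image producing the uploaded artifact can change without any commit to this repository. Pinning each action to a full commit SHA, for example `- uses: actions/checkout@<full-commit-sha>  # v2`, keeps what runs in the job reviewable. checkout v2 also leaves the job token in the local git config by default, where the later brew and build steps can read it. If nothing after checkout needs to push (the rest of the job is outside the hunks), add a `with:` block setting `persist-credentials: false` under the checkout step.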