mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-15 11:00:47 +02:00
62ec512dda
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.11.1 to 2.12.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.12.0</h2> <h2>What's Changed</h2> <ol> <li> <p>A new option, <code>disable-sudo-and-containers</code>, is now available to replace the <code>disable-sudo policy</code>, addressing Docker-based privilege escalation (<a href="https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r">CVE-2025-32955</a>). More details can be found in this <a href="https://www.stepsecurity.io/blog/evolving-harden-runners-disable-sudo-policy-for-improved-runner-security">blog post</a>.</p> </li> <li> <p>New detections have been added based on insights from the tj-actions and reviewdog actions incidents.</p> </li> </ol> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2...v2.12.0">https://github.com/step-security/harden-runner/compare/v2...v2.12.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0"><code>0634a26</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/541">#541</a> from step-security/rc-20</li> <li><a href="https://github.com/step-security/harden-runner/commit/2e3c5113419044c10e6826351ff7cf7d56cbebe4"><code>2e3c511</code></a> Update action.yml</li> <li><a href="https://github.com/step-security/harden-runner/commit/40873e6a41e9ae4f46268f8ee038b3561bb88504"><code>40873e6</code></a> Update README.md</li> <li><a href="https://github.com/step-security/harden-runner/commit/484c2799ec63f20b4acc41bcf649dd4003718616"><code>484c279</code></a> Update README.md</li> <li><a href="https://github.com/step-security/harden-runner/commit/4c8582f45544ce2dafb2cfae82cfbebf0f41bde2"><code>4c8582f</code></a> Update agent versions</li> <li><a href="https://github.com/step-security/harden-runner/commit/e8d595cd66544d43aca8ac7e42a212a5a83b41f8"><code>e8d595c</code></a> fix disable_sudo_and_containers bug</li> <li><a href="https://github.com/step-security/harden-runner/commit/5d277fc8734baba8746d0c18cb0a2594d4692c66"><code>5d277fc</code></a> fix journalctl related bug</li> <li><a href="https://github.com/step-security/harden-runner/commit/ff2ab228bdb9f0c9129169d47dbb2bdf4b8f9b0e"><code>ff2ab22</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/536">#536</a> from rohan-stepsecurity/feat/flag/disable-sudo-and-co...</li> <li><a href="https://github.com/step-security/harden-runner/commit/b81d650d0e627a80d0d73d192b33d729507e0ef5"><code>b81d650</code></a> fix: run sudo command only when both disable-sudo and disable-sudo-and-docker...</li> <li><a href="https://github.com/step-security/harden-runner/commit/769df4ef5d6336b33b11e5b0d43934309cf439f6"><code>769df4e</code></a> Update agent</li> <li>Additional commits viewable in <a href="https://github.com/step-security/harden-runner/compare/c6295a65d1254861815972266d5933fd6e532bdf...0634a2670c59f64b4a01f0f96f84700a4088b9f0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
181 lines
6.0 KiB
YAML
181 lines
6.0 KiB
YAML
name: Release Artifacts
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
release:
|
|
types: [created]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
enable_security: [true, false]
|
|
include:
|
|
- enable_security: true
|
|
file_suffix: "-with-login"
|
|
- enable_security: false
|
|
file_suffix: ""
|
|
outputs:
|
|
version: ${{ steps.versionNumber.outputs.versionNumber }}
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up JDK 17
|
|
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
|
|
with:
|
|
java-version: "17"
|
|
distribution: "temurin"
|
|
|
|
- uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
|
|
with:
|
|
gradle-version: 8.12
|
|
|
|
- name: Generate jar (With Security=${{ matrix.enable_security }})
|
|
run: ./gradlew clean createExe
|
|
env:
|
|
DOCKER_ENABLE_SECURITY: ${{ matrix.enable_security }}
|
|
STIRLING_PDF_DESKTOP_UI: false
|
|
|
|
- name: Get version number
|
|
id: versionNumber
|
|
run: |
|
|
VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}')
|
|
echo "versionNumber=$VERSION" >> $GITHUB_OUTPUT
|
|
|
|
- name: Rename binaries
|
|
run: |
|
|
mv ./build/launch4j/Stirling-PDF.exe ./build/launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe
|
|
mv ./build/libs/Stirling-PDF-${{ steps.versionNumber.outputs.versionNumber }}.jar ./build/libs/Stirling-PDF${{ matrix.file_suffix }}.jar
|
|
|
|
- name: Debug build artifacts
|
|
run: |
|
|
echo "Current Directory: $(pwd)"
|
|
ls -R ./build/libs
|
|
ls -R ./build/launch4j
|
|
|
|
- name: Upload build artifacts
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
|
with:
|
|
name: binaries${{ matrix.file_suffix }}
|
|
path: |
|
|
./build/launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.*
|
|
./build/libs/Stirling-PDF${{ matrix.file_suffix }}.*
|
|
|
|
sign_verify:
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
enable_security: [true, false]
|
|
include:
|
|
- enable_security: true
|
|
file_suffix: "-with-login"
|
|
- enable_security: false
|
|
file_suffix: ""
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Download build artifacts
|
|
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
|
with:
|
|
name: binaries${{ matrix.file_suffix }}
|
|
- name: Display structure of downloaded files
|
|
run: ls -R
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
|
|
|
|
- name: Generate key pair
|
|
run: cosign generate-key-pair
|
|
|
|
- name: Sign and generate attestations
|
|
run: |
|
|
cosign sign-blob \
|
|
--key ./cosign.key \
|
|
--yes \
|
|
--output-signature ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar.sig \
|
|
./libs/Stirling-PDF${{ matrix.file_suffix }}.jar
|
|
|
|
cosign attest-blob \
|
|
--predicate - \
|
|
--key ./cosign.key \
|
|
--yes \
|
|
--output-attestation ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar.intoto.jsonl \
|
|
./libs/Stirling-PDF${{ matrix.file_suffix }}.jar
|
|
|
|
cosign verify-blob \
|
|
--key ./cosign.pub \
|
|
--signature ./libs/Stirling-PDF${{ matrix.file_suffix }}.jar.sig \
|
|
./libs/Stirling-PDF${{ matrix.file_suffix }}.jar
|
|
|
|
cosign sign-blob \
|
|
--key ./cosign.key \
|
|
--yes \
|
|
--output-signature ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe.sig \
|
|
./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe
|
|
|
|
cosign attest-blob \
|
|
--predicate - \
|
|
--key ./cosign.key \
|
|
--yes \
|
|
--output-attestation ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe.intoto.jsonl \
|
|
./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe
|
|
|
|
cosign verify-blob \
|
|
--key ./cosign.pub \
|
|
--signature ./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe.sig \
|
|
./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.exe
|
|
|
|
- name: Upload signed artifacts
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
|
with:
|
|
name: signed${{ matrix.file_suffix }}
|
|
path: |
|
|
./libs/Stirling-PDF${{ matrix.file_suffix }}.*
|
|
./launch4j/Stirling-PDF-Server${{ matrix.file_suffix }}.*
|
|
|
|
release:
|
|
needs: [build, sign_verify]
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
strategy:
|
|
matrix:
|
|
enable_security: [true, false]
|
|
include:
|
|
- enable_security: true
|
|
file_suffix: "-with-login"
|
|
- enable_security: false
|
|
file_suffix: ""
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Download signed artifacts
|
|
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
|
with:
|
|
name: signed${{ matrix.file_suffix }}
|
|
|
|
- name: Upload binaries, attestations and signatures to Release and create GitHub Release
|
|
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
|
|
with:
|
|
tag_name: v${{ needs.build.outputs.version }}
|
|
generate_release_notes: true
|
|
files: |
|
|
./libs/Stirling-PDF*
|
|
./launch4j/Stirling-PDF-Server*
|