Fixes CVE-2024-32489 in tecnickcom/tcpdf #7942
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Vue files | |
on: | |
pull_request: | |
types: [synchronize, opened] | |
permissions: | |
actions: read | |
checks: none | |
contents: write | |
deployments: none | |
issues: write | |
packages: none | |
pull-requests: write | |
repository-projects: none | |
security-events: none | |
statuses: none | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Detect branch for PR | |
id: vars | |
run: | | |
PR="${{ github.event.pull_request.number }}" | |
PR_INFO=$( curl \ | |
--request GET \ | |
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \ | |
--header 'content-type: application/json' \ | |
--url https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR ) | |
REF=$(echo "${PR_INFO}" | jq -r .head.ref) | |
BASE=$(echo "${PR_INFO}" | jq -r .head.repo.full_name) | |
STATE=$(echo "${PR_INFO}" | jq -r .state) | |
BASE_SHA=$(echo "${PR_INFO}" | jq -r .base.sha) | |
if [[ $STATE == "closed" ]] | |
then | |
echo "Pull Request already closed." | |
exit 0; | |
fi | |
echo "islocalbranch=$(expr $BASE == $GITHUB_REPOSITORY)" >> $GITHUB_OUTPUT | |
echo "branch=$REF" >> $GITHUB_OUTPUT | |
echo "base=$BASE_SHA" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v4 | |
with: | |
lfs: false | |
persist-credentials: false | |
if: steps.vars.outputs.branch != '' | |
- name: Check vue changes | |
id: vuecheck | |
run: | | |
git fetch --depth=1 origin ${{ steps.vars.outputs.base }} | |
VUE_FILES_MODIFIED=$(git diff --name-only ${{ steps.vars.outputs.base }} -- plugins/*/vue/**/* plugins/CoreVue/types package-lock.json | wc -l) | |
if [[ $VUE_FILES_MODIFIED == "0" ]] | |
then | |
echo "No vue files modified" | |
exit 0; | |
fi | |
echo "vue_modified=1" >> $GITHUB_OUTPUT | |
if: steps.vars.outputs.branch != '' | |
- name: Setup PHP | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: '8.0' | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Setup node | |
uses: actions/setup-node@v3 | |
with: | |
node-version: '16' | |
cache: 'npm' | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- run: npm install | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Cache dependencies | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Install dependencies | |
run: composer install --prefer-dist | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Quick Matomo Install | |
run: | | |
cat <<-EOF > ./config/config.ini.php | |
[General] | |
always_load_commands_from_plugin=CoreVue | |
[Development] | |
enabled = 1 | |
EOF | |
cat ./config/config.ini.php | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Prepare git config | |
run: | | |
cat <<- EOF > $HOME/.netrc | |
machine github.com | |
login $GITHUB_ACTOR | |
password $GITHUB_TOKEN | |
machine api.github.com | |
login $GITHUB_ACTOR | |
password $GITHUB_TOKEN | |
EOF | |
chmod 600 $HOME/.netrc | |
git config --global user.email "[email protected]" | |
git config --global user.name "$GITHUB_ACTOR" | |
git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY | |
if [[ ${{ steps.vars.outputs.islocalbranch }} ]] | |
then | |
git fetch --depth=1 origin $BRANCH_NAME | |
git checkout $BRANCH_NAME | |
fi | |
env: | |
BRANCH_NAME: ${{ steps.vars.outputs.branch }} | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Build Vue Modules | |
run: php ./console vue:build | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- name: Push changes | |
id: push | |
run: | | |
if [[ $( git diff --numstat plugins/*/vue/dist/*.js ) ]] | |
then | |
if [[ ! ${{ steps.vars.outputs.islocalbranch }} ]] | |
then | |
echo "It's only possible to update local branches automatically. Adding a comment instead." | |
echo "failure=1" >> $GITHUB_OUTPUT | |
else | |
cd $GITHUB_WORKSPACE | |
git add plugins/*/vue/dist/*.js plugins/*/vue/dist/*.json | |
git commit -m "Build vue files" | |
git push | |
fi | |
fi | |
if: steps.vars.outputs.branch != '' && steps.vuecheck.outputs.vue_modified == '1' | |
- uses: actions/github-script@v6 | |
with: | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: 'Vue files are not up to date. Please build the files using `./console vue:build` locally and push them to your branch.' | |
}) | |
if: steps.push.outputs.failure == '1' | |
- name: Fail if not up to date | |
run: exit 1 | |
if: steps.push.outputs.failure == '1' |