fix security issue #286

Workflow file for this run

	name: CI
	on:
	push:
	branches: [ main ]
	tags: [ v* ]
	repository_dispatch:
	types: [ new-jx ]
	workflow_dispatch:
	jobs:
	analyze-ubuntu:
	name: "Ubuntu: Analyze"
	runs-on: ubuntu-latest
	if: ${{ !startsWith(github.ref, 'refs/tags/') }}
	env:
	BUILD_WRAPPER_OUT_DIR: sonar_output
	LC_ALL: en_US.UTF-8
	LANG: en_US.UTF-8
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Set environment variables
	run: \|
	echo SONAR_CACHE_PATH=$HOME/$BUILD_WRAPPER_OUT_DIR >> $GITHUB_ENV
	echo FORCE_CACHE_UPDATE=${RANDOM}${RANDOM} >> $GITHUB_ENV

	- name: Sonar data cache
	uses: actions/cache@v4
	with:
	path: ${{ env.SONAR_CACHE_PATH }}
	key: ${{ runner.os }}-sonar-cache-${{ env.FORCE_CACHE_UPDATE }}
	restore-keys: \|
	${{ runner.os }}-sonar-cache-

	- name: Install sonar-scanner and build-wrapper
	uses: sonarsource/sonarcloud-github-c-cpp@v2

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: cpp

	- name: Configure
	run: ./configure ci

	- name: Build
	run: build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make all

	- name: Run tests
	continue-on-error: true
	run: \|
	make test \|\| true
	cd code_crusader/test
	make reset

	- name: Run sonar-scanner
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	run: sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"

	- name: Perform CodeQL analysis
	uses: github/codeql-action/analyze@v3

	build-ubuntu:
	name: Ubuntu
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	uses: jafl/jx_application_framework/.github/workflows/app-build-ubuntu.yml@main
	with:
	pkg-name: code-*
	build-cmd: make all

	build-fedora:
	name: Fedora
	uses: jafl/jx_application_framework/.github/workflows/app-build-fedora.yml@main
	with:
	pkg-name: code-*
	build-cmd: make all

	build-macos:
	name: macOS
	uses: jafl/jx_application_framework/.github/workflows/app-build-macos.yml@main
	with:
	pkg-name: code-*
	build-cmd: make all

	release:
	name: Upload releases
	runs-on: ubuntu-latest
	needs: [ build-ubuntu, build-fedora, build-macos ]
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	steps:
	- uses: actions/download-artifact@v4
	with:
	name: release

	- name: Save release packages
	uses: svenstaro/upload-release-action@v2
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	tag: ${{ github.ref }}
	file: code-.
	file_glob: true

	update-sourceforge-code-crusader:
	name: Crusader
	needs: [ release ]
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	uses: jafl/jx_application_framework/.github/workflows/app-mirror-sourceforge.yml@main
	with:
	forge-name: codecrusader
	filter: code-crusader*
	secrets:
	api-key: ${{ secrets.SOURCEFORGE_API_KEY }}
	ssh-key: ${{ secrets.SOURCEFORGE_SSH_KEY }}

	update-sourceforge-code-medic:
	name: Medic
	needs: [ release ]
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	uses: jafl/jx_application_framework/.github/workflows/app-mirror-sourceforge.yml@main
	with:
	forge-name: codemedic
	filter: code-medic*
	secrets:
	api-key: ${{ secrets.SOURCEFORGE_API_KEY }}
	ssh-key: ${{ secrets.SOURCEFORGE_SSH_KEY }}

	update-sourceforge-code-mill:
	name: Mill
	needs: [ release ]
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	uses: jafl/jx_application_framework/.github/workflows/app-mirror-sourceforge.yml@main
	with:
	forge-name: nps-codemill
	filter: code-mill*
	secrets:
	api-key: ${{ secrets.SOURCEFORGE_API_KEY }}
	ssh-key: ${{ secrets.SOURCEFORGE_SSH_KEY }}

	publish-version:
	name: Publish version
	runs-on: ubuntu-latest
	needs: [ update-sourceforge-code-crusader, update-sourceforge-code-medic, update-sourceforge-code-mill ]
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Update version & docs
	run: \|
	echo "${{ secrets.SOURCEFORGE_SSH_KEY }}" > ssh-key
	chmod 0600 ssh-key
	scp -o StrictHostKeyChecking=no -i ssh-key code_crusader/release/VERSION code_crusader/release/doc/* jafl,codecrusader@web.sourceforge.net:htdocs/;
	scp -o StrictHostKeyChecking=no -i ssh-key code_medic/release/VERSION code_medic/release/doc/* jafl,codemedic@web.sourceforge.net:htdocs/;
	scp -o StrictHostKeyChecking=no -i ssh-key code_mill/release/VERSION code_mill/release/doc/* jafl,nps-codemill@web.sourceforge.net:htdocs/;

	update-homebrew:
	name: Update Homebrew Formulas
	runs-on: ubuntu-latest
	needs: [ release ]
	steps:
	- name: Repository Dispatch
	uses: peter-evans/repository-dispatch@v3
	with:
	token: ${{ secrets.UPDATE_HOMEBREW }}
	repository: jafl/homebrew-jx
	event-type: new-release

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix security issue #286

Workflow file

fix security issue #286

Jobs

Run details

Workflow file for this run