Fix code scanning alert no. 10: Database query built from user-controlled sources #129
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: App Builder | |
on: | |
push: | |
branches: [ master, main ] | |
paths-ignore: | |
- '**.md' | |
- '**.yml' | |
pull_request: | |
branches: [ master, main ] | |
paths-ignore: | |
- '**.md' | |
env: | |
REGISTRY: ghcr.io | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: 1.22.1 | |
- name: Build Frontend | |
if: github.event_name != 'pull_request' | |
run: echo y | ./scripts/build_frontend.sh | |
- name: Build Binary | |
run: echo y |./scripts/build_binary.sh | |
- name: Build Packages | |
if: github.event_name != 'pull_request' | |
run: | | |
sed -i 's|goreleaser/nfpm|goreleaser/nfpm|g' scripts/build_package.sh | |
RELEASE=$(./homer-app -version | egrep -o '[0-9].[0-9].[0-9]+') | |
echo "TAG_NAME=$RELEASE" >> $GITHUB_ENV | |
VERSION=$RELEASE make package | |
- name: Archive Frontend | |
if: github.event_name != 'pull_request' | |
run: tar cvfz homer-ui-${{env.TAG_NAME}}.tgz dist | |
- name: Upload release | |
if: github.event_name != 'pull_request' | |
uses: boxpositron/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_config: | | |
homer-app | |
homer-app-${{ env.TAG_NAME }}-amd64.deb | |
homer-app-${{ env.TAG_NAME }}-amd64.rpm | |
homer-ui-${{ env.TAG_NAME }}.tgz | |
tag_name: ${{ env.TAG_NAME }} | |
release_name: homer-app-${{ env.TAG_NAME }} | |
draft: false | |
prerelease: false | |
overwrite: true | |
- name: Check PACKAGECLOUD secret presence | |
id: checkpackagecloud | |
shell: bash | |
run: | | |
if [ "$SECRET" == "" ] || [ "$USERNAME" == "" ]; then | |
echo "secretspresent=false" >> $GITHUB_OUTPUT | |
else | |
echo "secretspresent=true" >> $GITHUB_OUTPUT | |
fi | |
env: | |
SECRET: ${{ secrets.PACKAGECLOUD_TOKEN }} | |
USERNAME: ${{ secrets.PACKAGECLOUD_USERNAME }} | |
- name: upload deb packagecloud | |
if: ${{ steps.checkpackagecloud.outputs.secretspresent == 'true' }} | |
uses: danielmundi/upload-packagecloud@v1 | |
with: | |
PACKAGE-NAME: homer-app-${{ env.TAG_NAME }}-amd64.deb | |
PACKAGECLOUD-REPO: sipcapture | |
PACKAGECLOUD-DISTRIB: any/any | |
PACKAGECLOUD-USERNAME: ${{ secrets.PACKAGECLOUD_USERNAME }} | |
PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} | |
continue-on-error: true | |
- name: upload rpm packagecloud | |
if: ${{ steps.checkpackagecloud.outputs.secretspresent == 'true' }} | |
uses: danielmundi/upload-packagecloud@v1 | |
with: | |
PACKAGE-NAME: homer-app-${{ env.TAG_NAME }}-amd64.rpm | |
PACKAGECLOUD-REPO: sipcapture | |
PACKAGECLOUD-DISTRIB: rpm_any/rpm_any | |
PACKAGECLOUD-USERNAME: ${{ secrets.PACKAGECLOUD_USERNAME }} | |
PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} | |
continue-on-error: true | |
docker-push: | |
if: github.event_name != 'pull_request' | |
runs-on: ubuntu-latest | |
needs: build | |
permissions: | |
packages: write | |
contents: read | |
steps: | |
- uses: actions/checkout@v3 | |
- id: tag_bump | |
name: Bump version and push tag | |
uses: anothrNick/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
DEFAULT_BUMP: none | |
BRANCH: master | |
- name: Log in to the Container registry | |
uses: docker/[email protected] | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Docker meta | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: | | |
ghcr.io/${{ github.repository }} | |
tags: | | |
latest | |
${{ steps.tag_bump.outputs.tag }} | |
- name: Build and push | |
uses: docker/[email protected] | |
with: | |
context: . | |
file: ./Dockerfile | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} |