Skip to content

fix: file:// protocol privileges reduced, preload mandatory URL schem… #3412

fix: file:// protocol privileges reduced, preload mandatory URL schem…

fix: file:// protocol privileges reduced, preload mandatory URL schem… #3412

Workflow file for this run

name: CI
on:
push:
branches: [ develop ]
tags-ignore:
- '*'
pull_request:
branches: [ develop ]
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
actions: none
checks: none
contents: write
deployments: none
id-token: none
issues: none
packages: none
pages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
env:
# secrets.GITHUB_TOKEN is restricted by default instead of permissive, so it does not allow release publishing. We can use a Personal Access Token with limited scope and expiration, or configure the token for this workflow using the 'permissions' key
# GITHUB_TOKEN_RELEASE_PUBLISH: ${{ secrets.RELEASE_PUBLISH }}
GITHUB_TOKEN_RELEASE_PUBLISH: ${{ secrets.GITHUB_TOKEN }}
# Electron Builder workaround
USE_HARD_LINKS: 'false'
jobs:
build:
# if: "!contains(toJSON(github.event.commits.*.message), '[skip-ci]')"
if: "github.event_name == 'pull_request' || !contains(github.event.head_commit.message, 'skip ci')"
runs-on: ${{ matrix.runson }}
strategy:
fail-fast: false
matrix:
osarch: [windows-intel, windows-arm, macos-intel, macos-arm, linux-intel, linux-arm]
include:
- osarch: windows-intel
runson: windows-latest
packname: win
release_tag: latest-windows-intel
- osarch: windows-arm
runson: windows-latest
packname: win
release_tag: latest-windows-arm
# - osarch: macos-intel
# runson: macos-13
# packname: 'mac:skip-notarize'
# release_tag: latest-macos-intel
- osarch: macos-intel
runson: macos-latest
packname: 'mac:skip-notarize'
release_tag: latest-macos-intel
- osarch: macos-arm
runson: macos-latest
packname: 'mac:skip-notarize'
release_tag: latest-macos-arm
- osarch: linux-intel
runson: ubuntu-20.04
packname: linux
release_tag: latest-linux-intel
- osarch: linux-arm
runson: ubuntu-20.04
packname: linux
release_tag: latest-linux-arm
env:
RELEASE_TAG: ${{ matrix.release_tag }}
steps:
# graceful fail?
- run: |-
pwdx || echo OK || true
shell: cmd
continue-on-error: true
- name: Microsoft Windows dumpbin to PATH
if: startsWith(matrix.osarch, 'windows-')
run: >
$VS_ROOT = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC"; $VS_VERSION = (Get-ChildItem -Path $VS_ROOT | Sort-Object Name -Descending | Select-Object -First 1).Name; $VS_BIN = "$VS_ROOT\$VS_VERSION\bin\Hostx64\x64"; echo $VS_BIN >> $env:GITHUB_PATH; echo $VS_BIN
shell: powershell
- name: Microsoft Windows dumpbin check
if: startsWith(matrix.osarch, 'windows-')
run: >
dumpbin /headers "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\bin\Hostx64\x64\dumpbin.exe" | findstr /i machine
shell: cmd
# - name: Microsoft Windows msbuild to PATH
# if: startsWith(matrix.osarch, 'windows-')
# uses: microsoft/setup-msbuild@v2
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\MSBuild\Current\Bin"
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools"
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\bin\amd64"
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.29.30133\bin\HostX64\x64"
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\bin\Hostx64\x64"
- run: echo 'RELEASE_TAG:' ${{ env.RELEASE_TAG }}
- run: 'echo "GITHUB_RUN_NUMBER: ${{ github.run_number }}"'
- run: 'echo "GITHUB_RUN_ID: ${{ github.run_id }}"'
- run: 'echo "GITHUB_SHA: ${{ github.sha }}"'
- run: echo "${{ matrix.osarch }} // ${{ runner.arch }}"
- name: System arch (non Windows)
#if: ${{ matrix.osarch != 'windows-intel' && matrix.osarch != 'windows-arm' }}
if: ${{ !startsWith(matrix.osarch, 'windows-') }}
run: uname -m && arch
- name: Checkout
uses: actions/checkout@v4
# with:
# persist-credentials: false
# - name: Git config global dump (pre)
# run: 'git config --global --list || echo NO_GIT_GLOBAL_CONFIG || true'
# shell: bash
# - name: Git config local dump (pre)
# run: 'git config --list || echo NO_GIT_GLOBAL_CONFIG || true'
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 1
# run: >
# git config --global url."https://github.com/".insteadOf ssh://git@github.com/
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 2
# run: >
# git config --global url."https://github.com".insteadOf ssh://git@github.com
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 3
# run: >
# git config --global url."http://github.com/".insteadOf git@github.com:
# shell: bash
# - name: git HTTP authentication instead SSH (NPM >=7) 4
# run: >
# git config --global url."http://".insteadOf git://
# shell: bash
- name: Git config global dump (post)
run: 'git config --global --list || echo NO_GIT_GLOBAL_CONFIG || true'
shell: bash
- name: Git config local dump (post)
run: 'git config --list || echo NO_GIT_GLOBAL_CONFIG || true'
shell: bash
- uses: actions/setup-node@v4
with:
node-version: '20'
#check-latest: true
- run: node --version && npm --version
- run: npm --global install npm@^10
- run: npm --version
- run: python --version || echo ok
- run: python3 --version || echo ok
- run: pip --version || echo ok
# PYTHON 3.12 distutils deprecation remediation:
#- run: python3 -m pip install packaging || python -m pip install packaging
- run: python3 -m pip install setuptools || python -m pip install setuptools
# - run: npm --global install asar
- name: package patch 1
run: node scripts/package-ci-patch.js package.json ${{ github.run_id }} && cat package.json | grep -i VERSION && cat package.json
shell: bash
- name: package patch 2
run: node scripts/package-ci-patch.js src/package.json ${{ github.run_id }} && cat src/package.json | grep -i VERSION && cat src/package.json
shell: bash
- name: package lock patch
run: node scripts/package-lock-patch.js && cat package-lock.json | grep -i divina-player-js
shell: bash
- run: git --no-pager diff
- run: npm cache clean --force
- run: npm cache verify
- run: cat package-lock.json | grep -i divina-player-js
- name: NPM install (arm64)
#if: ${{ matrix.osarch == 'linux-arm' || matrix.osarch == 'windows-arm' || matrix.osarch == 'macos-arm' }}
if: endsWith(matrix.osarch, '-arm')
run: npm ci --foreground-scripts --arch=arm64 --cpu=arm64
#export npm_config_arch=arm64 && export npm_config_cpu=arm64 &&
- name: NPM install (x64)
#if: ${{ matrix.osarch == 'linux-intel' || matrix.osarch == 'windows-intel' || matrix.osarch == 'macos-intel' }}
if: endsWith(matrix.osarch, '-intel')
run: npm ci --foreground-scripts --arch=x64 --cpu=x64
#export npm_config_arch=x64 && export npm_config_cpu=x64 &&
- name: Electron version + arch (Windows)
#if: ${{ matrix.osarch == 'windows-intel' || matrix.osarch == 'windows-arm' }}
if: startsWith(matrix.osarch, 'windows-')
run: >
(dumpbin /headers "node_modules\electron\dist\electron.exe" | findstr /i machine) && (node_modules\\electron\\dist\\electron.exe --no-sandbox --version || echo INVALID_ARCH || true) && (node_modules\\electron\\dist\\electron.exe --no-sandbox --abi || echo INVALID_ARCH || true)
shell: cmd
continue-on-error: true
- name: Electron version + arch (Linux)
#if: ${{ matrix.osarch == 'linux-intel' || matrix.osarch == 'linux-arm' }}
if: startsWith(matrix.osarch, 'linux-')
run: >
(file node_modules/electron/dist/electron) && (node_modules/electron/dist/electron --no-sandbox --version || echo INVALID_ARCH) && (node_modules/electron/dist/electron --no-sandbox --abi || echo INVALID_ARCH)
- name: Electron version + arch (MacOS)
#if: ${{ matrix.osarch == 'macos-intel' || matrix.osarch == 'macos-arm' }}
if: startsWith(matrix.osarch, 'macos-')
run: >
(file node_modules/electron/dist/Electron.app/Contents/MacOS/Electron) && (node_modules/electron/dist/Electron.app/Contents/MacOS/Electron --no-sandbox --version || echo INVALID_ARCH) && (node_modules/electron/dist/Electron.app/Contents/MacOS/Electron --no-sandbox --abi || echo INVALID_ARCH)
- run: npm list -g node-gyp || echo ok
- run: npm list node-gyp || echo ok
- name: PR action (just build)
if: ${{ github.event_name == 'pull_request' }}
run: npm run build:prod
# && npm run test SEE https://github.com/edrlab/thorium-reader/issues/1697
- name: non-PR action (build and package) ARM
#if: ${{ github.event_name != 'pull_request' && (matrix.osarch == 'linux-arm' || matrix.osarch == 'windows-arm' || matrix.osarch == 'macos-arm') }}
if: ${{ github.event_name != 'pull_request' && endsWith(matrix.osarch, '-arm') }}
#run: sed 's/x64/arm64/g' ./package.json > ./package.json.new && mv ./package.json.new ./package.json && npm run package:${{ matrix.packname }} && sed 's/arm64/x64/g' ./package.json > ./package.json.new && mv ./package.json.new ./package.json
run: >
node -e 'const path = require("path"); const fs = require("fs"); const filePath = path.join(process.cwd(), "package.json"); let fileStr = fs.readFileSync(filePath, { encoding: "utf8" }); fileStr = fileStr.replace(/x64/g, "arm64"); fs.writeFileSync(filePath, fileStr, { encoding: "utf8" });' && npm run package:${{ matrix.packname }}
- name: non-PR action (build and package) INTEL
#if: ${{ github.event_name != 'pull_request' && (matrix.osarch == 'linux-intel' || matrix.osarch == 'windows-intel' || matrix.osarch == 'macos-intel') }}
if: ${{ github.event_name != 'pull_request' && endsWith(matrix.osarch, '-intel') }}
run: npm run package:${{ matrix.packname }}
#- run: ls -alsR release
#- run: npm install @octokit/rest
- name: GitHub Tagged Release Delete/ReCreate and Upload Build Artefacts
if: ${{ github.event_name != 'pull_request' }}
run: node scripts/release-github.mjs
# - name: Upload Artifact
# if: ${{ github.event_name != 'pull_request' }}
# uses: actions/upload-artifact@v2
# with:
# name: Thorium
# path: ./release/*.exe
# - name: Delete Release
# if: ${{ github.event_name != 'pull_request' }}
# uses: author/action-rollback@stable
# with:
# tag: $RELEASE_TAG
# always_delete_tag: true
# - name: GitHub Release
# if: ${{ github.event_name != 'pull_request' }}
# id: create_release
# uses: actions/create-release@v1
# with:
# tag_name: $RELEASE_TAG
# release_name: '[$RELEASE_TAG] continuous test build (prerelease)'
# body: 'GitHub Action build job: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID'
# draft: false
# prerelease: true
# - name: GitHub Release Assets
# if: ${{ github.event_name != 'pull_request' }}
# id: upload-release-asset
# uses: actions/upload-release-asset@v1
# with:
# upload_url: ${{ steps.create_release.outputs.upload_url }}
# asset_path: ./release/*.exe
# asset_name: Thorium.exe
# asset_content_type: application/octet-stream
# - name: GitHub Script Release And Assets
# if: ${{ github.event_name != 'pull_request' }}
# env:
# - GH_RELEASE_ID: ${{ steps.create_release.outputs.id }}
# uses: actions/github-script@v2
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}
# script: |
# console.log('process.versions', process.versions, process.env.GH_RELEASE_ID);
# const fs = require('fs').promises;
# const { repo: { owner, repo }, sha } = context;
# /*
# const release = await github.repos.createRelease({
# name: `[${process.env.RELEASE_TAG}] continuous test build (prerelease)`,
# body: `GitHub Action build job: ${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`,
# owner,
# repo,
# tag_name: process.env.RELEASE_TAG,
# draft: false,
# prerelease: true,
# target_commitish: sha
# });
# */
# for (let file of await fs.readdir('release')) {
# if (!file.endsWith('.exe') || !file.endsWith('.AppImage') || !file.endsWith('.msi') || !file.endsWith('.deb') || !file.endsWith('.dmg')) {
# continue;
# }
# await github.repos.uploadReleaseAsset({
# owner,
# repo,
# release_id: process.env.GH_RELEASE_ID, // release.data.id,
# name: file,
# data: await fs.readFile(`./release/${file}`)
# });
# }