fix: file:// protocol privileges reduced, preload mandatory URL schem… #3412
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: [ develop ] | |
tags-ignore: | |
- '*' | |
pull_request: | |
branches: [ develop ] | |
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
permissions: | |
actions: none | |
checks: none | |
contents: write | |
deployments: none | |
id-token: none | |
issues: none | |
packages: none | |
pages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
env: | |
# secrets.GITHUB_TOKEN is restricted by default instead of permissive, so it does not allow release publishing. We can use a Personal Access Token with limited scope and expiration, or configure the token for this workflow using the 'permissions' key | |
# GITHUB_TOKEN_RELEASE_PUBLISH: ${{ secrets.RELEASE_PUBLISH }} | |
GITHUB_TOKEN_RELEASE_PUBLISH: ${{ secrets.GITHUB_TOKEN }} | |
# Electron Builder workaround | |
USE_HARD_LINKS: 'false' | |
jobs: | |
build: | |
# if: "!contains(toJSON(github.event.commits.*.message), '[skip-ci]')" | |
if: "github.event_name == 'pull_request' || !contains(github.event.head_commit.message, 'skip ci')" | |
runs-on: ${{ matrix.runson }} | |
strategy: | |
fail-fast: false | |
matrix: | |
osarch: [windows-intel, windows-arm, macos-intel, macos-arm, linux-intel, linux-arm] | |
include: | |
- osarch: windows-intel | |
runson: windows-latest | |
packname: win | |
release_tag: latest-windows-intel | |
- osarch: windows-arm | |
runson: windows-latest | |
packname: win | |
release_tag: latest-windows-arm | |
# - osarch: macos-intel | |
# runson: macos-13 | |
# packname: 'mac:skip-notarize' | |
# release_tag: latest-macos-intel | |
- osarch: macos-intel | |
runson: macos-latest | |
packname: 'mac:skip-notarize' | |
release_tag: latest-macos-intel | |
- osarch: macos-arm | |
runson: macos-latest | |
packname: 'mac:skip-notarize' | |
release_tag: latest-macos-arm | |
- osarch: linux-intel | |
runson: ubuntu-20.04 | |
packname: linux | |
release_tag: latest-linux-intel | |
- osarch: linux-arm | |
runson: ubuntu-20.04 | |
packname: linux | |
release_tag: latest-linux-arm | |
env: | |
RELEASE_TAG: ${{ matrix.release_tag }} | |
steps: | |
# graceful fail? | |
- run: |- | |
pwdx || echo OK || true | |
shell: cmd | |
continue-on-error: true | |
- name: Microsoft Windows dumpbin to PATH | |
if: startsWith(matrix.osarch, 'windows-') | |
run: > | |
$VS_ROOT = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC"; $VS_VERSION = (Get-ChildItem -Path $VS_ROOT | Sort-Object Name -Descending | Select-Object -First 1).Name; $VS_BIN = "$VS_ROOT\$VS_VERSION\bin\Hostx64\x64"; echo $VS_BIN >> $env:GITHUB_PATH; echo $VS_BIN | |
shell: powershell | |
- name: Microsoft Windows dumpbin check | |
if: startsWith(matrix.osarch, 'windows-') | |
run: > | |
dumpbin /headers "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\bin\Hostx64\x64\dumpbin.exe" | findstr /i machine | |
shell: cmd | |
# - name: Microsoft Windows msbuild to PATH | |
# if: startsWith(matrix.osarch, 'windows-') | |
# uses: microsoft/setup-msbuild@v2 | |
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\MSBuild\Current\Bin" | |
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools" | |
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\bin\amd64" | |
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.29.30133\bin\HostX64\x64" | |
# "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\bin\Hostx64\x64" | |
- run: echo 'RELEASE_TAG:' ${{ env.RELEASE_TAG }} | |
- run: 'echo "GITHUB_RUN_NUMBER: ${{ github.run_number }}"' | |
- run: 'echo "GITHUB_RUN_ID: ${{ github.run_id }}"' | |
- run: 'echo "GITHUB_SHA: ${{ github.sha }}"' | |
- run: echo "${{ matrix.osarch }} // ${{ runner.arch }}" | |
- name: System arch (non Windows) | |
#if: ${{ matrix.osarch != 'windows-intel' && matrix.osarch != 'windows-arm' }} | |
if: ${{ !startsWith(matrix.osarch, 'windows-') }} | |
run: uname -m && arch | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# with: | |
# persist-credentials: false | |
# - name: Git config global dump (pre) | |
# run: 'git config --global --list || echo NO_GIT_GLOBAL_CONFIG || true' | |
# shell: bash | |
# - name: Git config local dump (pre) | |
# run: 'git config --list || echo NO_GIT_GLOBAL_CONFIG || true' | |
# shell: bash | |
# - name: git HTTP authentication instead SSH (NPM >=7) 1 | |
# run: > | |
# git config --global url."https://github.com/".insteadOf ssh://git@github.com/ | |
# shell: bash | |
# - name: git HTTP authentication instead SSH (NPM >=7) 2 | |
# run: > | |
# git config --global url."https://github.com".insteadOf ssh://git@github.com | |
# shell: bash | |
# - name: git HTTP authentication instead SSH (NPM >=7) 3 | |
# run: > | |
# git config --global url."http://github.com/".insteadOf git@github.com: | |
# shell: bash | |
# - name: git HTTP authentication instead SSH (NPM >=7) 4 | |
# run: > | |
# git config --global url."http://".insteadOf git:// | |
# shell: bash | |
- name: Git config global dump (post) | |
run: 'git config --global --list || echo NO_GIT_GLOBAL_CONFIG || true' | |
shell: bash | |
- name: Git config local dump (post) | |
run: 'git config --list || echo NO_GIT_GLOBAL_CONFIG || true' | |
shell: bash | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '20' | |
#check-latest: true | |
- run: node --version && npm --version | |
- run: npm --global install npm@^10 | |
- run: npm --version | |
- run: python --version || echo ok | |
- run: python3 --version || echo ok | |
- run: pip --version || echo ok | |
# PYTHON 3.12 distutils deprecation remediation: | |
#- run: python3 -m pip install packaging || python -m pip install packaging | |
- run: python3 -m pip install setuptools || python -m pip install setuptools | |
# - run: npm --global install asar | |
- name: package patch 1 | |
run: node scripts/package-ci-patch.js package.json ${{ github.run_id }} && cat package.json | grep -i VERSION && cat package.json | |
shell: bash | |
- name: package patch 2 | |
run: node scripts/package-ci-patch.js src/package.json ${{ github.run_id }} && cat src/package.json | grep -i VERSION && cat src/package.json | |
shell: bash | |
- name: package lock patch | |
run: node scripts/package-lock-patch.js && cat package-lock.json | grep -i divina-player-js | |
shell: bash | |
- run: git --no-pager diff | |
- run: npm cache clean --force | |
- run: npm cache verify | |
- run: cat package-lock.json | grep -i divina-player-js | |
- name: NPM install (arm64) | |
#if: ${{ matrix.osarch == 'linux-arm' || matrix.osarch == 'windows-arm' || matrix.osarch == 'macos-arm' }} | |
if: endsWith(matrix.osarch, '-arm') | |
run: npm ci --foreground-scripts --arch=arm64 --cpu=arm64 | |
#export npm_config_arch=arm64 && export npm_config_cpu=arm64 && | |
- name: NPM install (x64) | |
#if: ${{ matrix.osarch == 'linux-intel' || matrix.osarch == 'windows-intel' || matrix.osarch == 'macos-intel' }} | |
if: endsWith(matrix.osarch, '-intel') | |
run: npm ci --foreground-scripts --arch=x64 --cpu=x64 | |
#export npm_config_arch=x64 && export npm_config_cpu=x64 && | |
- name: Electron version + arch (Windows) | |
#if: ${{ matrix.osarch == 'windows-intel' || matrix.osarch == 'windows-arm' }} | |
if: startsWith(matrix.osarch, 'windows-') | |
run: > | |
(dumpbin /headers "node_modules\electron\dist\electron.exe" | findstr /i machine) && (node_modules\\electron\\dist\\electron.exe --no-sandbox --version || echo INVALID_ARCH || true) && (node_modules\\electron\\dist\\electron.exe --no-sandbox --abi || echo INVALID_ARCH || true) | |
shell: cmd | |
continue-on-error: true | |
- name: Electron version + arch (Linux) | |
#if: ${{ matrix.osarch == 'linux-intel' || matrix.osarch == 'linux-arm' }} | |
if: startsWith(matrix.osarch, 'linux-') | |
run: > | |
(file node_modules/electron/dist/electron) && (node_modules/electron/dist/electron --no-sandbox --version || echo INVALID_ARCH) && (node_modules/electron/dist/electron --no-sandbox --abi || echo INVALID_ARCH) | |
- name: Electron version + arch (MacOS) | |
#if: ${{ matrix.osarch == 'macos-intel' || matrix.osarch == 'macos-arm' }} | |
if: startsWith(matrix.osarch, 'macos-') | |
run: > | |
(file node_modules/electron/dist/Electron.app/Contents/MacOS/Electron) && (node_modules/electron/dist/Electron.app/Contents/MacOS/Electron --no-sandbox --version || echo INVALID_ARCH) && (node_modules/electron/dist/Electron.app/Contents/MacOS/Electron --no-sandbox --abi || echo INVALID_ARCH) | |
- run: npm list -g node-gyp || echo ok | |
- run: npm list node-gyp || echo ok | |
- name: PR action (just build) | |
if: ${{ github.event_name == 'pull_request' }} | |
run: npm run build:prod | |
# && npm run test SEE https://github.com/edrlab/thorium-reader/issues/1697 | |
- name: non-PR action (build and package) ARM | |
#if: ${{ github.event_name != 'pull_request' && (matrix.osarch == 'linux-arm' || matrix.osarch == 'windows-arm' || matrix.osarch == 'macos-arm') }} | |
if: ${{ github.event_name != 'pull_request' && endsWith(matrix.osarch, '-arm') }} | |
#run: sed 's/x64/arm64/g' ./package.json > ./package.json.new && mv ./package.json.new ./package.json && npm run package:${{ matrix.packname }} && sed 's/arm64/x64/g' ./package.json > ./package.json.new && mv ./package.json.new ./package.json | |
run: > | |
node -e 'const path = require("path"); const fs = require("fs"); const filePath = path.join(process.cwd(), "package.json"); let fileStr = fs.readFileSync(filePath, { encoding: "utf8" }); fileStr = fileStr.replace(/x64/g, "arm64"); fs.writeFileSync(filePath, fileStr, { encoding: "utf8" });' && npm run package:${{ matrix.packname }} | |
- name: non-PR action (build and package) INTEL | |
#if: ${{ github.event_name != 'pull_request' && (matrix.osarch == 'linux-intel' || matrix.osarch == 'windows-intel' || matrix.osarch == 'macos-intel') }} | |
if: ${{ github.event_name != 'pull_request' && endsWith(matrix.osarch, '-intel') }} | |
run: npm run package:${{ matrix.packname }} | |
#- run: ls -alsR release | |
#- run: npm install @octokit/rest | |
- name: GitHub Tagged Release Delete/ReCreate and Upload Build Artefacts | |
if: ${{ github.event_name != 'pull_request' }} | |
run: node scripts/release-github.mjs | |
# - name: Upload Artifact | |
# if: ${{ github.event_name != 'pull_request' }} | |
# uses: actions/upload-artifact@v2 | |
# with: | |
# name: Thorium | |
# path: ./release/*.exe | |
# - name: Delete Release | |
# if: ${{ github.event_name != 'pull_request' }} | |
# uses: author/action-rollback@stable | |
# with: | |
# tag: $RELEASE_TAG | |
# always_delete_tag: true | |
# - name: GitHub Release | |
# if: ${{ github.event_name != 'pull_request' }} | |
# id: create_release | |
# uses: actions/create-release@v1 | |
# with: | |
# tag_name: $RELEASE_TAG | |
# release_name: '[$RELEASE_TAG] continuous test build (prerelease)' | |
# body: 'GitHub Action build job: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID' | |
# draft: false | |
# prerelease: true | |
# - name: GitHub Release Assets | |
# if: ${{ github.event_name != 'pull_request' }} | |
# id: upload-release-asset | |
# uses: actions/upload-release-asset@v1 | |
# with: | |
# upload_url: ${{ steps.create_release.outputs.upload_url }} | |
# asset_path: ./release/*.exe | |
# asset_name: Thorium.exe | |
# asset_content_type: application/octet-stream | |
# - name: GitHub Script Release And Assets | |
# if: ${{ github.event_name != 'pull_request' }} | |
# env: | |
# - GH_RELEASE_ID: ${{ steps.create_release.outputs.id }} | |
# uses: actions/github-script@v2 | |
# with: | |
# github-token: ${{ secrets.GITHUB_TOKEN }} | |
# script: | | |
# console.log('process.versions', process.versions, process.env.GH_RELEASE_ID); | |
# const fs = require('fs').promises; | |
# const { repo: { owner, repo }, sha } = context; | |
# /* | |
# const release = await github.repos.createRelease({ | |
# name: `[${process.env.RELEASE_TAG}] continuous test build (prerelease)`, | |
# body: `GitHub Action build job: ${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`, | |
# owner, | |
# repo, | |
# tag_name: process.env.RELEASE_TAG, | |
# draft: false, | |
# prerelease: true, | |
# target_commitish: sha | |
# }); | |
# */ | |
# for (let file of await fs.readdir('release')) { | |
# if (!file.endsWith('.exe') || !file.endsWith('.AppImage') || !file.endsWith('.msi') || !file.endsWith('.deb') || !file.endsWith('.dmg')) { | |
# continue; | |
# } | |
# await github.repos.uploadReleaseAsset({ | |
# owner, | |
# repo, | |
# release_id: process.env.GH_RELEASE_ID, // release.data.id, | |
# name: file, | |
# data: await fs.readFile(`./release/${file}`) | |
# }); | |
# } |