mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-17 16:47:05 +00:00
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl, git, busybox) are all upstream Alpine 3.23 packages with "not fixed" status — libcurl is pulled in transitively by git and cannot be removed independently. Changes: - Provision pnpm via corepack instead of `npm install -g pnpm`, then remove the bundled npm. The base image's npm@10.9.7 ships old transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion 2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime; corepack handles pnpm directly without npm. Fixes 1H + 1M. - Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the workflow and pull in pnpm's patched bundled brace-expansion (5.0.5 vs 5.0.4). Fixes 1M. - Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides (GHSA-w5hq-g745-h8pq). Fixes 1M. - Drop `curl` from the runtime apk add list and switch HEALTHCHECK to wget (busybox built-in). curl was only invoked by the healthcheck and by dev/CI scripts that don't run in the container. Removes the curl CLI binary; libcurl remains as a git transitive dep, so the `apk/alpine/curl` advisories scout reports against libcurl persist but aren't reachable from any code we ship. As a side-effect this also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep. - Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl resolves localhost to ::1 first and Etherpad only binds IPv4. Verified locally: docker build → docker run → healthy → docker scout cves shows 12 CVEs / 3 packages. * fix(docker): refresh corepack before preparing pnpm (Qodo) Node 22's bundled corepack ships a stale signing-key list and can reject newer pnpm releases (nodejs/corepack#612), which would fail the image build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround: `npm install -g corepack@latest` before activating pnpm, in both adminbuild and build stages. npm is still removed afterwards. * docs(changelog): note docker image dropping curl/npm/npx (Qodo) Address Qodo's "backwards-incompatible change without mitigation" rule violations by documenting the removal in the 2.7.3 breaking-changes section. Operators who exec into the container can apk add curl on demand or use the busybox wget / pnpm already present. * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm --------- Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
153 lines
4.7 KiB
YAML
153 lines
4.7 KiB
YAML
name: "Loadtest"
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 8 * * *' # Daily at 08:00 UTC
|
|
workflow_dispatch: # Allow manual trigger
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
PNPM_HOME: ~/.pnpm-store
|
|
LOG_LEVEL: DEBUG
|
|
|
|
jobs:
|
|
withoutplugins:
|
|
# run on pushes to any branch
|
|
# run on PRs from external forks
|
|
if: |
|
|
(github.event_name != 'pull_request')
|
|
|| (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id)
|
|
name: without plugins
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
-
|
|
name: Checkout repository
|
|
uses: actions/checkout@v6
|
|
- uses: actions/cache@v5
|
|
name: Cache pnpm store
|
|
with:
|
|
path: ${{ env.PNPM_HOME }}
|
|
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-pnpm-store-
|
|
- uses: pnpm/action-setup@v6
|
|
name: Install pnpm
|
|
with:
|
|
run_install: false
|
|
- name: Use Node.js
|
|
uses: actions/setup-node@v6
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
-
|
|
name: Install all dependencies and symlink for ep_etherpad-lite
|
|
run: pnpm install --frozen-lockfile
|
|
-
|
|
name: Install etherpad-load-test
|
|
run: sudo npm install -g etherpad-load-test
|
|
-
|
|
name: Run load test
|
|
run: src/tests/frontend/travis/runnerLoadTest.sh 25 50
|
|
|
|
withplugins:
|
|
# run on pushes to any branch
|
|
# run on PRs from external forks
|
|
if: |
|
|
(github.event_name != 'pull_request')
|
|
|| (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id)
|
|
name: with Plugins
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
-
|
|
name: Checkout repository
|
|
uses: actions/checkout@v6
|
|
- uses: actions/cache@v5
|
|
name: Cache pnpm store
|
|
with:
|
|
path: ${{ env.PNPM_HOME }}
|
|
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-pnpm-store-
|
|
- uses: pnpm/action-setup@v6
|
|
name: Install pnpm
|
|
with:
|
|
run_install: false
|
|
- name: Use Node.js
|
|
uses: actions/setup-node@v6
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
-
|
|
name: Install etherpad-load-test
|
|
run: sudo npm install -g etherpad-load-test
|
|
-
|
|
name: Install etherpad plugins
|
|
run: >
|
|
pnpm add -w
|
|
ep_align
|
|
ep_author_hover
|
|
ep_cursortrace
|
|
ep_font_size
|
|
ep_hash_auth
|
|
ep_headings2
|
|
ep_markdown
|
|
ep_readonly_guest
|
|
ep_set_title_on_pad
|
|
ep_spellcheck
|
|
ep_subscript_and_superscript
|
|
ep_table_of_contents
|
|
# Etherpad core dependencies must be installed after installing the
|
|
# plugin's dependencies, otherwise npm will try to hoist common
|
|
# dependencies by removing them from src/node_modules and installing them
|
|
# in the top-level node_modules. As of v6.14.10, npm's hoist logic appears
|
|
# to be buggy, because it sometimes removes dependencies from
|
|
# src/node_modules but fails to add them to the top-level node_modules.
|
|
# Even if npm correctly hoists the dependencies, the hoisting seems to
|
|
# confuse tools such as `npm outdated`, `npm update`, and some ESLint
|
|
# rules.
|
|
-
|
|
name: Install all dependencies and symlink for ep_etherpad-lite
|
|
run: pnpm install --frozen-lockfile
|
|
-
|
|
name: Run load test
|
|
run: src/tests/frontend/travis/runnerLoadTest.sh 25 50
|
|
|
|
long:
|
|
# run on pushes to any branch
|
|
# run on PRs from external forks
|
|
if: |
|
|
(github.event_name != 'pull_request')
|
|
|| (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id)
|
|
name: long running
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
-
|
|
name: Checkout repository
|
|
uses: actions/checkout@v6
|
|
- uses: actions/cache@v5
|
|
name: Cache pnpm store
|
|
with:
|
|
path: ${{ env.PNPM_HOME }}
|
|
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-pnpm-store-
|
|
- uses: pnpm/action-setup@v6
|
|
name: Install pnpm
|
|
with:
|
|
run_install: false
|
|
- name: Use Node.js
|
|
uses: actions/setup-node@v6
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
-
|
|
name: Install all dependencies and symlink for ep_etherpad-lite
|
|
run: pnpm install --frozen-lockfile
|
|
-
|
|
name: Install etherpad-load-test
|
|
run: sudo npm install -g etherpad-load-test
|
|
-
|
|
name: Run load test
|
|
run: src/tests/frontend/travis/runnerLoadTest.sh 5000 5
|