etherpad-lite/.github/workflows/update-plugins.yml
John McLear 958590d1c8
chore(docker): clear most CVEs in published image (npm/pnpm/uuid + drop curl) (#7674)
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl

Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages
to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl,
git, busybox) are all upstream Alpine 3.23 packages with "not fixed"
status — libcurl is pulled in transitively by git and cannot be
removed independently.

Changes:

- Provision pnpm via corepack instead of `npm install -g pnpm`, then
  remove the bundled npm. The base image's npm@10.9.7 ships old
  transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion
  2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime;
  corepack handles pnpm directly without npm. Fixes 1H + 1M.

- Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the
  workflow and pull in pnpm's patched bundled brace-expansion (5.0.5
  vs 5.0.4). Fixes 1M.

- Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides
  (GHSA-w5hq-g745-h8pq). Fixes 1M.

- Drop `curl` from the runtime apk add list and switch HEALTHCHECK to
  wget (busybox built-in). curl was only invoked by the healthcheck and
  by dev/CI scripts that don't run in the container. Removes the curl
  CLI binary; libcurl remains as a git transitive dep, so the
  `apk/alpine/curl` advisories scout reports against libcurl persist
  but aren't reachable from any code we ship. As a side-effect this
  also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep.

- Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl
  resolves localhost to ::1 first and Etherpad only binds IPv4.

Verified locally: docker build → docker run → healthy → docker scout
cves shows 12 CVEs / 3 packages.

* fix(docker): refresh corepack before preparing pnpm (Qodo)

Node 22's bundled corepack ships a stale signing-key list and can reject
newer pnpm releases (nodejs/corepack#612), which would fail the image
build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround:
`npm install -g corepack@latest` before activating pnpm, in both
adminbuild and build stages. npm is still removed afterwards.

* docs(changelog): note docker image dropping curl/npm/npx (Qodo)

Address Qodo's "backwards-incompatible change without mitigation" rule
violations by documenting the removal in the 2.7.3 breaking-changes
section. Operators who exec into the container can apk add curl on
demand or use the busybox wget / pnpm already present.

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2026-05-06 22:00:13 +02:00

115 lines
4.1 KiB
YAML

name: Update Plugins
on:
schedule:
- cron: '0 6 * * *' # Daily at 06:00 UTC
workflow_dispatch: # Allow manual trigger
# The cross-repo work (cloning ether/ep_* repos, pushing updates, merging
# Dependabot PRs) is authenticated via secrets.PLUGINS_PAT. The default
# GITHUB_TOKEN only needs read access to this repo for actions/checkout.
permissions:
contents: read
jobs:
update-plugins:
runs-on: ubuntu-latest
steps:
- name: Check out etherpad-lite
uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
name: Install pnpm
with:
run_install: false
- name: Use Node.js
uses: actions/setup-node@v6
with:
node-version: 22
- name: Install bin dependencies
working-directory: ./bin
run: pnpm install
- name: Configure git
run: |
git config --global user.name 'github-actions[bot]'
git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
- name: Clone and update all plugins
env:
GH_TOKEN: ${{ secrets.PLUGINS_PAT }}
run: |
# Configure git to use the PAT for all ether/ repos
git config --global url."https://x-access-token:${GH_TOKEN}@github.com/ether/".insteadOf "https://github.com/ether/"
cd ..
# List all ep_* repos from ether org
plugins=$(gh repo list ether --limit 200 --json name --jq '.[] | select(.name | startswith("ep_")) | .name')
failed=""
succeeded=""
skipped=""
for plugin in $plugins; do
echo "============================================================"
echo "Processing $plugin"
echo "============================================================"
# Clone if not present
if [ ! -d "$plugin" ]; then
git clone "https://github.com/ether/${plugin}.git" "$plugin" || { echo "SKIP: clone failed"; skipped="$skipped $plugin"; continue; }
fi
# Pull latest
(cd "$plugin" && git pull --ff-only) || { echo "SKIP: pull failed"; skipped="$skipped $plugin"; continue; }
# Run checkPlugin with autopush — continue on failure
if cd etherpad-lite/bin && pnpm run checkPlugin "$plugin" autopush 2>&1; then
succeeded="$succeeded $plugin"
else
echo "WARN: checkPlugin failed for $plugin"
failed="$failed $plugin"
fi
cd ../..
done
echo ""
echo "============================================================"
echo "SUMMARY"
echo "============================================================"
echo "Succeeded:$(echo $succeeded | wc -w) -$succeeded"
echo "Failed:$(echo $failed | wc -w) -$failed"
echo "Skipped:$(echo $skipped | wc -w) -$skipped"
- name: Merge clean Dependabot PRs on plugin repos
env:
GH_TOKEN: ${{ secrets.PLUGINS_PAT }}
run: |
# For every ep_* repo under ether, merge any Dependabot PR whose
# mergeStateStatus is CLEAN (no conflicts, branch up to date, all
# required checks green). Anything else is left alone for a human.
plugins=$(gh repo list ether --limit 200 --json name --jq '.[] | select(.name | startswith("ep_")) | .name')
merged=""
for plugin in $plugins; do
repo="ether/${plugin}"
prs=$(gh pr list --repo "$repo" \
--author "app/dependabot" \
--state open \
--json number,mergeStateStatus,title \
--jq '.[] | select(.mergeStateStatus=="CLEAN") | .number') || continue
for pr in $prs; do
echo "Merging ${repo}#${pr}"
if gh pr merge --repo "$repo" --squash --delete-branch "$pr"; then
merged="$merged ${repo}#${pr}"
else
echo "WARN: failed to merge ${repo}#${pr}"
fi
done
done
echo ""
echo "Merged Dependabot PRs:$merged"