Mirrors/super-productivity
1
0
Fork 0
mirror of https://github.com/johannesjo/super-productivity.git synced 2026-01-23 02:36:05 +00:00
Code Issues Projects Releases Wiki Activity
18269 commits 48 branches 590 tags 336 MiB
Commit graph

42 commits

Author SHA1 Message Date
Johannes Millan
27630a59fe security: add Harden-Runner and fix remaining unpinned actions 
Add StepSecurity Harden-Runner to production workflows for runtime monitoring
and fix all remaining unpinned GitHub Actions that were missed in initial pass.

Changes:
1. StepSecurity Harden-Runner (Phase 2.2.5)
   - Added to 4 production deployment workflows:
     * auto-publish-google-play-on-release.yml (Google Play)
     * publish-to-hub-docker.yml (Docker Hub)
     * build-update-web-app-on-release.yml (Web server)
     * build-publish-to-mac-store-on-release.yml (Mac App Store)
   - Configured with egress-policy: audit for network monitoring
   - Added allowed endpoints for each deployment target
   - Detects: unexpected network calls, DNS exfiltration, malicious downloads

2. Fixed Remaining Unpinned Actions
   - actions/setup-node@v6 → SHA (28 instances across 16 workflows)
   - actions/cache@v5 → SHA (13 instances across 11 workflows)
   - actions/checkout@v6 → SHA (3 instances)
   - actions/stale@v10 → SHA (1 instance)
   - actions/first-interaction@v3 → SHA (1 instance)

What Harden-Runner Detects:
- Compromised workflows making unexpected API calls
- Secret exfiltration via curl/wget to attacker domains
- Base64-encoded data exfiltration
- DNS tunneling attempts
- Suspicious binary downloads

Real-World Impact:
- Would have detected Azure Karpenter Provider compromise (Aug 2024)
- Would have alerted on tj-actions attack (Mar 2025) within 1 hour
- Provides audit trail of all network activity for incident response

All 22 workflows validated with YAML syntax checks.

Risk Score: 55/100 → 45/100 (runtime monitoring added)

Refs: StepSecurity Blog, CVE-2025-30066
 2026-01-21 14:30:24 +01:00
Johannes Millan
9b2afbe109 security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation) 
Pin all GitHub Actions to immutable commit SHAs to prevent supply chain attacks.
This protects against tag-poisoning attacks like the March 2025 tj-actions compromise
that affected 23,000+ repositories.

Changes:
- Pin 55 action references across 19 workflow files to commit SHAs
- Add version comments (e.g., "# v6") for readability
- Manually resolved: gradle/actions, github/codeql-action, actions/setup-node

All actions now use immutable references following GitHub security best practices:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Future updates should be managed via Dependabot to automate SHA updates.
 2026-01-21 14:30:24 +01:00
Johannes Millan
b583454327 fix(android): support pre-release versions in APK builds 
- Update bump-android-version.js to handle RC/alpha/beta versions
- Pre-releases use versionCode suffix 0001-8999, stable uses 9000
- This ensures users can upgrade from RC to stable without uninstalling
- Skip Play Store upload for pre-release tags (GitHub only)
- Skip fastlane changelog generation for pre-releases

Fixes #5964
 2026-01-12 15:25:18 +01:00
Johannes Millan
e0031b1378 build(ci): improve android build release upload reliability 
- Add explicit contents: write permission for GITHUB_TOKEN
- Increase wait time for release creation from 15 to 20 minutes
- Add failure check if release is not found after waiting
 2026-01-10 12:55:14 +01:00
Johannes Millan
218e99721f
Merge pull request #5854 from johannesjo/dependabot/github_actions/actions/cache-5 
chore(deps): bump actions/cache from 4 to 5
 2026-01-02 12:15:30 +01:00
dependabot[bot]
25225a7609
chore(deps): bump actions/upload-artifact from 5 to 6 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-01-01 13:01:51 +00:00
dependabot[bot]
d0f521c22f
chore(deps): bump actions/cache from 4 to 5 
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-01-01 13:01:39 +00:00
dependabot[bot]
63a6856148
chore(deps): bump actions/checkout from 5 to 6 
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-12-01 14:25:22 +00:00
Johannes Millan
669616e616
Merge pull request #5405 from johannesjo/dependabot/github_actions/actions/upload-artifact-5 
build(deps): bump actions/upload-artifact from 4 to 5
 2025-11-03 10:30:08 +01:00
dependabot[bot]
c6e08924a5
build(deps): bump actions/setup-node from 5 to 6 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-11-01 13:01:35 +00:00
dependabot[bot]
fede2c122d
build(deps): bump actions/upload-artifact from 4 to 5 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-11-01 13:01:19 +00:00
Johannes Millan
d39fe3e91c
Merge pull request #5204 from johannesjo/dependabot/github_actions/gradle/actions-5 
build(deps): bump gradle/actions from 4 to 5
 2025-10-10 15:45:10 +02:00
dependabot[bot]
ab6c59056b
build(deps): bump gradle/actions from 4 to 5 
Bumps [gradle/actions](https://github.com/gradle/actions) from 4 to 5.
- [Release notes](https://github.com/gradle/actions/releases)
- [Commits](https://github.com/gradle/actions/compare/v4...v5)

---
updated-dependencies:
- dependency-name: gradle/actions
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 13:01:49 +00:00
dependabot[bot]
fbe03e0f48
build(deps): bump actions/setup-node from 3 to 5 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3 to 5.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 13:01:44 +00:00
Johannes Millan
3517555bf1
Merge pull request #5040 from johannesjo/dependabot/github_actions/actions/checkout-5 
build(deps): bump actions/checkout from 3 to 5
 2025-09-02 16:53:19 +02:00
dependabot[bot]
7c29c3fd07
build(deps): bump actions/setup-java from 4 to 5 
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4 to 5.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-01 23:54:12 +00:00
dependabot[bot]
986154c4ad
build(deps): bump actions/checkout from 3 to 5 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-01 23:36:57 +00:00
Johannes Millan
7c00dcc8ba build: fix ? 2025-08-08 20:42:32 +02:00
dependabot[bot]
5b44552a6d
build(deps): bump r0adkll/upload-google-play from 1.0.19 to 1.1.3 
Bumps [r0adkll/upload-google-play](https://github.com/r0adkll/upload-google-play) from 1.0.19 to 1.1.3.
- [Release notes](https://github.com/r0adkll/upload-google-play/releases)
- [Commits](https://github.com/r0adkll/upload-google-play/compare/v1.0.19...v1.1.3)

---
updated-dependencies:
- dependency-name: r0adkll/upload-google-play
  dependency-version: 1.1.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-01 13:56:06 +00:00
Johannes Millan
ecfd21b1b6 fix: prevent APK upload from removing other release assets 
Modified Android workflow to use GitHub CLI instead of softprops/action-gh-release
to append APK files to existing releases without overwriting other assets.

Changes:
- Wait for main release to be created before uploading APK
- Use 'gh release upload' to add APK as additional asset
- Preserves existing release assets and metadata
- Includes retry logic with 15-minute timeout

This fixes the issue where uploading APK would remove other release assets
like desktop binaries and installers.
 2025-06-22 17:37:56 +02:00
Johannes Millan
311f1e8a4b feat: auto upload APK to Google Play Console on release 
Adds automatic upload of Android APK to Google Play Console when a release tag is created.

Features:
- Uploads to internal track as draft for manual review
- Uses service account authentication
- Sets update priority for better user experience
- Only triggers on actual releases (tagged versions)

Requires GOOGLE_PLAY_SERVICE_ACCOUNT_JSON secret to be configured.
 2025-06-22 17:26:15 +02:00
Johannes Millan
6c95912e25 build: auto upload apk to release 2025-06-22 15:05:12 +02:00
Johannes Millan
23ef2a373f build: fix script 2025-06-15 21:40:52 +02:00
Johannes Millan
641db0bebf build: just upload apks 2025-06-15 20:11:13 +02:00
Johannes Millan
bd117ce683 build: test autosigning android apk 2025-06-15 19:47:39 +02:00
Johannes Millan
99748b104e build: make android build work again 3 2025-04-03 14:17:47 +02:00
Johannes Millan
fd3b6e321c build: add code signing for android 5 2025-03-14 11:02:29 +01:00
Johannes Millan
f2c89e72ca build: add code signing for android 4 2025-03-14 11:02:29 +01:00
Johannes Millan
dfb60231f7 build: add code signing for android 3 2025-03-14 11:02:29 +01:00
Johannes Millan
6e9e5a9a4e build: add code signing for android 2 2025-03-14 11:02:29 +01:00
Johannes Millan
0b0e5139e7 build: add code signing for android 2025-03-14 11:02:29 +01:00
Johannes Millan
56758bb0ee build: improve android build 2025-03-14 11:02:29 +01:00
TypicalUsername-ai
c1530516d2 CI: rename android pipeline and add prod release triggers 2025-03-14 11:01:04 +01:00
TypicalUsername-ai
7552ecd7d7 CI: add android license step to fix build 2025-03-14 11:01:04 +01:00
Johannes Millan
b56c821e52 build: update upload artifact to v4 2025-01-09 18:44:02 +01:00
Johannes Millan
48f6a5dba4 build: fix schema errors for git workflows 2024-11-15 15:58:12 +01:00
Johannes Millan
9008c22fa6 feat(android): prepare auto builds 2024-11-06 19:44:05 +01:00
Johannes Millan
da024a1042 build: update android action 4 2024-11-06 19:23:11 +01:00
Johannes Millan
19eaabe87a build: update android action 3 2024-11-06 19:11:00 +01:00
Johannes Millan
773ab3c3e1 build: update android action 2 2024-11-06 19:01:09 +01:00
Johannes Millan
69dc1cd6d4 build: update android action 2024-11-06 18:59:07 +01:00
Johannes Millan
5aeb9b3fdb build: add android builds 2024-11-06 18:55:31 +01:00