Commit graph

63 commits

Author SHA1 Message Date
Corey Newton
ababd99b57
docs(ci): Exclude docs/wiki/** from some actions
There is no reason to run certain checks on simple documentation
updates. These Actions showed up during the initial v0.1 PR and added
noise to the PR process.
2026-01-21 20:04:16 -08:00
Johannes Millan
27630a59fe security: add Harden-Runner and fix remaining unpinned actions
Add StepSecurity Harden-Runner to production workflows for runtime monitoring
and fix all remaining unpinned GitHub Actions that were missed in initial pass.

Changes:
1. StepSecurity Harden-Runner (Phase 2.2.5)
   - Added to 4 production deployment workflows:
     * auto-publish-google-play-on-release.yml (Google Play)
     * publish-to-hub-docker.yml (Docker Hub)
     * build-update-web-app-on-release.yml (Web server)
     * build-publish-to-mac-store-on-release.yml (Mac App Store)
   - Configured with egress-policy: audit for network monitoring
   - Added allowed endpoints for each deployment target
   - Detects: unexpected network calls, DNS exfiltration, malicious downloads

2. Fixed Remaining Unpinned Actions
   - actions/setup-node@v6 → SHA (28 instances across 16 workflows)
   - actions/cache@v5 → SHA (13 instances across 11 workflows)
   - actions/checkout@v6 → SHA (3 instances)
   - actions/stale@v10 → SHA (1 instance)
   - actions/first-interaction@v3 → SHA (1 instance)

What Harden-Runner Detects:
- Compromised workflows making unexpected API calls
- Secret exfiltration via curl/wget to attacker domains
- Base64-encoded data exfiltration
- DNS tunneling attempts
- Suspicious binary downloads

Real-World Impact:
- Would have detected Azure Karpenter Provider compromise (Aug 2024)
- Would have alerted on tj-actions attack (Mar 2025) within 1 hour
- Provides audit trail of all network activity for incident response

All 22 workflows validated with YAML syntax checks.

Risk Score: 55/100 → 45/100 (runtime monitoring added)

Refs: StepSecurity Blog, CVE-2025-30066
2026-01-21 14:30:24 +01:00
Johannes Millan
9b2afbe109 security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation)
Pin all GitHub Actions to immutable commit SHAs to prevent supply chain attacks.
This protects against tag-poisoning attacks like the March 2025 tj-actions compromise
that affected 23,000+ repositories.

Changes:
- Pin 55 action references across 19 workflow files to commit SHAs
- Add version comments (e.g., "# v6") for readability
- Manually resolved: gradle/actions, github/codeql-action, actions/setup-node

All actions now use immutable references following GitHub security best practices:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Future updates should be managed via Dependabot to automate SHA updates.
2026-01-21 14:30:24 +01:00
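The two commits above describe the same hardening pass from both sides: every `uses:` reference rewritten to a full 40-hex commit SHA with a `# vN` comment, and StepSecurity Harden-Runner added as the first step of the deployment jobs with `egress-policy: audit`. The script below is an added example, not part of this commit log and not the project's own tooling. It scans workflow text for exactly those properties: unpinned or short-SHA references, SHA pins that lack the version comment Dependabot needs to keep them current, and jobs whose first step is not Harden-Runner. It deliberately uses line-by-line regular expressions instead of a YAML library so it runs with the standard library alone; the embedded sample workflow and every SHA in it are constructed placeholders, not real commits.

```python
"""Check GitHub Actions workflows for SHA-pinned `uses:` references and a
Harden-Runner first step. Added example; regex-based, standard library only."""
import re
import sys
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(\S.*))?$")
EGRESS_LINE = re.compile(r"^\s*egress-policy:\s*(\S+)")
STEPS_KEY = re.compile(r"^\s*steps:\s*$")
HARDEN_RUNNER = "step-security/harden-runner"


@dataclass
class Finding:
    line: int
    ref: str
    issue: str


def check_workflow(text: str) -> dict:
    """Return {'findings': [Finding, ...], 'egress_policy': str | None}."""
    findings = []
    egress_policy = None
    expect_first_step = False  # set right after a `steps:` key

    for lineno, line in enumerate(text.splitlines(), 1):
        if STEPS_KEY.match(line):
            expect_first_step = True
            continue
        m = EGRESS_LINE.match(line)
        if m:
            egress_policy = m.group(1)
            continue
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1).strip("'\""), m.group(2)

        # Local composite actions and container images are not marketplace
        # actions fetched by tag, so SHA pinning does not apply to them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue

        action, _, version = ref.partition("@")

        # Harden-Runner only sees network activity of steps that run after it.
        if expect_first_step:
            expect_first_step = False
            if action != HARDEN_RUNNER:
                findings.append(Finding(lineno, ref,
                    "first step of job is not Harden-Runner; earlier steps run unmonitored"))

        if not version:
            findings.append(Finding(lineno, ref, "no ref: resolves to the default branch"))
        elif FULL_SHA.match(version):
            if not comment or not re.match(r"v?\d", comment):
                findings.append(Finding(lineno, ref,
                    "SHA pin lacks a '# vN' comment; Dependabot cannot track the version"))
        elif SHORT_SHA.match(version):
            findings.append(Finding(lineno, ref, "abbreviated SHA: use the full 40-hex commit"))
        else:
            findings.append(Finding(lineno, ref,
                f"mutable ref '{version}': a tag or branch can be moved to attacker code"))

    return {"findings": findings, "egress_policy": egress_policy}


# Constructed sample; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: publish-to-hub-docker
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@v6
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef
      - uses: actions/cache@89abcde
      - uses: docker/login-action@main
      - uses: ./.github/actions/local-helper
      - run: npm ci
"""


def main(paths):
    sources = [(p, open(p).read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    for name, text in sources:
        result = check_workflow(text)
        print(f"{name}: egress-policy={result['egress_policy']}")
        for f in result["findings"]:
            print(f"  line {f.line}: {f.ref}: {f.issue}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to check the embedded sample, or pass `.github/workflows/*.yml` to scan real files. Two caveats a reviewer would raise on the commits themselves: `egress-policy: audit` only records outbound connections, so exfiltration is logged rather than stopped until the policy is switched to `block` with the `allowed-endpoints` list the commit already collected; and a SHA pin freezes the action's own code but not anything that action downloads at run time, which is exactly the traffic the audit log is there to surface.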
Johannes Millan
aa7103d4a8 build: remove unsplash secrets from lint and test flow 2026-01-21 14:30:24 +01:00
Johannes Millan
4d78d7b9fc fix(ci): add E2E tests to PR workflow 2026-01-17 15:23:45 +01:00
Johannes Millan
6a9d39838c build: don't run e2e tests every 2026-01-17 15:02:11 +01:00
Johannes Millan
218e99721f
Merge pull request #5854 from johannesjo/dependabot/github_actions/actions/cache-5
chore(deps): bump actions/cache from 4 to 5
2026-01-02 12:15:30 +01:00
dependabot[bot]
25225a7609
chore(deps): bump actions/upload-artifact from 5 to 6
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-01 13:01:51 +00:00
dependabot[bot]
d0f521c22f
chore(deps): bump actions/cache from 4 to 5
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-01 13:01:39 +00:00
Johannes Millan
afa6bb85ea build(ci): add i18n JSON validation step to lint-and-test workflow 2025-12-19 13:34:45 +01:00
Johannes Millan
e268076332 test(e2e): try to fix e2e tests 2025-12-10 21:26:48 +01:00
dependabot[bot]
63a6856148
chore(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-01 14:25:22 +00:00
Johannes Millan
669616e616
Merge pull request #5405 from johannesjo/dependabot/github_actions/actions/upload-artifact-5
build(deps): bump actions/upload-artifact from 4 to 5
2025-11-03 10:30:08 +01:00
dependabot[bot]
c6e08924a5
build(deps): bump actions/setup-node from 5 to 6
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-01 13:01:35 +00:00
dependabot[bot]
fede2c122d
build(deps): bump actions/upload-artifact from 4 to 5
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-01 13:01:19 +00:00
dependabot[bot]
fbe03e0f48
build(deps): bump actions/setup-node from 3 to 5
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3 to 5.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-01 13:01:44 +00:00
dependabot[bot]
986154c4ad
build(deps): bump actions/checkout from 3 to 5
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-01 23:36:57 +00:00
Johannes Millan
41448e543b build: remove lint:ci etc 2025-08-29 14:39:45 +02:00
Johannes Millan
5a35dbe01c build: fix 2 2025-08-08 20:49:33 +02:00
Johannes Millan
7c00dcc8ba build: fix ? 2025-08-08 20:42:32 +02:00
Johannes Millan
673cdd3079 build: fix unsplash api stuff for build 2025-08-08 20:10:32 +02:00
Johannes Millan
cdf1f89675 build: fix builds failing due to missing env 2025-08-08 19:25:21 +02:00
Johannes Millan
e22fa4ac5f build: remove upload perf metrics 2025-08-04 12:38:38 +02:00
Johannes Millan
d45e6579db build(ci): ensure Playwright system dependencies are installed
- Use both --with-deps and install-deps commands
- This ensures all system libraries required by Chromium are installed
- Fixes potential missing dependencies in Ubuntu CI environment
2025-08-03 13:35:48 +02:00
Johannes Millan
902decf1e8 build(ci): install Playwright browsers before running e2e tests
- Add 'npx playwright install --with-deps chromium' step to CI workflows
- Remove unnecessary Chrome setup action (replaced by Playwright)
- This fixes "Executable doesn't exist" error when launching browser

The CI was failing because Playwright browsers weren't installed.
The server now starts successfully in ~60 seconds.
2025-08-03 13:23:17 +02:00
Johannes Millan
9134bb9f4b fix(ci): correct e2e test result path and improve test stability
- Fix artifact upload path from e2e-test-results to .tmp/e2e-test-results
- Re-enable serial execution for plugin-iframe tests to avoid race conditions
- Skip flaky reminders-schedule-page tests in CI temporarily
- Update both build.yml and lint-and-test-pr.yml workflows

The CI was failing because test results were being written to .tmp/e2e-test-results
but the artifact upload was looking in e2e-test-results (without .tmp prefix)
2025-08-03 11:13:09 +02:00
dependabot[bot]
db26ef544e
build(deps): bump browser-actions/setup-chrome from 1 to 2
Bumps [browser-actions/setup-chrome](https://github.com/browser-actions/setup-chrome) from 1 to 2.
- [Release notes](https://github.com/browser-actions/setup-chrome/releases)
- [Changelog](https://github.com/browser-actions/setup-chrome/blob/master/CHANGELOG.md)
- [Commits](https://github.com/browser-actions/setup-chrome/compare/v1...v2)

---
updated-dependencies:
- dependency-name: browser-actions/setup-chrome
  dependency-version: '2'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-01 13:32:56 +00:00
Johannes Millan
07d87fecd7 build: fix? 2025-06-11 13:11:50 +02:00
Johannes Millan
4afcad35b2 build: remove perf result posting for now 2025-06-09 13:41:16 +02:00
Johannes Millan
d9adf5b073 build: upload also failed test html report 2025-05-06 18:17:30 +02:00
Johannes Millan
b56c821e52 build: update upload artifact to v4 2025-01-09 18:44:02 +01:00
Johannes Millan
a6296be822 build: add new scss linting 2025-01-04 14:02:55 +01:00
Johannes Millan
7cbbbaed98 build: fix PR tests 2024-11-18 09:56:21 +01:00
Johannes Millan
27d95e887d build: make pr comment work 2024-11-14 19:06:14 +01:00
Johannes Millan
f8c71a1894 build: adjust pr script 2024-10-25 15:18:09 +02:00
Johannes Millan
8680481578 build: add debug info for new perf comment 2024-10-25 14:59:32 +02:00
Johannes Millan
ba820c3764 build: adjust actions script for posting metrics as comment 2024-10-25 14:43:31 +02:00
Johannes Millan
b8df214108 build: add performance test results via github actions 2024-10-25 14:02:58 +02:00
Johannes Millan
b8cdc2527d build: increase screenshot retention days 2024-09-18 09:42:32 +02:00
Johannes Millan
657a69e479 build: upload e2e screenshots always for now 2024-09-07 13:25:08 +02:00
Johannes Millan
600dd5fe66 build: fix naming 2024-09-07 13:23:56 +02:00
Johannes Millan
33db1bec01 build: upload e2e screenshots on failure 2024-09-03 09:43:30 +02:00
Johannes Millan
3efd0e4e74 build: update node version for GitHub actions 2024-04-09 20:19:16 +02:00
dependabot[bot]
5f4e5ea1fa build(deps): bump actions/cache from 3 to 4
Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-01 13:45:34 +01:00
Johannes Millan
b2f2348c44 build: upgrade checkout action 2023-12-29 12:57:34 +01:00
Johannes Millan
5245e94414 build: update node to v16 everywhere 2022-08-19 13:30:20 +02:00
Johannes Millan
acc56ff923 build: fix attempt for npm install 2 2022-08-19 13:26:38 +02:00
Johannes Millan
ab4706b77e build: downgrade to actions/checkout@v2 2022-08-19 13:22:29 +02:00
Johannes Millan
d498174f73 build: fix github install not working anymore 2022-08-19 13:19:18 +02:00
Johannes Millan
a441fde1bf build: use node 14 everywhere 2022-07-13 13:53:52 +02:00