From a698782439d069d58cf7a8a19538b5fe5975efe8 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Tue, 9 Dec 2025 23:38:07 +0000 Subject: [PATCH 01/10] fix: use npm ci Signed-off-by: mineme0110 --- .github/workflows/integration-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 3b162fd138..3d5d1d2e03 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -176,6 +176,6 @@ jobs: AGENT_VERSION: ${{ steps.build_local_cloud_agent.outputs.agent_version }} run: | ./docker/run.sh "$AGENT_VERSION" - npm i + npm ci npm test ./docker/stop.sh From 6e3eb141aa0fb3276fdeac70dec4390e602dfe6d Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Tue, 9 Dec 2025 23:40:09 +0000 Subject: [PATCH 02/10] fix: use npm ci Signed-off-by: mineme0110 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 47e764c2da..19b80216c4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -76,7 +76,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.IDENTUS_CI }} DOCKERHUB_ORG: ${{ vars.DOCKERHUB_ORG }} run: | - npm install + npm ci npx semantic-release - name: Get release version From d43a0b71f251e552b6429554094c469278630156 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Tue, 9 Dec 2025 23:46:10 +0000 Subject: [PATCH 03/10] fix: use npm ci Signed-off-by: mineme0110 --- .github/workflows/release-clients.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-clients.yml b/.github/workflows/release-clients.yml index b284b82c15..7a828d9c9b 100644 --- a/.github/workflows/release-clients.yml +++ b/.github/workflows/release-clients.yml 
@@ -63,7 +63,7 @@ jobs: # Ensure npm version ≥ 11.5.1 for Trusted Publishing - name: Upgrade npm - run: npm install -g npm@^11.5.1 + run: npm install -g npm@11.5.1 - name: Setup Gradle uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0 From c75e664c96fc83c98c521dea7530471e55c7ba74 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Tue, 9 Dec 2025 23:55:22 +0000 Subject: [PATCH 04/10] fix: use npm ci Signed-off-by: mineme0110 --- .github/workflows/release-clients.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-clients.yml b/.github/workflows/release-clients.yml index 7a828d9c9b..8fb279ac0e 100644 --- a/.github/workflows/release-clients.yml +++ b/.github/workflows/release-clients.yml @@ -57,13 +57,13 @@ jobs: - name: Setup Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: "lts/*" + node-version: "22.16.0§" registry-url: "https://registry.npmjs.org" scope: "@hyperledger" # Ensure npm version ≥ 11.5.1 for Trusted Publishing - name: Upgrade npm - run: npm install -g npm@11.5.1 + run: npm ci - name: Setup Gradle uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0 From 0fd4dc1595f4667f48ad610ca401b19b93c709d1 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Wed, 10 Dec 2025 09:29:03 +0000 Subject: [PATCH 05/10] fix: use npm ci Signed-off-by: mineme0110 --- .github/workflows/release-clients.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-clients.yml b/.github/workflows/release-clients.yml index 8fb279ac0e..dfad49a373 100644 --- a/.github/workflows/release-clients.yml +++ b/.github/workflows/release-clients.yml 
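Review bot: The `node-version: "22.16.0§"` added in PATCH 04 carries a stray `§` that actions/setup-node cannot resolve as a version, and the "Upgrade npm" step now runs `npm ci`, which installs project dependencies rather than upgrading npm as the step name and the `≥ 11.5.1` comment above it state. Both lines are reverted in PATCH 05, so the two commits net only the `"lts/*"` → `"22.16.0"` pin; squashing them would keep the broken intermediate state out of history. The enclosing job continues outside the hunk.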
@@ -57,13 +57,13 @@ jobs: - name: Setup Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: - node-version: "22.16.0§" + node-version: "22.16.0" registry-url: "https://registry.npmjs.org" scope: "@hyperledger" # Ensure npm version ≥ 11.5.1 for Trusted Publishing - name: Upgrade npm - run: npm ci + run: npm install -g npm@11.5.1 - name: Setup Gradle uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0 From a2ed646979e75ea52b4e9cb95d1e0cae8e0731a0 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Wed, 10 Dec 2025 12:33:59 +0000 Subject: [PATCH 06/10] fix: use npm ci Signed-off-by: mineme0110 --- .github/workflows/integration-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 3d5d1d2e03..01e4f95791 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -176,6 +176,6 @@ jobs: AGENT_VERSION: ${{ steps.build_local_cloud_agent.outputs.agent_version }} run: | ./docker/run.sh "$AGENT_VERSION" - npm ci + npm install npm test ./docker/stop.sh From 8f64b9bf4b81b901c4f9295e1e43674b92926cff Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Wed, 10 Dec 2025 12:56:13 +0000 Subject: [PATCH 07/10] fix: sonar input validation Signed-off-by: mineme0110 --- .github/workflows/release-clients.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-clients.yml b/.github/workflows/release-clients.yml index dfad49a373..a7d0db9652 100644 --- a/.github/workflows/release-clients.yml +++ b/.github/workflows/release-clients.yml 
@@ -84,8 +84,16 @@ jobs: - name: Rename OpenAPI specification if: ${{ !inputs.releaseTag }} working-directory: cloud-agent/service/api/http + env: + REVISION: ${{ inputs.revision }} run: | - mv cloud-agent-openapi-spec-${{ inputs.revision }}.yaml cloud-agent-openapi-spec.yaml + set -euo pipefail + case "$REVISION" in + # allow alphanumerics, dot, dash, underscore + ''|*[!A-Za-z0-9._-]*) + echo "Invalid revision value"; exit 1 ;; + esac + mv "cloud-agent-openapi-spec-${REVISION}.yaml" cloud-agent-openapi-spec.yaml - name: Set revision version if: ${{ !inputs.releaseTag }} From e6c45a6e2a70b1ac39c83375bd94b93707f69171 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Thu, 11 Dec 2025 18:16:48 +0000 Subject: [PATCH 08/10] fix: pin dependencies Signed-off-by: mineme0110 --- .github/workflows/integration-tests.yml | 2 +- .github/workflows/release-clients.yml | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 01e4f95791..3d5d1d2e03 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -176,6 +176,6 @@ jobs: AGENT_VERSION: ${{ steps.build_local_cloud_agent.outputs.agent_version }} run: | ./docker/run.sh "$AGENT_VERSION" - npm install + npm ci npm test ./docker/stop.sh diff --git a/.github/workflows/release-clients.yml b/.github/workflows/release-clients.yml index a7d0db9652..9f6513ced5 100644 --- a/.github/workflows/release-clients.yml +++ b/.github/workflows/release-clients.yml 
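Review bot: The `case "$REVISION"` allow-list introduced in this step is repeated verbatim in both hunks of PATCH 10 (the "Set revision version" and "Set version for clients" steps), so the same check has to be kept in sync in three places. Validating `inputs.revision` once in a dedicated step at the start of the job, with the same `case` and `exit 1`, would let each consuming step keep only the quoted expansion `"${REVISION}"`. The rejection message should also go to stderr rather than stdout: `echo "Invalid revision value" >&2; exit 1 ;;`. The enclosing job continues outside the hunk.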
@@ -63,7 +63,13 @@ jobs: # Ensure npm version ≥ 11.5.1 for Trusted Publishing - name: Upgrade npm - run: npm install -g npm@11.5.1 + run: | + URL="https://registry.npmjs.org/npm/-/npm-11.5.1.tgz" + EXPECTED_HASH="f4c82fbff74154f73bd5ce5a2b749700d55eaddebda97b16076bf7033040de34" + curl -sSfL "$URL" -o npm.tgz + echo "$EXPECTED_HASH npm.tgz" | sha256sum -c - + npm install -g npm.tgz + rm npm.tgz - name: Setup Gradle uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0 From bcf98f412e0cdb054aa7d27746f4d3aabcc55fd4 Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Thu, 11 Dec 2025 19:02:23 +0000 Subject: [PATCH 09/10] fix: npm ci Signed-off-by: mineme0110 --- .github/workflows/integration-tests.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 3d5d1d2e03..c054f4ffd1 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -176,6 +176,11 @@ jobs: AGENT_VERSION: ${{ steps.build_local_cloud_agent.outputs.agent_version }} run: | ./docker/run.sh "$AGENT_VERSION" - npm ci + if [ -f package-lock.json ]; then + npm ci + else + npm install --package-lock-only + npm ci + fi npm test ./docker/stop.sh From adbdb0e3616edef9aeb0631729c7cab0621d672e Mon Sep 17 00:00:00 2001 From: mineme0110 Date: Fri, 12 Dec 2025 13:24:49 +0000 Subject: [PATCH 10/10] fix: npm ci Signed-off-by: mineme0110 --- .github/workflows/release-clients.yml | 35 ++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-clients.yml b/.github/workflows/release-clients.yml index 9f6513ced5..cea751ec0b 100644 --- a/.github/workflows/release-clients.yml +++ b/.github/workflows/release-clients.yml 
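Review bot: The tarball is written into the checkout directory and `rm npm.tgz` only runs when every earlier command succeeds, so a failed `sha256sum -c` (which aborts the step under the default `bash -e`) leaves the rejected archive in the workspace; downloading into a `mktemp -d` directory with a `trap ... EXIT` cleans up on both paths. The step also never confirms that the pinned build took effect, so a trailing `test "$(npm --version)" = "11.5.1"` turns the "Ensure npm version ≥ 11.5.1" comment into an enforced check. For consistency with the `set -euo pipefail` prologue used by the steps in PATCH 07 and PATCH 10 the same line belongs here, so the `echo | sha256sum` pipeline fails on either side. The hash constant is carried over from the hunk and was not independently verified. The enclosing job continues outside the hunk.
```yaml
      - name: Upgrade npm
        run: |
          set -euo pipefail
          URL="https://registry.npmjs.org/npm/-/npm-11.5.1.tgz"
          EXPECTED_HASH="f4c82fbff74154f73bd5ce5a2b749700d55eaddebda97b16076bf7033040de34"
          TMP_DIR="$(mktemp -d)"
          trap 'rm -rf "$TMP_DIR"' EXIT
          curl -sSfL "$URL" -o "$TMP_DIR/npm.tgz"
          echo "$EXPECTED_HASH  $TMP_DIR/npm.tgz" | sha256sum -c -
          npm install -g "$TMP_DIR/npm.tgz"
          test "$(npm --version)" = "11.5.1"
```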
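Review bot: The `else` branch in PATCH 09 undoes what `npm ci` provides: `npm install --package-lock-only` resolves the newest versions matching package.json at run time, so when the lockfile is absent the job installs an unpinned, non-reproducible dependency set and `npm ci` merely replays it. If the lockfile is meant to be committed, the step should fail instead: `[ -f package-lock.json ] || { echo "package-lock.json missing" >&2; exit 1; }` followed by `npm ci`. Note also that the install sits between `./docker/run.sh` and `./docker/stop.sh`, so an install failure aborts the step with the agent still running; moving dependency installation ahead of `./docker/run.sh` avoids that. The enclosing job continues outside the hunk.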
@@ -104,7 +104,16 @@ jobs: - name: Set revision version if: ${{ !inputs.releaseTag }} working-directory: cloud-agent/client/generator - run: yarn version --new-version ${{ inputs.revision }} --no-git-tag-version + env: + REVISION: ${{ inputs.revision }} + run: | + set -euo pipefail + case "$REVISION" in + # allow alphanumerics, dot, dash, underscore + ''|*[!A-Za-z0-9._-]*) + echo "Invalid revision value"; exit 1 ;; + esac + yarn version --new-version "$REVISION" --no-git-tag-version - name: Install generator dependencies working-directory: cloud-agent/client/generator @@ -115,11 +124,29 @@ jobs: run: yarn generate:all - name: Set version for clients + env: + REVISION: ${{ inputs.revision }} + RELEASE_TAG: ${{ github.event.inputs.releaseTag }} run: | - if [ -z "${{ github.event.inputs.releaseTag }}" ]; then - echo "VERSION_TAG=cloud-agent-v${{ inputs.revision }}" >> $GITHUB_ENV + set -euo pipefail + case "$REVISION" in + # allow alphanumerics, dot, dash, underscore + ''|*[!A-Za-z0-9._-]*) + echo "Invalid revision value"; exit 1 ;; + esac + case "${RELEASE_TAG:-}" in + # allow empty or safe tag characters + ''|*[!A-Za-z0-9._-]*) + if [ -n "${RELEASE_TAG:-}" ]; then + echo "Invalid releaseTag value"; exit 1 + fi + ;; + esac + + if [ -z "${RELEASE_TAG:-}" ]; then + echo "VERSION_TAG=cloud-agent-v${REVISION}" >> "$GITHUB_ENV" else - echo "VERSION_TAG=${{ github.event.inputs.releaseTag }}" >> $GITHUB_ENV + echo "VERSION_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV" fi # The npm publish step uses Trusted Publisher via OIDC
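Review bot: In the "Set version for clients" step the `REVISION` check runs unconditionally, unlike the preceding "Set revision version" hunk that is guarded by `if: ${{ !inputs.releaseTag }}`, so the `''` arm now fails the release whenever a releaseTag is supplied and revision is left empty — assuming revision is optional on that path, the check belongs inside the `if [ -z "${RELEASE_TAG:-}" ]` branch where the value is actually used. The `RELEASE_TAG` case is more involved than needed: the empty string never matches `*[!A-Za-z0-9._-]*`, so dropping the `''|` alternative and the inner `if` leaves a single arm, `*[!A-Za-z0-9._-]*) echo "Invalid releaseTag value" >&2; exit 1 ;;`. The step also mixes `inputs.revision` with `github.event.inputs.releaseTag`; both presumably read the same workflow_dispatch inputs, but `inputs.releaseTag` would match the `if:` conditions elsewhere in this file. The enclosing job continues outside the hunk.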