fix(ci,deps): correct action versions and patch security vulnerabilities
GitHub Actions:
- checkout@v4 → @v6 (v6 is current, v4 was a wrong downgrade)
- upload-artifact@v4 → @v7 (latest), @v6 → @v7 in dbal-tests.yml
- download-artifact@v4 → @v8 (latest)
- cache@v6 → @v5 (v6 does not exist, v5 is latest)
- codeql-action@v4 confirmed correct

Security (Dependabot):
- next 16.1.5 → 16.1.7 (dockerterminal): HTTP smuggling, CSRF, DoS fixes
- PyJWT 2.10.1 → 2.12.0 (5 requirements.txt): unknown crit header bypass
- CairoSVG 2.8.2 → 2.9.0 (pcbgenerator): recursive <use> ReDoS
- postgres overrides: add hono >=4.12.4, @hono/node-server >=1.19.10, rollup >=4.59.0, serialize-javascript >=7.0.3 for transitive vulns

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
8
.github/workflows/dbal-tests.yml
vendored
8
.github/workflows/dbal-tests.yml
vendored
@@ -16,7 +16,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v6
|
||||
|
||||
- name: Install system deps
|
||||
run: |
|
||||
@@ -67,7 +67,7 @@ jobs:
|
||||
run: ctest -R dbal_unit_tests --output-on-failure
|
||||
|
||||
- name: Upload results
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
if: always()
|
||||
with:
|
||||
name: unit-test-results
|
||||
@@ -82,7 +82,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v6
|
||||
|
||||
- name: Install Go (for testcontainers-sidecar)
|
||||
uses: actions/setup-go@v5
|
||||
@@ -162,7 +162,7 @@ jobs:
|
||||
run: ctest -R dbal_integration_tests --output-on-failure -V
|
||||
|
||||
- name: Upload results
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
if: always()
|
||||
with:
|
||||
name: integration-test-results
|
||||
|
||||
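Review bot: The bumped `uses:` lines still reference mutable major tags (`actions/checkout@v6`, `actions/upload-artifact@v7`), so the code CI executes can change whenever a tag is moved upstream. Pin each one to the full commit SHA of the intended release and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6` (placeholder, to be taken from the release page). The same applies to every `uses:` line changed in `.github/workflows/gated-pipeline.yml`, including `actions/download-artifact@v8`. A SHA pin would also settle in the diff itself which release each step runs, a question the commit message shows was already answered wrongly once. The jobs these steps belong to start and end outside the hunks shown.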
96
.github/workflows/gated-pipeline.yml
vendored
96
.github/workflows/gated-pipeline.yml
vendored
@@ -294,7 +294,7 @@ jobs:
|
||||
echo "$(date -Iseconds)" > gate-artifacts/gate-1/start-time.txt
|
||||
|
||||
- name: Upload gate start marker
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-start
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -306,7 +306,7 @@ jobs:
|
||||
needs: gate-1-start
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup Python
|
||||
uses: actions/setup-python@v5
|
||||
@@ -389,7 +389,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-schema-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -401,7 +401,7 @@ jobs:
|
||||
needs: schema-check
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -423,7 +423,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-typecheck-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -435,7 +435,7 @@ jobs:
|
||||
needs: schema-check
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -468,7 +468,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-lint-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -480,7 +480,7 @@ jobs:
|
||||
needs: schema-check
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -503,7 +503,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-security-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -515,7 +515,7 @@ jobs:
|
||||
needs: schema-check
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Check for oversized files
|
||||
run: |
|
||||
@@ -538,7 +538,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-filesize-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -550,7 +550,7 @@ jobs:
|
||||
needs: schema-check
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Check code complexity
|
||||
run: |
|
||||
@@ -575,7 +575,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-complexity-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -587,7 +587,7 @@ jobs:
|
||||
needs: schema-check
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Detect stubs and placeholder code
|
||||
run: |
|
||||
@@ -613,7 +613,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-stub-result
|
||||
path: gate-artifacts/gate-1/
|
||||
@@ -624,7 +624,7 @@ jobs:
|
||||
needs: [schema-check, typecheck, lint, security-scan, file-size-check, code-complexity-check, stub-detection]
|
||||
steps:
|
||||
- name: Download all gate 1 artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
pattern: gate-1-*
|
||||
path: gate-artifacts/
|
||||
@@ -652,7 +652,7 @@ jobs:
|
||||
ls -la gate-artifacts/gate-1/
|
||||
|
||||
- name: Upload consolidated gate 1 report
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-1-complete-report
|
||||
path: gate-artifacts/
|
||||
@@ -672,7 +672,7 @@ jobs:
|
||||
unit_changed: ${{ steps.diff.outputs.unit_changed }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Detect changed paths
|
||||
id: diff
|
||||
@@ -716,7 +716,7 @@ jobs:
|
||||
echo "$(date -Iseconds)" > gate-artifacts/gate-2/start-time.txt
|
||||
|
||||
- name: Upload gate start marker
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-2-start
|
||||
path: gate-artifacts/gate-2/
|
||||
@@ -729,7 +729,7 @@ jobs:
|
||||
if: ${{ !inputs.skip_tests }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Restore cached coverage report
|
||||
id: cache-restore
|
||||
@@ -801,7 +801,7 @@ jobs:
|
||||
|
||||
- name: Upload coverage report
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: coverage-report
|
||||
path: frontends/nextjs/coverage/
|
||||
@@ -816,7 +816,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-2-unit-result
|
||||
path: gate-artifacts/gate-2/
|
||||
@@ -829,7 +829,7 @@ jobs:
|
||||
if: ${{ !inputs.skip_tests }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Restore cached test results
|
||||
id: cache-restore
|
||||
@@ -892,7 +892,7 @@ jobs:
|
||||
|
||||
- name: Upload test results
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: playwright-report
|
||||
path: playwright-report/
|
||||
@@ -907,7 +907,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-2-e2e-result
|
||||
path: gate-artifacts/gate-2/
|
||||
@@ -920,7 +920,7 @@ jobs:
|
||||
if: ${{ !inputs.skip_tests }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -940,7 +940,7 @@ jobs:
|
||||
|
||||
- name: Upload daemon test report
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: playwright-report-dbal-daemon
|
||||
path: frontends/nextjs/playwright-report/
|
||||
@@ -955,7 +955,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-2-dbal-result
|
||||
path: gate-artifacts/gate-2/
|
||||
@@ -971,7 +971,7 @@ jobs:
|
||||
(needs.test-dbal-daemon.result == 'success' || needs.test-dbal-daemon.result == 'skipped')
|
||||
steps:
|
||||
- name: Download all gate 2 artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
pattern: gate-2-*
|
||||
path: gate-artifacts/
|
||||
@@ -995,7 +995,7 @@ jobs:
|
||||
ls -la gate-artifacts/gate-2/
|
||||
|
||||
- name: Upload consolidated gate 2 report
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-2-complete-report
|
||||
path: gate-artifacts/
|
||||
@@ -1021,7 +1021,7 @@ jobs:
|
||||
echo "$(date -Iseconds)" > gate-artifacts/gate-3/start-time.txt
|
||||
|
||||
- name: Upload gate start marker
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-3-start
|
||||
path: gate-artifacts/gate-3/
|
||||
@@ -1035,7 +1035,7 @@ jobs:
|
||||
build-success: ${{ steps.build-step.outcome }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -1050,7 +1050,7 @@ jobs:
|
||||
run: npm run build -w frontends/nextjs
|
||||
|
||||
- name: Upload build artifacts
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: dist
|
||||
path: frontends/nextjs/.next/
|
||||
@@ -1065,7 +1065,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-3-build-result
|
||||
path: gate-artifacts/gate-3/
|
||||
@@ -1078,7 +1078,7 @@ jobs:
|
||||
if: github.event_name == 'pull_request'
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
@@ -1108,7 +1108,7 @@ jobs:
|
||||
|
||||
- name: Upload validation result
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-3-quality-result
|
||||
path: gate-artifacts/gate-3/
|
||||
@@ -1120,7 +1120,7 @@ jobs:
|
||||
if: always() && needs.build.result == 'success' && (needs.quality-check.result == 'success' || needs.quality-check.result == 'skipped')
|
||||
steps:
|
||||
- name: Download all gate 3 artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
pattern: gate-3-*
|
||||
path: gate-artifacts/
|
||||
@@ -1141,7 +1141,7 @@ jobs:
|
||||
ls -la gate-artifacts/gate-3/
|
||||
|
||||
- name: Upload consolidated gate 3 report
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: gate-3-complete-report
|
||||
path: gate-artifacts/
|
||||
@@ -1157,7 +1157,7 @@ jobs:
|
||||
if: github.event_name == 'pull_request' && !github.event.pull_request.draft
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
@@ -1326,7 +1326,7 @@ jobs:
|
||||
url: https://staging.metabuilder.example.com
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -1376,7 +1376,7 @@ jobs:
|
||||
url: https://metabuilder.example.com
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Setup npm with Nexus
|
||||
uses: ./.github/actions/setup-npm
|
||||
@@ -1445,7 +1445,7 @@ jobs:
|
||||
platforms: linux/amd64,linux/arm64
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v4
|
||||
@@ -1590,7 +1590,7 @@ jobs:
|
||||
require_prebuilt: false
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v4
|
||||
@@ -1682,7 +1682,7 @@ jobs:
|
||||
if: ${{ !inputs.skip_containers }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v4
|
||||
@@ -1806,7 +1806,7 @@ jobs:
|
||||
watch_paths: deployment/config/dbal dbal/shared
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v4
|
||||
@@ -1989,7 +1989,7 @@ jobs:
|
||||
language: ${{ inputs.codeql_languages == 'all' && fromJSON('["javascript-typescript","python","cpp","go"]') || fromJSON(format('["{0}"]', inputs.codeql_languages)) }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
@@ -2055,7 +2055,7 @@ jobs:
|
||||
if: always()
|
||||
steps:
|
||||
- name: Download all gate artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
pattern: gate-*-complete-report
|
||||
path: all-gate-artifacts/
|
||||
@@ -2120,7 +2120,7 @@ jobs:
|
||||
}
|
||||
|
||||
- name: Upload complete audit trail
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: complete-gate-audit-trail
|
||||
path: all-gate-artifacts/
|
||||
|
||||
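Review bot: None of the `actions/checkout@v6` steps visible in these hunks sets `persist-credentials: false`, so by default the job token stays configured for git while later steps such as `npm run build -w frontends/nextjs` and the QEMU/Buildx image builds run. Where a job never pushes back to the repository, add `with: { persist-credentials: false }` to its checkout step, next to `fetch-depth: 0` where that is already set. Separately, `actions/download-artifact` jumps from v4 to v8 while the consolidation steps still depend on `pattern: gate-1-*` with `path: gate-artifacts/`. Nothing on the page shows a run confirming that the extracted layout is unchanged across those majors, so the gate summary and audit-trail jobs should be checked on a test run before merging. Most of these steps continue outside their hunks, so inputs set further down are not visible here.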
@@ -343,6 +343,7 @@ Multi-version peer deps. React 18/19, TypeScript 5.9.3, Next.js 14-16, @reduxjs/
|
||||
| `loadFromDirectory` vs `loadFromFile` | Both must stay in sync — `loadFromDirectory` is used in production; check both when adding schema parsing features |
|
||||
| New DBAL entity missing from frontend | Add JSON schema in `dbal/shared/api/schema/entities/{package}/`, seed in `dbal/shared/seeds/database/`, rebuild `dbal-init` + DBAL image |
|
||||
| ComponentNode schema vs C++ struct | JSON schema must match C++ struct in `types.generated.hpp` (pageId, parentId, childIds, order), NOT the Redux slice shape |
|
||||
| GitHub Actions version assumptions | NEVER assume an action version is invalid — use `WebFetch` on `https://github.com/actions/{name}/releases` to verify before changing |
|
||||
|
||||
### Critical Folders to Check Before Any Task
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
"@emotion/styled": "^11.14.1",
|
||||
"@mui/icons-material": "^7.3.7",
|
||||
"@mui/material": "^7.3.7",
|
||||
"next": "16.1.5",
|
||||
"next": "16.1.7",
|
||||
"react": "19.2.3",
|
||||
"react-dom": "19.2.3"
|
||||
},
|
||||
|
||||
@@ -24,7 +24,7 @@ python-dotenv==1.0.0
|
||||
|
||||
# Security & Encryption
|
||||
cryptography==46.0.5
|
||||
pyjwt==2.10.1
|
||||
pyjwt==2.12.0
|
||||
|
||||
# HTTP & Requests
|
||||
requests==2.32.4
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
Flask==3.1.3
|
||||
Flask-CORS==6.0.0
|
||||
pyjwt==2.10.1
|
||||
pyjwt==2.12.0
|
||||
rocksdict==0.3.29
|
||||
werkzeug==3.1.6
|
||||
jsonschema==4.20.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
Flask==3.1.3
|
||||
flask-cors==6.0.0
|
||||
docker==7.1.0
|
||||
PyJWT==2.10.1
|
||||
PyJWT==2.12.0
|
||||
requests==2.32.4
|
||||
|
||||
@@ -66,6 +66,10 @@
|
||||
"react-dom": "^19.2.4",
|
||||
"minimatch": "10.2.4",
|
||||
"tar": "7.5.11",
|
||||
"hono": ">=4.12.4",
|
||||
"@hono/node-server": ">=1.19.10",
|
||||
"rollup": ">=4.59.0",
|
||||
"serialize-javascript": ">=7.0.3",
|
||||
"esbuild": ">=0.25.0",
|
||||
"@esbuild-kit/core-utils": {
|
||||
"esbuild": ">=0.25.0"
|
||||
|
||||
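Review bot: The four added overrides (`hono`, `@hono/node-server`, `rollup`, `serialize-javascript`) use open-ended `>=` ranges, which set a floor but no ceiling. A fresh resolve can therefore pull any later major, including a breaking release or one published after a maintainer account is compromised. Bound each to the patched release line, e.g. `"hono": "^4.12.4"` and `"rollup": "^4.59.0"`, and commit the regenerated lockfile so the resolved versions can be reviewed. The existing `"esbuild": ">=0.25.0"` context lines follow the same pattern and could be tightened in the same pass. This section's file header is missing from the page; the commit message suggests it is the postgres package manifest.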
@@ -6,7 +6,7 @@ requests==2.32.4
|
||||
pydantic==2.5.2
|
||||
SQLAlchemy==2.0.23
|
||||
python-dateutil==2.8.2
|
||||
PyJWT==2.10.1
|
||||
PyJWT==2.12.0
|
||||
gunicorn==23.0.0
|
||||
email-validator==2.1.0
|
||||
imapclient==3.0.1
|
||||
|
||||
@@ -3,6 +3,6 @@ svg.path==7.0
|
||||
fonttools==4.60.2
|
||||
pytest==8.4.1
|
||||
pytest-timeout==2.4.0
|
||||
cairosvg==2.8.2
|
||||
cairosvg==2.9.0
|
||||
pillow==12.1.1
|
||||
shapely==2.1.1
|
||||
|
||||
@@ -14,7 +14,7 @@ cryptography==46.0.5
|
||||
flask==3.1.3
|
||||
flask-cors==6.0.0
|
||||
flask-limiter==3.5.0
|
||||
PyJWT==2.10.1
|
||||
PyJWT==2.12.0
|
||||
|
||||
# Database
|
||||
sqlalchemy==2.0.23
|
||||
|
||||