fix(ci,deps): correct action versions and patch security vulnerabilities

GitHub Actions:
- checkout@v4 → @v6 (v6 is current; v4 was a mistaken downgrade)
- upload-artifact@v4 → @v7 (latest), @v6 → @v7 in dbal-tests.yml
- download-artifact@v4 → @v8 (latest)
- cache@v6 → @v5 (v6 does not exist, v5 is latest)
- codeql-action@v4 confirmed correct

Security (Dependabot):
- next 16.1.5 → 16.1.7 (dockerterminal): HTTP smuggling, CSRF, DoS fixes
- PyJWT 2.10.1 → 2.12.0 (5 requirements.txt): unknown crit header bypass
- CairoSVG 2.8.2 → 2.9.0 (pcbgenerator): recursive <use> ReDoS
- postgres overrides: add hono >=4.12.4, @hono/node-server >=1.19.10,
  rollup >=4.59.0, serialize-javascript >=7.0.3 for transitive vulns

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
rw
2026-03-20 20:13:54 +00:00
parent da35b2f82a
commit 9d4244891e
11 changed files with 64 additions and 59 deletions


@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- name: Install system deps
run: |
@@ -67,7 +67,7 @@ jobs:
run: ctest -R dbal_unit_tests --output-on-failure
- name: Upload results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
if: always()
with:
name: unit-test-results
@@ -82,7 +82,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- name: Install Go (for testcontainers-sidecar)
uses: actions/setup-go@v5
@@ -162,7 +162,7 @@ jobs:
run: ctest -R dbal_integration_tests --output-on-failure -V
- name: Upload results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
if: always()
with:
name: integration-test-results
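Review bot: The new references `actions/checkout@v6` and `actions/upload-artifact@v7` are still mutable major-version tags, so a retagged or compromised upstream release would change the code these jobs run without any change in this repository. Since this commit is meant to tighten dependencies, pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6` (placeholder; take the SHA from the action's release page). The same applies to every `uses:` line changed in the second workflow file on this page, where the checkout steps of the staging and production deploy jobs and the container build jobs are the most sensitive. The job bodies continue outside these hunks.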


@@ -294,7 +294,7 @@ jobs:
echo "$(date -Iseconds)" > gate-artifacts/gate-1/start-time.txt
- name: Upload gate start marker
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-start
path: gate-artifacts/gate-1/
@@ -306,7 +306,7 @@ jobs:
needs: gate-1-start
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup Python
uses: actions/setup-python@v5
@@ -389,7 +389,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-schema-result
path: gate-artifacts/gate-1/
@@ -401,7 +401,7 @@ jobs:
needs: schema-check
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -423,7 +423,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-typecheck-result
path: gate-artifacts/gate-1/
@@ -435,7 +435,7 @@ jobs:
needs: schema-check
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -468,7 +468,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-lint-result
path: gate-artifacts/gate-1/
@@ -480,7 +480,7 @@ jobs:
needs: schema-check
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -503,7 +503,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-security-result
path: gate-artifacts/gate-1/
@@ -515,7 +515,7 @@ jobs:
needs: schema-check
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Check for oversized files
run: |
@@ -538,7 +538,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-filesize-result
path: gate-artifacts/gate-1/
@@ -550,7 +550,7 @@ jobs:
needs: schema-check
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Check code complexity
run: |
@@ -575,7 +575,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-complexity-result
path: gate-artifacts/gate-1/
@@ -587,7 +587,7 @@ jobs:
needs: schema-check
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Detect stubs and placeholder code
run: |
@@ -613,7 +613,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-stub-result
path: gate-artifacts/gate-1/
@@ -624,7 +624,7 @@ jobs:
needs: [schema-check, typecheck, lint, security-scan, file-size-check, code-complexity-check, stub-detection]
steps:
- name: Download all gate 1 artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
pattern: gate-1-*
path: gate-artifacts/
@@ -652,7 +652,7 @@ jobs:
ls -la gate-artifacts/gate-1/
- name: Upload consolidated gate 1 report
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-1-complete-report
path: gate-artifacts/
@@ -672,7 +672,7 @@ jobs:
unit_changed: ${{ steps.diff.outputs.unit_changed }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Detect changed paths
id: diff
@@ -716,7 +716,7 @@ jobs:
echo "$(date -Iseconds)" > gate-artifacts/gate-2/start-time.txt
- name: Upload gate start marker
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-2-start
path: gate-artifacts/gate-2/
@@ -729,7 +729,7 @@ jobs:
if: ${{ !inputs.skip_tests }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Restore cached coverage report
id: cache-restore
@@ -801,7 +801,7 @@ jobs:
- name: Upload coverage report
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: coverage-report
path: frontends/nextjs/coverage/
@@ -816,7 +816,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-2-unit-result
path: gate-artifacts/gate-2/
@@ -829,7 +829,7 @@ jobs:
if: ${{ !inputs.skip_tests }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Restore cached test results
id: cache-restore
@@ -892,7 +892,7 @@ jobs:
- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: playwright-report
path: playwright-report/
@@ -907,7 +907,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-2-e2e-result
path: gate-artifacts/gate-2/
@@ -920,7 +920,7 @@ jobs:
if: ${{ !inputs.skip_tests }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -940,7 +940,7 @@ jobs:
- name: Upload daemon test report
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: playwright-report-dbal-daemon
path: frontends/nextjs/playwright-report/
@@ -955,7 +955,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-2-dbal-result
path: gate-artifacts/gate-2/
@@ -971,7 +971,7 @@ jobs:
(needs.test-dbal-daemon.result == 'success' || needs.test-dbal-daemon.result == 'skipped')
steps:
- name: Download all gate 2 artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
pattern: gate-2-*
path: gate-artifacts/
@@ -995,7 +995,7 @@ jobs:
ls -la gate-artifacts/gate-2/
- name: Upload consolidated gate 2 report
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-2-complete-report
path: gate-artifacts/
@@ -1021,7 +1021,7 @@ jobs:
echo "$(date -Iseconds)" > gate-artifacts/gate-3/start-time.txt
- name: Upload gate start marker
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-3-start
path: gate-artifacts/gate-3/
@@ -1035,7 +1035,7 @@ jobs:
build-success: ${{ steps.build-step.outcome }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -1050,7 +1050,7 @@ jobs:
run: npm run build -w frontends/nextjs
- name: Upload build artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: dist
path: frontends/nextjs/.next/
@@ -1065,7 +1065,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-3-build-result
path: gate-artifacts/gate-3/
@@ -1078,7 +1078,7 @@ jobs:
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -1108,7 +1108,7 @@ jobs:
- name: Upload validation result
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-3-quality-result
path: gate-artifacts/gate-3/
@@ -1120,7 +1120,7 @@ jobs:
if: always() && needs.build.result == 'success' && (needs.quality-check.result == 'success' || needs.quality-check.result == 'skipped')
steps:
- name: Download all gate 3 artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
pattern: gate-3-*
path: gate-artifacts/
@@ -1141,7 +1141,7 @@ jobs:
ls -la gate-artifacts/gate-3/
- name: Upload consolidated gate 3 report
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: gate-3-complete-report
path: gate-artifacts/
@@ -1157,7 +1157,7 @@ jobs:
if: github.event_name == 'pull_request' && !github.event.pull_request.draft
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -1326,7 +1326,7 @@ jobs:
url: https://staging.metabuilder.example.com
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -1376,7 +1376,7 @@ jobs:
url: https://metabuilder.example.com
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup npm with Nexus
uses: ./.github/actions/setup-npm
@@ -1445,7 +1445,7 @@ jobs:
platforms: linux/amd64,linux/arm64
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v4
@@ -1590,7 +1590,7 @@ jobs:
require_prebuilt: false
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v4
@@ -1682,7 +1682,7 @@ jobs:
if: ${{ !inputs.skip_containers }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v4
@@ -1806,7 +1806,7 @@ jobs:
watch_paths: deployment/config/dbal dbal/shared
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
@@ -1989,7 +1989,7 @@ jobs:
language: ${{ inputs.codeql_languages == 'all' && fromJSON('["javascript-typescript","python","cpp","go"]') || fromJSON(format('["{0}"]', inputs.codeql_languages)) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -2055,7 +2055,7 @@ jobs:
if: always()
steps:
- name: Download all gate artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
pattern: gate-*-complete-report
path: all-gate-artifacts/
@@ -2120,7 +2120,7 @@ jobs:
}
- name: Upload complete audit trail
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: complete-gate-audit-trail
path: all-gate-artifacts/
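Review bot: The `actions/download-artifact@v8` steps skip four major versions while the surrounding steps still assume a fixed directory layout: the downloads use `pattern: gate-1-*` (and the gate-2/gate-3 equivalents) with `path: gate-artifacts/`, and a later step lists `gate-artifacts/gate-1/`. Whether matched artifacts are extracted into per-artifact subdirectories or merged is decided by the action and may differ between majors. Confirm this against the release notes and state the intent explicitly with the `merge-multiple` input, if it is not already set outside the hunk. The final summary job runs under `if: always()` and appears to upload `complete-gate-audit-trail` from `all-gate-artifacts/`, so a layout change would more likely yield an empty or partial audit trail than a failed run; a step that checks the expected report files exist before the upload would catch that.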