diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a962161a..0d9c0301 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,19 +24,21 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Get Package Version id: retrieve-version run: | PKG_VERSION=$(jq -r .version package.json) - echo "package_version=$PKG_VERSION" >> $GITHUB_OUTPUT + echo "package_version=$PKG_VERSION" >> "$GITHUB_OUTPUT" - name: Get Node Version id: retrieve-node-version run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" linux-cli: name: Build Linux CLI
@@ -50,6 +52,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -61,7 +65,7 @@ jobs: - name: Update NPM run: | npm install -g node-gyp - node-gyp install $(node -v) + node-gyp install "$(node -v)" - name: Keytar run: |
@@ -72,8 +76,8 @@ jobs: keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz" mkdir -p ./keytar/linux - wget $keytarUrl -O ./keytar/linux/$keytarTarGz - tar -xvf ./keytar/linux/$keytarTarGz -C ./keytar/linux + wget "$keytarUrl" -O "./keytar/linux/$keytarTarGz" + tar -xvf "./keytar/linux/$keytarTarGz" -C ./keytar/linux - name: Install run: npm install 
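Review bot: The new `wget "$keytarUrl" -O "./keytar/linux/$keytarTarGz"` line in hunk `@@ -72,8 +76,8 @@` still fetches a prebuilt native module with no integrity check, and the `keytar.node` it unpacks is later bundled into the build artifact by the Zip step; the quoting fixes word splitting but not that gap. Pin the digest of the `$keytarVersion` release and verify it between the `wget` and `tar` lines, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  ./keytar/linux/$keytarTarGz" | sha256sum -c -`, so a tampered or swapped asset fails the job instead of shipping. The macOS hunk at `@@ -148,8 +154,8 @@` has the same gap and can use `shasum -a 256 -c -` for the check. The `keytarVersion` assignment that feeds the URL is above the hunk and is not visible here.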
@@ -82,19 +86,19 @@ jobs: run: npm run dist:cli:lin - name: Zip - run: zip -j dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip dist-cli/linux/bwdc keytar/linux/build/Release/keytar.node + run: zip -j "dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip" "dist-cli/linux/bwdc" "keytar/linux/build/Release/keytar.node" - name: Version Test run: | sudo apt-get update sudo apt install libsecret-1-0 dbus-x11 gnome-keyring - eval $(dbus-launch --sh-syntax) + eval "$(dbus-launch --sh-syntax)" - eval $(echo -n "" | /usr/bin/gnome-keyring-daemon --login) - eval $(/usr/bin/gnome-keyring-daemon --components=secrets --start) + eval "$(echo -n "" | /usr/bin/gnome-keyring-daemon --login)" + eval "$(/usr/bin/gnome-keyring-daemon --components=secrets --start)" mkdir -p test/linux - unzip ./dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip -d ./test/linux + unzip "./dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip" -d ./test/linux testVersion=$(./test/linux/bwdc -v)
@@ -126,6 +130,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -137,7 +143,7 @@ jobs: - name: Update NPM run: | npm install -g node-gyp - node-gyp install $(node -v) + node-gyp install "$(node -v)" - name: Keytar run: |
@@ -148,8 +154,8 @@ jobs: keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz" mkdir -p ./keytar/macos - wget $keytarUrl -O ./keytar/macos/$keytarTarGz - tar -xvf ./keytar/macos/$keytarTarGz -C ./keytar/macos + wget "$keytarUrl" -O "./keytar/macos/$keytarTarGz" + tar -xvf "./keytar/macos/$keytarTarGz" -C ./keytar/macos - name: Install run: npm install 
@@ -158,12 +164,12 @@ jobs: run: npm run dist:cli:mac - name: Zip - run: zip -j dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip dist-cli/macos/bwdc keytar/macos/build/Release/keytar.node + run: zip -j "dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip" "dist-cli/macos/bwdc" "keytar/macos/build/Release/keytar.node" - name: Version Test run: | mkdir -p test/macos - unzip ./dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip -d ./test/macos + unzip "./dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip" -d ./test/macos testVersion=$(./test/macos/bwdc -v)
@@ -195,6 +201,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Windows builder run: |
@@ -241,7 +249,7 @@ jobs: - name: Version Test shell: pwsh run: | - Expand-Archive -Path "dist-cli\bwdc-windows-${{ env._PACKAGE_VERSION }}.zip" -DestinationPath "test\windows" + Expand-Archive -Path "dist-cli\bwdc-windows-$env:_PACKAGE_VERSION.zip" -DestinationPath "test\windows" $testVersion = Invoke-Expression '& .\test\windows\bwdc.exe -v' echo "version: ${env:_PACKAGE_VERSION}" echo "testVersion: $testVersion"
@@ -272,6 +280,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -370,6 +380,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -381,7 +393,7 @@ jobs: - name: Update NPM run: | npm install -g node-gyp - node-gyp install $(node -v) + node-gyp install "$(node -v)" - name: Set up environment run: | 
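Review bot: The line right after the changed `Expand-Archive` call in hunk `@@ -241,7 +249,7 @@` still runs `Invoke-Expression '& .\test\windows\bwdc.exe -v'`, an eval of a string that is a constant here, which the commit's move from `${{ env._PACKAGE_VERSION }}` to `$env:_PACKAGE_VERSION` does not address. `$testVersion = & .\test\windows\bwdc.exe -v` produces the same value without routing the command through the expression parser, and it removes the one place in this step where a future interpolated variable could become command injection. The `run:` script continues past the end of the hunk, so the later use of `$testVersion` is not visible here.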
@@ -428,6 +440,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -439,7 +453,7 @@ jobs: - name: Update NPM run: | npm install -g node-gyp - node-gyp install $(node -v) + node-gyp install "$(node -v)" - name: Print environment run: |
@@ -464,16 +478,16 @@ jobs: - name: Get certificates run: | - mkdir -p $HOME/certificates + mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | - jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/macdev-cert.p12" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main
@@ -482,9 +496,9 @@ jobs: env: KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ 
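Review bot: The quoted `mkdir -p "$HOME/certificates"` and the three `base64 -d > "$HOME/certificates/...p12"` redirections in hunk `@@ -464,16 +478,16 @@` create the signing certificates under the runner's default umask, so the decoded PKCS#12 files stay readable by any other process on the host for the rest of the job. Since the step owns the directory, tightening it costs nothing: `mkdir -p -m 700 "$HOME/certificates" && chmod 700 "$HOME/certificates"` on the changed line (the `-m` only applies when the directory is newly created, hence the `chmod`), and `umask 077` before the first `az` pipeline so the `.p12` files are created `0600`. The keychain hunk below imports these files by path and is unaffected by the tighter modes.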
@@ -496,12 +510,12 @@ jobs: security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain - name: Load package version run: | $rootPath = $env:GITHUB_WORKSPACE; - $packageVersion = (Get-Content -Raw -Path $rootPath\package.json | ConvertFrom-Json).version; + $packageVersion = (Get-Content -Raw -Path "$rootPath\package.json" | ConvertFrom-Json).version; Write-Output "Setting package version to $packageVersion"; Write-Output "PACKAGE_VERSION=$packageVersion" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append;
@@ -511,10 +525,12 @@ jobs: run: npm install - name: Set up private auth key + env: + _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_UFD296548T.p8 - ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + ${_APP_STORE_CONNECT_AUTH_KEY} EOF - name: Build application
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index 41866281..2d65e016 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -30,13 +30,15 @@ jobs: steps: - name: Check out repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Get Node version id: retrieve-node-version run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
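Review bot: The new `${_APP_STORE_CONNECT_AUTH_KEY}` line in hunk `@@ -511,10 +525,12 @@` is fed through an unquoted `cat << EOF`, so the secret still passes through parameter and command expansion before it lands in `AuthKey_UFD296548T.p8`, and `mkdir ~/private_keys` plus the redirection create the key under the default umask. Writing it with `printf` under a restrictive umask avoids both: `umask 077; mkdir -p ~/private_keys` followed by `printf '%s\n' "$_APP_STORE_CONNECT_AUTH_KEY" > ~/private_keys/AuthKey_UFD296548T.p8`, replacing the three heredoc lines. A PEM body normally contains no `$` or backticks, so the expansion is unlikely to corrupt the key today, but the `printf` form does not depend on that; `-p` also keeps the step from failing if the directory already exists.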
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index baedf185..ad1709b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Branch check if: ${{ inputs.release_type != 'Dry Run' }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b959bf17..c776df21 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,13 +23,15 @@ jobs: steps: - name: Check out repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Get Node version id: retrieve-node-version run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index b2d9ad9c..87b01fd0 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -52,6 +52,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: token: ${{ steps.app-token.outputs.token }} + persist-credentials: true - name: Setup git run: |
@@ -62,7 +63,7 @@ jobs: id: current-version run: | CURRENT_VERSION=$(cat package.json | jq -r '.version') - echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT + echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT" - name: Verify input version if: ${{ inputs.version_number_override != '' }} 
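Review bot: The added `persist-credentials: true` in the version-bump checkout (hunk `@@ -52,6 +52,7 @@`) is the one checkout in this change that deliberately leaves a token in `.git/config` while every other checkout is switched to `false`, and nothing on the line says why. A comment on the new line, e.g. `persist-credentials: true # the app token must remain for the Commit files / Push changes steps below; every later step in this job can read it`, would keep a future cleanup from flipping it and records the trade-off that made the other workflows turn it off. The push step that consumes the persisted token is outside this hunk.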
@@ -77,8 +78,7 @@ jobs: fi # Check if version is newer. - printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V - if [ $? -eq 0 ]; then + if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then echo "Version check successful." else echo "Version check failed." 
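Review bot: `if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then` succeeds when the two versions are equal, because `sort -C` only checks that its input is already in order and equal lines are in order, so the branch that prints "Version check successful." does not establish the "newer" property the comment above it promises. An inequality guard keeps the refactored shape: `if [ "${CURRENT_VERSION}" != "${NEW_VERSION}" ] && printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then`. If an earlier check in this step already rejects an unchanged version the guard is redundant but harmless; that part of the script, like the closing `fi` of this `if`, is outside the hunk.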
@@ -110,26 +110,34 @@ jobs: - name: Set final version output id: set-final-version-output + env: + _BUMP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-version-override.outcome }} + _INPUT_VERSION_NUMBER_OVERRIDE: ${{ inputs.version_number_override }} + _BUMP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-version-automatic.outcome }} + _CALCULATE_NEXT_VERSION: ${{ steps.calculate-next-version.outputs.version }} + run: | - if [[ "${{ steps.bump-version-override.outcome }}" == "success" ]]; then - echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT - elif [[ "${{ steps.bump-version-automatic.outcome }}" == "success" ]]; then - echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT + if [[ "$_BUMP_VERSION_OVERRIDE_OUTCOME" == "success" ]]; then + echo "version=$_INPUT_VERSION_NUMBER_OVERRIDE" >> "$GITHUB_OUTPUT" + elif [[ "$_BUMP_VERSION_AUTOMATIC_OUTCOME" == "success" ]]; then + echo "version=$_CALCULATE_NEXT_VERSION" >> "$GITHUB_OUTPUT" fi - name: Check if version changed id: version-changed run: | if [ -n "$(git status --porcelain)" ]; then - echo "changes_to_commit=TRUE" >> $GITHUB_OUTPUT + echo "changes_to_commit=TRUE" >> "$GITHUB_OUTPUT" else - echo "changes_to_commit=FALSE" >> $GITHUB_OUTPUT + echo "changes_to_commit=FALSE" >> "$GITHUB_OUTPUT" echo "No changes to commit!"; fi - name: Commit files if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a + env: + _VERSION: ${{ steps.set-final-version-output.outputs.version }} + run: git commit -m "Bumped version to $_VERSION" -a - name: Push changes if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}