-
Notifications
You must be signed in to change notification settings - Fork 20
chore: alpha 4 release #229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 34 commits
699c9b3
755e532
71d5cdc
9a2cb9e
b03ae8c
4105527
6941a39
fca61fb
fc1d179
32a319a
048d06f
a7f2e4c
c694877
e1f6324
5b7a8dc
615dc70
b20861a
59d3fa0
250e19b
f3e8e93
d7d92fd
33dbae1
17e2501
51ce8ee
b48204e
1f1552a
72b0589
b07845d
e84b778
d6847b5
d2359aa
7e5e1ed
11dd3ee
5d4f1a7
df4d717
81e1843
0354aad
64adab9
9fb435a
8a82b9f
71792f7
b937355
8a09814
5ba2a51
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| param( | ||
| [string]$Token | ||
| ) | ||
|
|
||
| if ([string]::IsNullOrEmpty($Token)) { | ||
| # For PRs from forks, secrets are not available. We use a dummy token to allow the build to pass. | ||
| if ($env:GITHUB_EVENT_NAME -eq 'pull_request') { | ||
| Write-Host "Warning: No UPLOADTHING_TOKEN provided. Using dummy token for PR build." | ||
| $Token = "DUMMY_TOKEN_FOR_CI_ONLY" | ||
| } else { | ||
| Write-Error "No UPLOADTHING_TOKEN provided. Fails for Release builds." | ||
| exit 1 | ||
| } | ||
| } | ||
|
|
||
| $constantsPath = "GenHub/GenHub.Core/Constants/ApiConstants.cs" | ||
| if (-not (Test-Path $constantsPath)) { | ||
| Write-Error "Could not find $constantsPath" | ||
| exit 1 | ||
| } | ||
|
|
||
| $tokenBytes = [System.Text.Encoding]::UTF8.GetBytes($Token) | ||
| $key = New-Object byte[] 32 | ||
| [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key) | ||
|
|
||
| $obfuscated = New-Object byte[] $tokenBytes.Length | ||
| for ($i = 0; $i -lt $tokenBytes.Length; $i++) { | ||
| $obfuscated[$i] = $tokenBytes[$i] -bxor $key[$i % $key.Length] | ||
| } | ||
|
|
||
| $dataStr = ($obfuscated | ForEach-Object { "0x{0:x2}" -f $_ }) -join ", " | ||
| $keyStr = ($key | ForEach-Object { "0x{0:x2}" -f $_ }) -join ", " | ||
|
|
||
| $content = Get-Content $constantsPath -Raw | ||
|
|
||
| # Use regex replace to be robust against whitespace | ||
| # Pattern: byte[] data = []; // [PLACEHOLDER_DATA] | ||
| $content = [System.Text.RegularExpressions.Regex]::Replace($content, 'byte\[\]\s+data\s*=\s*\[\];\s*//\s*\[PLACEHOLDER_DATA\]', "byte[] data = [$dataStr];") | ||
| $content = [System.Text.RegularExpressions.Regex]::Replace($content, 'byte\[\]\s+key\s*=\s*\[\];\s*//\s*\[PLACEHOLDER_KEY\]', "byte[] key = [$keyStr];") | ||
|
|
||
| if ($content -notmatch "0x") { | ||
| Write-Error "Token injection failed! Placeholders were not found or replaced." | ||
| exit 1 | ||
| } | ||
|
|
||
| Set-Content $constantsPath $content | ||
| Write-Host "Successfully injected and obfuscated UPLOADTHING_TOKEN into ApiConstants.cs" | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -123,6 +123,11 @@ jobs: | |
| echo "VERSION=$version" >> $env:GITHUB_OUTPUT | ||
| echo "CHANNEL=$channel" >> $env:GITHUB_OUTPUT | ||
|
|
||
| - name: Inject Secrets | ||
| shell: pwsh | ||
| run: | | ||
| ./.github/scripts/inject-token.ps1 -Token "${{ secrets.UPLOADTHING_TOKEN }}" | ||
|
|
||
|
Comment on lines
+126
to
+130
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Guard secret injection to trusted contexts only. Running the token-injection step on PR CI (especially public repos) risks embedding 🔒 Suggested guard (apply to both Windows & Linux steps)- - name: Inject Secrets
- shell: pwsh
- run: |
- ./.github/scripts/inject-token.ps1 -Token "${{ secrets.UPLOADTHING_TOKEN }}"
+ - name: Inject Secrets
+ if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && secrets.UPLOADTHING_TOKEN != '' }}
+ shell: pwsh
+ run: |
+ ./.github/scripts/inject-token.ps1 -Token "${{ secrets.UPLOADTHING_TOKEN }}"Also applies to: 288-292 🤖 Prompt for AI Agents |
||
| - name: Build Projects | ||
| shell: pwsh | ||
| run: | | ||
|
|
@@ -142,6 +147,7 @@ jobs: | |
| Write-Host "Building Windows project" | ||
| dotnet build "${{ env.WINDOWS_PROJECT }}" -c ${{ env.BUILD_CONFIGURATION }} @buildProps | ||
|
|
||
|
|
||
| - name: Publish Windows App | ||
| shell: pwsh | ||
| run: | | ||
|
|
@@ -279,6 +285,11 @@ jobs: | |
| echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT | ||
| echo "VERSION=$VERSION" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Inject Secrets | ||
| shell: pwsh | ||
| run: | | ||
| ./.github/scripts/inject-token.ps1 -Token "${{ secrets.UPLOADTHING_TOKEN }}" | ||
|
|
||
| - name: Build Projects | ||
| run: | | ||
| BUILD_PROPS="-p:Version=${{ steps.buildinfo.outputs.VERSION }} -p:GitShortHash=${{ steps.buildinfo.outputs.SHORT_HASH }} -p:PullRequestNumber=${{ steps.buildinfo.outputs.PR_NUMBER }} -p:BuildChannel=${{ steps.buildinfo.outputs.CHANNEL }}" | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. WARNING: BuildChannel output is never set in this job
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| name: Deploy Landing Page to GitHub Pages | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["GenHub Release"] | ||
| types: [completed] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pages: write | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. WARNING: Manual workflow dispatch will never run For
Comment on lines
+14
to
+17
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Manual dispatch will be skipped due to condition check. The condition 🐛 Proposed fix jobs:
deploy:
runs-on: ubuntu-latest
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}🤖 Prompt for AI Agents |
||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/configure-pages@v5 | ||
|
|
||
| - id: release_info | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| LATEST_TAG=$(gh release list --limit 1 --json tagName -q '.[0].tagName') | ||
|
|
||
| BUILD_NUM=$(echo "$LATEST_TAG" | cut -d'.' -f3) | ||
| DISPLAY_NAME="Alpha ${BUILD_NUM}" | ||
|
|
||
| echo "latest_tag=$LATEST_TAG" >> $GITHUB_OUTPUT | ||
| echo "display_name=$DISPLAY_NAME" >> $GITHUB_OUTPUT | ||
|
Comment on lines
+24
to
+34
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add error handling for missing releases. If no releases exist, 🛡️ Suggested defensive check - id: release_info
env:
GH_TOKEN: ${{ github.token }}
run: |
LATEST_TAG=$(gh release list --limit 1 --json tagName -q '.[0].tagName')
+
+ if [ -z "$LATEST_TAG" ]; then
+ echo "::error::No releases found"
+ exit 1
+ fi
BUILD_NUM=$(echo "$LATEST_TAG" | cut -d'.' -f3)
DISPLAY_NAME="Alpha ${BUILD_NUM}"🤖 Prompt for AI Agents |
||
|
|
||
| - run: | | ||
| mkdir -p ./public | ||
| cp Landing-page/index.html ./public/index.html | ||
|
|
||
| if [ -d "Landing-page/assets" ]; then | ||
| cp -r Landing-page/assets ./public/assets | ||
| fi | ||
|
|
||
| DOWNLOAD_URL="https://github.com/community-outpost/GenHub/releases/download/${{ steps.release_info.outputs.latest_tag }}/GenHub-win-Setup.exe" | ||
|
|
||
| sed -i "s|VERSION_PLACEHOLDER|${{ steps.release_info.outputs.display_name }}|g" ./public/index.html | ||
| sed -i "s|URL_PLACEHOLDER|${DOWNLOAD_URL}|g" ./public/index.html | ||
|
|
||
| - uses: actions/upload-pages-artifact@v3 | ||
| with: | ||
| path: ./public | ||
|
|
||
| - uses: actions/deploy-pages@v4 | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strengthen placeholder validation to avoid false positives.
The current
-notmatch "0x"check can succeed even if placeholders are not replaced (e.g., other hex literals exist), causing silent token injection failure. Prefer explicitly checking for leftover placeholders.🔧 Suggested fix
📝 Committable suggestion
🤖 Prompt for AI Agents