Skip to content
CI

Security hardening: XSS, open redirect, CSRF, XXE, memory safety #21

Sign in to view logs

Security hardening: XSS, open redirect, CSRF, XXE, memory safety

Security hardening: XSS, open redirect, CSRF, XXE, memory safety #21

Workflow file for this run

.github/workflows/ci.yml at 5fcecc4
name: CI
on:
push:
branches: [main, master]
tags: ['v*']
pull_request:
branches: [main, master]
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node: [18, 20, 22]
steps:
- uses: actions/checkout@v4
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
liblasso3-dev \
libxml2-dev \
libxmlsec1-dev \
libglib2.0-dev
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run build
- name: Run tests
run: npm test
- name: Type check
run: npm run check
- name: Verify tag matches package.json version
if: startsWith(github.ref, 'refs/tags/v')
run: |
TAG_VERSION="${GITHUB_REF#refs/tags/v}"
PKG_VERSION=$(node -p "require('./package.json').version")
if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
echo "❌ Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
exit 1
fi
echo "✅ Tag version matches package.json version: $PKG_VERSION"
build:
needs: test
if: startsWith(github.ref, 'refs/tags/v')
strategy:
matrix:
include:
- os: ubuntu-latest
target: linux-x64
- os: macos-14
target: darwin-arm64
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Install system dependencies (Linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y \
liblasso3-dev \
libxml2-dev \
libxmlsec1-dev \
libglib2.0-dev
- name: Install system dependencies (macOS)
if: runner.os == 'macOS'
run: brew install lasso libxml2 xmlsec1 glib pkg-config
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build prebuilds
run: npm run prebuildify
- name: Upload prebuilds
uses: actions/upload-artifact@v4
with:
name: prebuilds-${{ matrix.target }}
path: prebuilds/
build-linux-arm64:
needs: test
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- name: Build in arm64 container
uses: docker/build-push-action@v5
with:
context: .
file: .github/Dockerfile.arm64
platforms: linux/arm64
push: false
outputs: type=local,dest=./output
- name: Move prebuilds
run: mv output/prebuilds prebuilds
- name: Upload prebuilds
uses: actions/upload-artifact@v4
with:
name: prebuilds-linux-arm64
path: prebuilds/
publish:
needs: [build, build-linux-arm64]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'
cache: 'npm'
- name: Download all prebuilds
uses: actions/download-artifact@v4
with:
pattern: prebuilds-*
path: prebuilds/
merge-multiple: true
- name: List prebuilds
run: ls -laR prebuilds/
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Build TypeScript
run: npm run build:ts
- name: Remove prepare script (avoid rebuild during publish)
run: npm pkg delete scripts.prepare
- name: Publish to npm
run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}