
ci: fix Command injection vulnerability #24


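name: SATP-Hermes Gateway CI/CD
# -----------------------------------------------------------------------------
# PROCESS OVERVIEW
#
# Purpose:
# CI/CD pipeline for the SATP (Secure Asset Transfer Protocol) Hermes Gateway plugin.
# It builds and tests the plugin, generates code artifacts (protobuf, OpenAPI, Solidity),
# validates code quality, produces Docker images and publishes them to registries
# (the docker-stage job is reached on push, pull_request and workflow_dispatch runs;
# which of those actually publish is decided inside satp-hermes-docker.yaml).
#
# Architecture:
# This workflow is the orchestrator; each stage lives in its own reusable workflow:
# - .github/workflows/satp-hermes-build.yaml - Build and dependency management
# - .github/workflows/satp-hermes-lint.yaml - Code quality validation
# - .github/workflows/satp-hermes-codegen.yaml - Code generation (protobuf, OpenAPI, Solidity)
# - .github/workflows/satp-hermes-test.yaml - Unit and integration testing
# - .github/workflows/satp-hermes-docker.yaml - Docker image building and publishing
# - .github/workflows/satp-hermes-release.yaml - GitHub release creation
#
# Triggers:
# - push: branches [main, satp-dev, satp-stg]
# - pull_request: branches [main, satp-dev, satp-stg]
# - workflow_dispatch: manual triggers with release options
#
# High-level job flow and intent:
# 0) check_satp_code_changed / should_run_satp_pipelines: gate every stage on
#    whether SATP-relevant paths changed (or an explicit force flag)
# 1) build-stage: Installs dependencies, runs minimal configure/build for the SATP plugin
# 2) lint-stage: Runs ESLint, OpenAPI linting and protobuf linting for the SATP plugin
# 3) codegen-stage: Generates protobuf artifacts, OpenAPI SDKs and Solidity ABIs
# 4) test-stage: Runs unit and integration tests across multiple scenarios
# 5) docker-stage: Builds and publishes Docker images with appropriate tagging
# 6) release-stage: Creates GitHub releases (release mode only)
#
# DEVELOPMENT MODE (Default):
# - Triggered by push/PR events on release branches
# - Creates date-based development tags (YYYY-MM-DD-dev-{hash})
# - Builds, tests, and publishes development images without affecting 'latest' tag
#
# RELEASE MODE:
# - Triggered manually via workflow_dispatch with is_release=true
# - Uses package.json version for release tags (e.g., 0.0.1-beta)
# - Updates 'latest' tag to point to new release
# - Additional options: custom version, branch selection, test skipping
# - Creates GitHub release with changelog and Docker image information
#
# Core Pipeline Features:
# - Builds all monorepo dependencies and generates protocol artifacts (protobuf, OpenAPI, Solidity)
# - Runs comprehensive test suites including unit tests and integration tests across multiple scenarios
# - Validates code quality through linting and static analysis
# - Creates deployable Docker images and publishes them to container registries
# - Supports multiple deployment environments (main, dev, staging) with appropriate tagging
#
# Artifacts published by jobs (names to reference):
# - satp-hermes-build-output: build outputs (dist)
# - satp-hermes-yarn-cache: cached .yarn directory (fallback to package-specific .yarn)
# - satp-hermes-generated-protobuf: generated protobuf types
# - satp-hermes-generated-openapi: bundled OpenAPI YAML/JSON and generated TS SDK
# - satp-hermes-generated-solidity: generated solidity artifacts/ABIs
# - satp-unit-junit-report, satp-integration-junit-report-*: JUnit test reports
# - coverage-reports-satp-hermes: coverage artifacts (uploaded by tests when present)
# -----------------------------------------------------------------------------

# GITHUB_TOKEN scopes granted to every job in this file and, unless a calling
# job narrows them, to the reusable workflows it invokes. Listing any scope
# here sets every unlisted scope to `none`.
# NOTE(review): the write scopes are only needed by the docker/release stages;
# the two change-detection jobs below need read access at most. Moving these
# to per-job `permissions:` (reusable-workflow jobs accept that key) would be
# least privilege, but it has to match what the stage workflows declare, so
# the workflow-wide grant is kept here.
permissions:
  contents: write # Required for test result publishing
  checks: write # Required for test result reports
  packages: write # Required for publishing to GitHub Container Registry
  # dorny/paths-filter documents `pull-requests: read` as required on
  # pull_request events (it lists changed files through the PR API); with an
  # explicit permissions block that scope would otherwise be `none`.
  # Read-only, so harmless if a given run does not need it -- confirm against
  # the action's README for the pinned version.
  pull-requests: read

env:
  # NOTE: workflow-level `env` is not propagated to reusable workflows called
  # via `uses:`. Only jobs defined in this file can read this value, and none
  # of them do; the stage workflows must pin their own Node.js version.
  NODEJS_VERSION: v22.18.0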
# `on` is a GitHub Actions keyword; generic YAML 1.1 parsers read it as a
# boolean, which is why yamllint's truthy rule complains about it.
# yamllint disable-line rule:truthy
on:
  pull_request:
    branches:
      - main
      - satp-dev
      - satp-stg
  push:
    branches:
      - main
      - satp-dev
      - satp-stg
  # Manual trigger. Only users with write access can dispatch it, but every
  # input below still reaches jobs as an untrusted string: hand inputs to
  # scripts through `env:` instead of expanding `${{ }}` inside `run:`.
  workflow_dispatch:
    inputs:
      # Switches the pipeline into RELEASE MODE (see the overview at the top).
      is_release:
        description: 'Create release version using package.json version'
        required: false
        default: false
        type: boolean
      # Constrained to the three release branches; anything else is rejected
      # by GitHub before the run starts.
      release_branch:
        description: 'Branch to create release from (for manual releases)'
        required: false
        default: 'main'
        type: choice
        options:
          - main
          - satp-stg
          - satp-dev
      # Free-form text, forwarded verbatim to the docker and release stage
      # workflows; empty means "use the package.json version".
      custom_version:
        description: 'Custom version tag (leave empty to use package.json version)'
        required: false
        type: string
      # Bypasses test execution; only honoured for the docker stage together
      # with is_release (see the docker-stage condition).
      skip_tests:
        description: 'Skip test execution (for emergency releases only)'
        required: false
        default: false
        type: boolean
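jobs:
  # Detects whether anything relevant to the SATP plugin changed. Every stage
  # below is gated on this so unrelated commits do not run the full pipeline.
  check_satp_code_changed:
    outputs:
      status: ${{ steps.changes_satp.outputs.satp_code_changed }}
    runs-on: ubuntu-22.04
    steps:
      # Actions are pinned to full commit SHAs (the tag is only the trailing
      # comment) so a moved or re-pointed tag cannot swap the code that runs.
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.11.1
        id: changes_satp
        # NOTE(review): the first pattern carries a leading "./" that the
        # workflow-file patterns do not; paths-filter appears to strip that
        # prefix, but confirm the plugin pattern really matches, because a
        # non-matching entry silently disables the pipeline for code changes.
        with:
          filters: |
            satp_code_changed:
              - './packages/cactus-plugin-satp-hermes/**'
              - '.github/workflows/satp-hermes-build.yaml'
              - '.github/workflows/satp-hermes-codegen.yaml'
              - '.github/workflows/satp-hermes-docker.yaml'
              - '.github/workflows/satp-hermes-lint.yaml'
              - '.github/workflows/satp-hermes-main.yaml'
              - '.github/workflows/satp-hermes-test.yaml'

  # Reduces the change-detection result plus an optional force flag to a single
  # run/no-run decision that every stage consumes.
  should_run_satp_pipelines:
    needs: [check_satp_code_changed]
    runs-on: ubuntu-22.04
    outputs:
      run: ${{ steps.set_satp_run.outputs.run }}
    steps:
      - name: Set run output
        id: set_satp_run
        shell: bash
        # Values reach the script only through environment variables. Expanding
        # `${{ }}` directly inside `run:` splices the value into the shell
        # source before it executes -- the expression-injection pattern this
        # step used before. Both values are expected to be "true"/"false", but
        # the env-var form is safe for any content.
        env:
          SATP_CODE_CHANGED: ${{ needs.check_satp_code_changed.outputs.status }}
          # NOTE(review): RUN_SATP_HERMES_PIPELINE is not defined in this
          # workflow's top-level `env:`, so this resolves to an empty string and
          # the force path is effectively disabled. Define it at the top level
          # (or read a repository variable via `vars.`) to enable it.
          RUN_SATP_HERMES_PIPELINE: ${{ env.RUN_SATP_HERMES_PIPELINE }}
        run: |
          if [[ "$SATP_CODE_CHANGED" == "true" || "$RUN_SATP_HERMES_PIPELINE" == "true" ]]; then
            echo "run=true" >> "$GITHUB_OUTPUT"
          else
            # Previously only the exact "false"/"false" pair wrote an output and
            # every other combination left `run` empty, which consumers treat the
            # same as "false". Writing it explicitly keeps the output well-defined.
            echo "run=false" >> "$GITHUB_OUTPUT"
          fi

  # Stage 1: Build and Dependencies
  build-stage:
    needs: [should_run_satp_pipelines]
    if: needs.should_run_satp_pipelines.outputs.run == 'true'
    uses: ./.github/workflows/satp-hermes-build.yaml

  # Stage 2: Code Quality Validation
  lint-stage:
    needs: [build-stage, should_run_satp_pipelines]
    if: needs.should_run_satp_pipelines.outputs.run == 'true'
    uses: ./.github/workflows/satp-hermes-lint.yaml

  # Stage 3: Code Generation
  codegen-stage:
    needs: [build-stage, lint-stage, should_run_satp_pipelines]
    if: needs.should_run_satp_pipelines.outputs.run == 'true'
    uses: ./.github/workflows/satp-hermes-codegen.yaml

  # Stage 4: Test Execution
  test-stage:
    needs: [build-stage, codegen-stage, should_run_satp_pipelines]
    if: needs.should_run_satp_pipelines.outputs.run == 'true'
    uses: ./.github/workflows/satp-hermes-test.yaml
    with:
      # `github.event.inputs.*` are always strings, hence the string compare;
      # the comparison yields a real boolean for the called workflow.
      skip_tests: ${{ github.event.inputs.skip_tests == 'true' }}

  # Stage 5: Docker Build and Publishing
  docker-stage:
    needs: [build-stage, test-stage, should_run_satp_pipelines]
    # NOTE(review): this condition contains no status-check function
    # (always()/failure()/...), so GitHub implicitly ANDs success() over every
    # job in `needs`. The event-based alternatives in the disjunction are
    # always satisfied by this workflow's triggers, so in practice the gate is
    # "run == 'true' and test-stage succeeded". Whether the skip_tests bypass
    # ever takes effect depends on how satp-hermes-test.yaml reports when
    # skip_tests is set -- verify before relying on it for emergency releases.
    if: needs.should_run_satp_pipelines.outputs.run == 'true' &&
      ((github.event.inputs.skip_tests == 'true' &&
      github.event.inputs.is_release == 'true') ||
      (needs.test-stage.result == 'success') ||
      (github.event_name == 'push' && (github.ref == 'refs/heads/main' ||
      github.ref == 'refs/heads/satp-dev' || github.ref == 'refs/heads/satp-stg')) ||
      (github.event_name == 'pull_request' && (github.base_ref == 'main' ||
      github.base_ref == 'satp-dev' || github.base_ref == 'satp-stg')) ||
      github.event_name == 'workflow_dispatch')
    uses: ./.github/workflows/satp-hermes-docker.yaml
    with:
      skip_tests: ${{ github.event.inputs.skip_tests == 'true' }}
      is_release: ${{ github.event.inputs.is_release == 'true' }}
      # Free-form dispatch input forwarded verbatim; the called workflow must
      # treat it as untrusted (env var, never `${{ }}` inside `run:`).
      custom_version: ${{ github.event.inputs.custom_version }}
    # Forwards every secret visible to this workflow to the called one, on
    # pull_request runs from the same repository as well (fork PRs receive no
    # secrets). An explicit `secrets:` mapping limited to what the docker
    # workflow declares would be tighter; kept as-is because that declaration
    # is not visible from here.
    secrets: inherit

  # Stage 6: Release Creation (Release Mode Only)
  release-stage:
    needs: [docker-stage, should_run_satp_pipelines]
    if: needs.should_run_satp_pipelines.outputs.run == 'true' && github.event_name == 'workflow_dispatch' && github.event.inputs.is_release == 'true'
    uses: ./.github/workflows/satp-hermes-release.yaml
    with:
      is_release: ${{ github.event.inputs.is_release == 'true' }}
      release_branch: ${{ github.event.inputs.release_branch || 'main' }}
      # Same caveat as in docker-stage: untrusted free-form string.
      custom_version: ${{ github.event.inputs.custom_version }}
      tag_version: ${{ needs.docker-stage.outputs.tag_version }}
    # See the note on docker-stage; the same all-secrets grant applies here.
    secrets: inherit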