From b4a2e1a6a0014446252645db6e61c596e16fbcd4 Mon Sep 17 00:00:00 2001 From: Henri Vasserman Date: Tue, 1 Apr 2025 01:42:12 +0300 Subject: lib/anubis: actually check the result with the correct difficulty (#180) * cmd/anubis actually check the result with the correct difficulty * chore: changelog * test(cmd/anubis): make test check for difficulty * lib: add regression test for CVE-2025-24369 Signed-off-by: Xe Iaso * bump VERSION and CHANGELOG Tracks #181 Signed-off-by: Xe Iaso --------- Signed-off-by: Xe Iaso Co-authored-by: Xe Iaso --- VERSION | 2 +- docs/docs/CHANGELOG.md | 13 +++++++++ lib/anubis.go | 19 ++++++------- lib/anubis_test.go | 76 +++++++++++++++++++++++++++++++++++++++++++++++++- 4 files changed, 98 insertions(+), 12 deletions(-) diff --git a/VERSION b/VERSION index 141f2e8..ace4423 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.15.0 +1.15.1 diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 931ab9d..18513f5 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] + - Added a periodic cleanup routine for the decaymap that removes expired entries, ensuring stale data is properly pruned. - Added a no-store Cache-Control header to the challenge page - Hide the directory listings for Anubis' internal static content 
@@ -28,6 +29,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Fixed a typo in the challenge page title. - Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [#133](https://github.com/TecharoHQ/anubis/pull/133#issuecomment-2764732309)). +## v1.15.1 + +Zenos yae Galvus: Echo 1 + +Fixes a recurrence of [CVE-2025-24369](https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f) +due to an incorrect logic change in a refactor. This allows an attacker to mint a valid +access token by passing any SHA-256 hash instead of one that matches the proof-of-work +test. + +This case has been added as a regression test. It was not when CVE-2025-24369 was released +due to the project not having the maturity required to enable this kind of regression testing. + ## v1.15.0 Zenos yae Galvus diff --git a/lib/anubis.go b/lib/anubis.go index 1b2ebfc..732d2c3 100644 --- a/lib/anubis.go +++ b/lib/anubis.go @@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) { } type Server struct { - mux *http.ServeMux - next http.Handler - priv ed25519.PrivateKey - pub ed25519.PublicKey - policy *policy.ParsedConfig - opts Options - DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse] - ChallengeDifficulty int + mux *http.ServeMux + next http.Handler + priv ed25519.PrivateKey + pub ed25519.PublicKey + policy *policy.ParsedConfig + opts Options + DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse] } func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { 
@@ -441,9 +440,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) { } // compare the leading zeroes - if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) { + if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) { s.ClearCookie(w) - lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty) + lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty) templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r) failedValidations.Inc() return diff --git a/lib/anubis_test.go b/lib/anubis_test.go index 58c8834..79a0532 100644 --- a/lib/anubis_test.go +++ b/lib/anubis_test.go 
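Review bot: The leading-zero check in PassChallenge builds its target with `strings.Repeat("0", rule.Challenge.Difficulty)`, and nothing in the hunk bounds that value. A negative difficulty makes `strings.Repeat` panic inside the request handler, and a difficulty of 0 makes `strings.HasPrefix` true for any response; TestCookieSettings in this commit sets `pol.DefaultDifficulty = 0`, so zero looks intentional. `rule` is resolved above the hunk and may already be validated there or at policy load; if it is not, fail closed before the comparison with something like `if rule.Challenge.Difficulty < 0 { /* same 403 path as below */ }`. A comment on the check such as `// difficulty must come from the rule matched for this request, never a server-wide value (CVE-2025-24369 regression)` would help a later refactor keep the fix. The function body starts and ends outside the hunk.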
@@ -34,6 +34,79 @@ func spawnAnubis(t *testing.T, opts Options) *Server { return s } +type challenge struct { + Challenge string `json:"challenge"` +} + +func makeChallenge(t *testing.T, ts *httptest.Server) challenge { + t.Helper() + + resp, err := ts.Client().Post(ts.URL+"/.within.website/x/cmd/anubis/api/make-challenge", "", nil) + if err != nil { + t.Fatalf("can't request challenge: %v", err) + } + defer resp.Body.Close() + + var chall challenge + if err := json.NewDecoder(resp.Body).Decode(&chall); err != nil { + t.Fatalf("can't read challenge response body: %v", err) + } + + return chall +} + +// Regression test for CVE-2025-24369 +func TestCVE2025_24369(t *testing.T) { + pol := loadPolicies(t, "") + pol.DefaultDifficulty = 4 + + srv := spawnAnubis(t, Options{ + Next: http.NewServeMux(), + Policy: pol, + + CookieDomain: "local.cetacean.club", + CookiePartitioned: true, + CookieName: t.Name(), + }) + + ts := httptest.NewServer(internal.RemoteXRealIP(true, "tcp", srv)) + defer ts.Close() + + chall := makeChallenge(t, ts) + calcString := fmt.Sprintf("%s%d", chall.Challenge, 0) + calculated := internal.SHA256sum(calcString) + nonce := 0 + elapsedTime := 420 + redir := "/" + + cli := ts.Client() + cli.CheckRedirect = func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse + } + + req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil) + if err != nil { + t.Fatalf("can't make request: %v", err) + } + + q := req.URL.Query() + q.Set("response", calculated) + q.Set("nonce", fmt.Sprint(nonce)) + q.Set("redir", redir) + q.Set("elapsedTime", fmt.Sprint(elapsedTime)) + req.URL.RawQuery = q.Encode() + + resp, err := cli.Do(req) + if err != nil { + t.Fatalf("can't do challenge passing") + } + + if resp.StatusCode == http.StatusFound { + t.Log("Regression on CVE-2025-24369") + t.Errorf("wanted HTTP status %d, got: %d", http.StatusForbidden, resp.StatusCode) + } +} + func TestCookieSettings(t 
*testing.T) { pol := loadPolicies(t, "") pol.DefaultDifficulty = 0 @@ -72,8 +145,9 @@ func TestCookieSettings(t *testing.T) { nonce := 0 elapsedTime := 420 redir := "/" + calculated := "" calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce) - calculated := internal.SHA256sum(calcString) + calculated = internal.SHA256sum(calcString) req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil) if err != nil { -- cgit v1.2.3 From 08bb7f953c5c457ca5801715191371fe9c5b06c9 Mon Sep 17 00:00:00 2001 From: Talya Connor Date: Tue, 1 Apr 2025 11:20:06 +1100 Subject: cmd/anubis: support ED25519_PRIVATE_KEY_HEX_FILE (#185) --- cmd/anubis/main.go | 58 +++++++++++++++++++++++++++++++------------------- docs/docs/CHANGELOG.md | 1 + 2 files changed, 37 insertions(+), 22 deletions(-) diff --git a/cmd/anubis/main.go b/cmd/anubis/main.go index 5f858f3..560a261 100644 --- a/cmd/anubis/main.go +++ b/cmd/anubis/main.go @@ -1,6 +1,7 @@ package main import ( + "bytes" "context" "crypto/ed25519" "crypto/rand" 
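Review bot: The final assertion in TestCVE2025_24369 fails only when the status is exactly 302, so a 200, a 500 or any other non-403 answer from pass-challenge lets the regression test pass. Assert the expected outcome directly with `if resp.StatusCode != http.StatusForbidden { t.Errorf("wanted HTTP status %d, got: %d", http.StatusForbidden, resp.StatusCode) }`. The response from `cli.Do(req)` is never closed (add `defer resp.Body.Close()` after the error check), and `t.Fatalf("can't do challenge passing")` drops `err`. The test also assumes the SHA-256 of the challenge with nonce 0 does not begin with four zeroes, which is false for roughly 1 in 65,536 challenges; a comment saying so, or a skip when `calculated` already has that prefix, would make the intent explicit.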
@@ -32,22 +33,23 @@ import ( ) var ( - bind = flag.String("bind", ":8923", "network address to bind HTTP to") - bindNetwork = flag.String("bind-network", "tcp", "network family to bind HTTP to, e.g. unix, tcp") - challengeDifficulty = flag.Int("difficulty", anubis.DefaultDifficulty, "difficulty of the challenge") - cookieDomain = flag.String("cookie-domain", "", "if set, the top-level domain that the Anubis cookie will be valid for") - cookiePartitioned = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support") - ed25519PrivateKeyHex = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned") - metricsBind = flag.String("metrics-bind", ":9090", "network address to bind metrics to") - metricsBindNetwork = flag.String("metrics-bind-network", "tcp", "network family for the metrics server to bind to") - socketMode = flag.String("socket-mode", "0770", "socket mode (permissions) for unix domain sockets.") - robotsTxt = flag.Bool("serve-robots-txt", false, "serve a robots.txt file that disallows all robots") - policyFname = flag.String("policy-fname", "", "full path to anubis policy document (defaults to a sensible built-in policy)") - slogLevel = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)") - target = flag.String("target", "http://localhost:3923", "target to reverse proxy to") - healthcheck = flag.Bool("healthcheck", false, "run a health check against Anubis") - useRemoteAddress = flag.Bool("use-remote-address", false, "read the client's IP address from the network request, useful for debugging and running Anubis on bare metal") - debugBenchmarkJS = flag.Bool("debug-benchmark-js", false, "respond to every request with a challenge for benchmarking hashrate") + bind = flag.String("bind", ":8923", "network address to bind HTTP to") + bindNetwork = flag.String("bind-network", "tcp", "network family to 
bind HTTP to, e.g. unix, tcp") + challengeDifficulty = flag.Int("difficulty", anubis.DefaultDifficulty, "difficulty of the challenge") + cookieDomain = flag.String("cookie-domain", "", "if set, the top-level domain that the Anubis cookie will be valid for") + cookiePartitioned = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support") + ed25519PrivateKeyHex = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned") + ed25519PrivateKeyHexFile = flag.String("ed25519-private-key-hex-file", "", "file name containing value for ed25519-private-key-hex") + metricsBind = flag.String("metrics-bind", ":9090", "network address to bind metrics to") + metricsBindNetwork = flag.String("metrics-bind-network", "tcp", "network family for the metrics server to bind to") + socketMode = flag.String("socket-mode", "0770", "socket mode (permissions) for unix domain sockets.") + robotsTxt = flag.Bool("serve-robots-txt", false, "serve a robots.txt file that disallows all robots") + policyFname = flag.String("policy-fname", "", "full path to anubis policy document (defaults to a sensible built-in policy)") + slogLevel = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)") + target = flag.String("target", "http://localhost:3923", "target to reverse proxy to") + healthcheck = flag.Bool("healthcheck", false, "run a health check against Anubis") + useRemoteAddress = flag.Bool("use-remote-address", false, "read the client's IP address from the network request, useful for debugging and running Anubis on bare metal") + debugBenchmarkJS = flag.Bool("debug-benchmark-js", false, "respond to every request with a challenge for benchmarking hashrate") ) func keyFromHex(value string) (ed25519.PrivateKey, error) { 
@@ -206,18 +208,30 @@ func main() { } var priv ed25519.PrivateKey - if *ed25519PrivateKeyHex == "" { - _, priv, err = ed25519.GenerateKey(rand.Reader) + if *ed25519PrivateKeyHex != "" && *ed25519PrivateKeyHexFile != "" { + log.Fatal("do not specify both ED25519_PRIVATE_KEY_HEX and ED25519_PRIVATE_KEY_HEX_FILE") + } else if *ed25519PrivateKeyHex != "" { + priv, err = keyFromHex(*ed25519PrivateKeyHex) if err != nil { - log.Fatalf("failed to generate ed25519 key: %v", err) + log.Fatalf("failed to parse and validate ED25519_PRIVATE_KEY_HEX: %v", err) + } + } else if *ed25519PrivateKeyHexFile != "" { + hex, err := os.ReadFile(*ed25519PrivateKeyHexFile) + if err != nil { + log.Fatalf("failed to read ED25519_PRIVATE_KEY_HEX_FILE %s: %v", *ed25519PrivateKeyHexFile, err) } - slog.Warn("generating random key, Anubis will have strange behavior when multiple instances are behind the same load balancer target, for more information: see https://anubis.techaro.lol/docs/admin/installation#key-generation") + priv, err = keyFromHex(string(bytes.TrimSpace(hex))) + if err != nil { + log.Fatalf("failed to parse and validate content of ED25519_PRIVATE_KEY_HEX_FILE: %v", err) + } } else { - priv, err = keyFromHex(*ed25519PrivateKeyHex) + _, priv, err = ed25519.GenerateKey(rand.Reader) if err != nil { - log.Fatalf("failed to parse and validate ED25519_PRIVATE_KEY_HEX: %v", err) + log.Fatalf("failed to generate ed25519 key: %v", err) } + + slog.Warn("generating random key, Anubis will have strange behavior when multiple instances are behind the same load balancer target, for more information: see https://anubis.techaro.lol/docs/admin/installation#key-generation") } s, err := libanubis.New(libanubis.Options{ diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 18513f5..026e0ba 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md 
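Review bot: The new `ED25519_PRIVATE_KEY_HEX_FILE` branch in main reads the signing key with `os.ReadFile` without looking at the file's mode, so a key file left readable by group or others loads silently. This key signs the JWTs Anubis issues, so a startup warning on loose permissions is cheap. The local `hex` would also shadow the `encoding/hex` package name if this file imports it (the import block is only partly visible), and `hex, err :=` declares a second `err` inside the branch; renaming the buffer avoids the first. The lines below warn rather than fail, since mounted secret files are often not 0600; main's body continues outside the hunk.

```go
	} else if *ed25519PrivateKeyHexFile != "" {
		// Warn when the signing-key file is readable by group or others.
		if fi, statErr := os.Stat(*ed25519PrivateKeyHexFile); statErr == nil && fi.Mode().Perm()&0o077 != 0 {
			slog.Warn("ED25519_PRIVATE_KEY_HEX_FILE is accessible by group or others", "mode", fi.Mode().Perm().String())
		}
		keyHex, err := os.ReadFile(*ed25519PrivateKeyHexFile)
		// … unchanged: read-error handling …
		priv, err = keyFromHex(string(bytes.TrimSpace(keyHex)))
		// … unchanged: parse-error handling …
```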
@@ -28,6 +28,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added a wait with button continue + 30 second auto continue after 30s if you click "Why am I seeing this?" - Fixed a typo in the challenge page title. - Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [#133](https://github.com/TecharoHQ/anubis/pull/133#issuecomment-2764732309)). +- Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`. ## v1.15.1 -- cgit v1.2.3 From 2b28439137f978b7f37aad118571e28de504b90b Mon Sep 17 00:00:00 2001 From: Talya Connor Date: Tue, 1 Apr 2025 13:35:51 +1100 Subject: docs: document ED25519_PRIVATE_KEY_HEX_FILE (#186) --- docs/docs/admin/installation.mdx | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/docs/docs/admin/installation.mdx b/docs/docs/admin/installation.mdx index ee17a89..b8bc904 100644 --- a/docs/docs/admin/installation.mdx +++ b/docs/docs/admin/installation.mdx 
@@ -41,21 +41,22 @@ Anubis has very minimal system requirements. I suspect that 128Mi of ram may be Anubis uses these environment variables for configuration: -| Environment Variable | Default value | Explanation | -| :------------------------ | :---------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `BIND` | `:8923` | The network address that Anubis listens on. For `unix`, set this to a path: `/run/anubis/instance.sock` | -| `BIND_NETWORK` | `tcp` | The address family that Anubis listens on. Accepts `tcp`, `unix` and anything Go's [`net.Listen`](https://pkg.go.dev/net#Listen) supports. | -| `COOKIE_DOMAIN` | unset | The domain the Anubis challenge pass cookie should be set to. This should be set to the domain you bought from your registrar (EG: `techaro.lol` if your webapp is running on `anubis.techaro.lol`). See [here](https://stackoverflow.com/a/1063760) for more information. | -| `COOKIE_PARTITIONED` | `false` | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe. | -| `DIFFICULTY` | `5` | The difficulty of the challenge, or the number of leading zeroes that must be in successful responses. | -| `ED25519_PRIVATE_KEY_HEX` | | The hex-encoded ed25519 private key used to sign Anubis responses. If this is not set, Anubis will generate one for you. This should be exactly 64 characters long. See below for details. | -| `METRICS_BIND` | `:9090` | The network address that Anubis serves Prometheus metrics on. See `BIND` for more information. | -| `METRICS_BIND_NETWORK` | `tcp` | The address family that the Anubis metrics server listens on. 
See `BIND_NETWORK` for more information. | -| `SOCKET_MODE` | `0770` | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets. | -| `POLICY_FNAME` | unset | The file containing [bot policy configuration](./policies.md). See the bot policy documentation for more details. If unset, the default bot policy configuration is used. | -| `SERVE_ROBOTS_TXT` | `false` | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file. | -| `TARGET` | `http://localhost:3923` | The URL of the service that Anubis should forward valid requests to. Supports Unix domain sockets, set this to a URI like so: `unix:///path/to/socket.sock`. | -| `USE_REMOTE_ADDRESS` | unset | If set to `true`, Anubis will take the client's IP from the network socket. For production deployments, it is expected that a reverse proxy is used in front of Anubis, which pass the IP using headers, instead. | +| Environment Variable | Default value | Explanation | +| :----------------------------- | :---------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `BIND` | `:8923` | The network address that Anubis listens on. For `unix`, set this to a path: `/run/anubis/instance.sock` | +| `BIND_NETWORK` | `tcp` | The address family that Anubis listens on. Accepts `tcp`, `unix` and anything Go's [`net.Listen`](https://pkg.go.dev/net#Listen) supports. | +| `COOKIE_DOMAIN` | unset | The domain the Anubis challenge pass cookie should be set to. 
This should be set to the domain you bought from your registrar (EG: `techaro.lol` if your webapp is running on `anubis.techaro.lol`). See [here](https://stackoverflow.com/a/1063760) for more information. | +| `COOKIE_PARTITIONED` | `false` | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe. | +| `DIFFICULTY` | `5` | The difficulty of the challenge, or the number of leading zeroes that must be in successful responses. | +| `ED25519_PRIVATE_KEY_HEX` | unset | The hex-encoded ed25519 private key used to sign Anubis responses. If this is not set, Anubis will generate one for you. This should be exactly 64 characters long. See below for details. | +| `ED25519_PRIVATE_KEY_HEX_FILE` | unset | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. | +| `METRICS_BIND` | `:9090` | The network address that Anubis serves Prometheus metrics on. See `BIND` for more information. | +| `METRICS_BIND_NETWORK` | `tcp` | The address family that the Anubis metrics server listens on. See `BIND_NETWORK` for more information. | +| `SOCKET_MODE` | `0770` | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets. | +| `POLICY_FNAME` | unset | The file containing [bot policy configuration](./policies.md). See the bot policy documentation for more details. If unset, the default bot policy configuration is used. | +| `SERVE_ROBOTS_TXT` | `false` | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file. 
| +| `TARGET` | `http://localhost:3923` | The URL of the service that Anubis should forward valid requests to. Supports Unix domain sockets, set this to a URI like so: `unix:///path/to/socket.sock`. | +| `USE_REMOTE_ADDRESS` | unset | If set to `true`, Anubis will take the client's IP from the network socket. For production deployments, it is expected that a reverse proxy is used in front of Anubis, which pass the IP using headers, instead. | ### Key generation -- cgit v1.2.3 From 661d72474b8b879c5eca86c16ca5b95eaa59c101 Mon Sep 17 00:00:00 2001 From: Patrick Linnane Date: Tue, 1 Apr 2025 10:14:02 -0700 Subject: various: fix minor typos (#187) Signed-off-by: Patrick Linnane --- docs/docs/CHANGELOG.md | 1 + internal/test/playwright_test.go | 10 +++++----- web/js/proof-of-work.mjs | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 026e0ba..b7e1336 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Fixed a typo in the challenge page title. - Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [#133](https://github.com/TecharoHQ/anubis/pull/133#issuecomment-2764732309)). - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`. +- Fixed minor typos ## v1.15.1 diff --git a/internal/test/playwright_test.go b/internal/test/playwright_test.go index 9cd9ffe..ae4022e 100644 --- a/internal/test/playwright_test.go +++ b/internal/test/playwright_test.go 
@@ -222,17 +222,17 @@ func TestPlaywrightBrowser(t *testing.T) { t.Skip("skipping hard challenge with deadline") } - var perfomedAction action + var performedAction action var err error for i := 0; i < 5; i++ { - perfomedAction, err = executeTestCase(t, tc, typ, anubisURL) - if perfomedAction == tc.action { + performedAction, err = executeTestCase(t, tc, typ, anubisURL) + if performedAction == tc.action { break } time.Sleep(time.Duration(i+1) * 250 * time.Millisecond) } - if perfomedAction != tc.action { - t.Errorf("unexpected test result, expected %s, got %s", tc.action, perfomedAction) + if performedAction != tc.action { + t.Errorf("unexpected test result, expected %s, got %s", tc.action, performedAction) } if err != nil { t.Fatalf("test error: %v", err) diff --git a/web/js/proof-of-work.mjs b/web/js/proof-of-work.mjs index a04f5ca..5ef3a8a 100644 --- a/web/js/proof-of-work.mjs +++ b/web/js/proof-of-work.mjs @@ -106,7 +106,7 @@ function processTask() { const oldNonce = nonce; nonce += threads; - // send a progess update every 1024 iterations. since each thread checks + // send a progress update every 1024 iterations. since each thread checks // separate values, one simple way to do this is by bit masking the // nonce for multiples of 1024. unfortunately, if the number of threads // is not prime, only some of the threads will be sending the status -- cgit v1.2.3 From 6af7c5891fd8b459f24577e4e85add05f966840e Mon Sep 17 00:00:00 2001 From: Patrick Linnane Date: Tue, 1 Apr 2025 14:56:27 -0700 Subject: ci: add `zizmor` (#188) Signed-off-by: Patrick Linnane --- .github/workflows/zizmor.yml | 35 +++++++++++++++++++++++++++++++++++ docs/docs/CHANGELOG.md | 1 + 2 files changed, 36 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..c2a03ab --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,35 @@ +name: zizmor + +on: + push: + paths: + - '.github/workflows/*.ya?ml' + pull_request: + paths: + - '.github/workflows/*.ya?ml' + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index b7e1336..e55eaea 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [#133](https://github.com/TecharoHQ/anubis/pull/133#issuecomment-2764732309)). - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`. - Fixed minor typos +- Added `zizmor` for GitHub Actions static analysis ## v1.15.1 -- cgit v1.2.3 From fc237a16900362eac5395a424d88fe6381b4affa Mon Sep 17 00:00:00 2001 From: Patrick Linnane Date: Tue, 1 Apr 2025 15:33:44 -0700 Subject: workflows: fix zizmor findings (part 1) (#190) Signed-off-by: Patrick Linnane --- .github/workflows/docker-pr.yml | 5 ++++- .github/workflows/docker.yml | 1 + .github/workflows/docs-deploy.yml | 2 ++ .github/workflows/go.yml | 2 ++ docs/docs/CHANGELOG.md | 1 + 5 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index b124f75..03539f7 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml 
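Review bot: The zizmor job runs code it does not pin: `uvx zizmor` installs whatever release is current on PyPI and runs it with `GH_TOKEN` in its environment, and the three `uses:` steps reference mutable tags (`@v4`, `@v5`, `@v3`). Pin the tool, e.g. `run: uvx zizmor@<pinned-version> --format sarif . > results.sarif`, and pin each action to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The same applies to `Homebrew/actions/setup-homebrew@master`, visible as context in the docker-pr.yml and docker.yml hunks of the later "fix zizmor findings" commit. Because `permissions:` lists only `security-events: write`, every other scope is set to none; that is likely fine for a public repository, but add `contents: read` if the checkout ever needs it.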
@@ -19,6 +19,7 @@ jobs: with: fetch-tags: true fetch-depth: 0 + persist-credentials: false - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master @@ -62,4 +63,6 @@ jobs: - run: | echo "Test this with:" - echo "docker pull ${{ steps.build.outputs.docker_image }}" \ No newline at end of file + echo "docker pull ${DOCKER_IMAGE}" + env: + DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index c3a532f..d094453 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -25,6 +25,7 @@ jobs: with: fetch-tags: true fetch-depth: 0 + persist-credentials: false - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 1636c48..652351f 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -17,6 +17,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 09b543a..3c333dd 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: build essential run: | diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index e55eaea..c40bc07 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -31,6 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`. - Fixed minor typos - Added `zizmor` for GitHub Actions static analysis +- Fixed most `zizmor` findings ## v1.15.1 -- cgit v1.2.3 From 01c2e458435427014556e91e2bece71056d96e12 Mon Sep 17 00:00:00 2001 
From: Patrick Linnane Date: Tue, 1 Apr 2025 21:09:46 -0700 Subject: dependabot: enable (#189) * dependabot: enable Signed-off-by: Patrick Linnane * dependabot: group updates Signed-off-by: Patrick Linnane --------- Signed-off-by: Patrick Linnane Signed-off-by: Xe Iaso Co-authored-by: Xe Iaso --- .github/dependabot.yml | 28 ++++++++++++++++++++++++++++ docs/docs/CHANGELOG.md | 1 + 2 files changed, 29 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..dbe7232 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,28 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + github-actions: + patterns: + - "*" + + - package-ecosystem: gomod + directory: / + schedule: + interval: weekly + groups: + gomod: + patterns: + - "*" + + - package-ecosystem: npm + directory: / + schedule: + interval: weekly + groups: + npm: + patterns: + - "*" diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index c40bc07..fabbff5 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -32,6 +32,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Fixed minor typos - Added `zizmor` for GitHub Actions static analysis - Fixed most `zizmor` findings +- Enabled Dependabot ## v1.15.1 -- cgit v1.2.3 From 455a9664b4e82aefb6ccdbc0cd05db2f30ef35af Mon Sep 17 00:00:00 2001 
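Review bot: Each group in dependabot.yml uses `patterns: ["*"]` with no `update-types`, so the single weekly pull request per ecosystem will bundle major version bumps with minor and patch ones. That makes a breaking or unexpected dependency change easy to miss in review. Adding `update-types: ["minor", "patch"]` under `github-actions:`, `gomod:` and `npm:` keeps the routine updates grouped and leaves major updates as individual pull requests. A short comment at the top of the file stating that intent would help whoever tunes the schedule later.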
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Apr 2025 00:15:07 -0400 Subject: build(deps-dev): bump postcss-cli from 11.0.0 to 11.0.1 in the npm group (#197) Bumps the npm group with 1 update: [postcss-cli](https://github.com/postcss/postcss-cli). Updates `postcss-cli` from 11.0.0 to 11.0.1 - [Release notes](https://github.com/postcss/postcss-cli/releases) - [Changelog](https://github.com/postcss/postcss-cli/blob/master/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss-cli/compare/11.0.0...11.0.1) --- updated-dependencies: - dependency-name: postcss-cli dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 298 +++++++++++------------------------------------------- package.json | 2 +- 2 files changed, 58 insertions(+), 242 deletions(-) diff --git a/package-lock.json b/package-lock.json index 0e60570..e94f885 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -1,73 +1,22 @@ { "name": "@xeserv/xess", - "version": "1.0.0", + "version": "1.0.0-see-VERSION-file", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@xeserv/xess", - "version": "1.0.0", + "version": "1.0.0-see-VERSION-file", "license": "ISC", "devDependencies": { "cssnano": "^7.0.6", "cssnano-preset-advanced": "^7.0.6", - "postcss-cli": "^11.0.0", + "postcss-cli": "^11.0.1", "postcss-import": "^16.1.0", "postcss-import-url": "^7.2.0", "postcss-url": "^10.1.3" } }, - "node_modules/@nodelib/fs.scandir": { - "version": "2.1.5", - "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", - "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==", - "dev": true, - "license": "MIT", - "dependencies": { - "@nodelib/fs.stat": "2.0.5", - "run-parallel": "^1.1.9" - }, - "engines": { - "node": ">= 8" - } - }, - "node_modules/@nodelib/fs.stat": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz", - "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 8" - } - }, - "node_modules/@nodelib/fs.walk": { - "version": "1.2.8", - "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz", - "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==", - "dev": true, - "license": "MIT", - "dependencies": { - "@nodelib/fs.scandir": "2.1.5", - "fastq": "^1.6.0" - }, - "engines": { - "node": ">= 8" - } - }, - "node_modules/@sindresorhus/merge-streams": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-2.3.0.tgz", - "integrity": "sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==", - "dev": true, - "license": "MIT", - "engines": { - "node": 
">=18" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/@trysound/sax": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/@trysound/sax/-/sax-0.2.0.tgz", @@ -573,13 +522,13 @@ "license": "MIT" }, "node_modules/dependency-graph": { - "version": "0.11.0", - "resolved": "https://registry.npmjs.org/dependency-graph/-/dependency-graph-0.11.0.tgz", - "integrity": "sha512-JeMq7fEshyepOWDfcfHK06N3MhyPhz++vtqWhMT5O9A3K42rdsEDpfdVqjaqaAhsw6a+ZqeDvQVtD0hFHQWrzg==", + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/dependency-graph/-/dependency-graph-1.0.0.tgz", + "integrity": "sha512-cW3gggJ28HZ/LExwxP2B++aiKxhJXMSIt9K48FOXQkm+vuG5gyatXnLsONRJdzO/7VfjDIiaOOa/bs4l464Lwg==", "dev": true, "license": "MIT", "engines": { - "node": ">= 0.6.0" + "node": ">=4" } }, "node_modules/dom-serializer": { @@ -678,33 +627,6 @@ "node": ">=6" } }, - "node_modules/fast-glob": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", - "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", - "dev": true, - "license": "MIT", - "dependencies": { - "@nodelib/fs.stat": "^2.0.2", - "@nodelib/fs.walk": "^1.2.3", - "glob-parent": "^5.1.2", - "merge2": "^1.3.0", - "micromatch": "^4.0.8" - }, - "engines": { - "node": ">=8.6.0" - } - }, - "node_modules/fastq": { - "version": "1.18.0", - "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.18.0.tgz", - "integrity": "sha512-QKHXPW0hD8g4UET03SdOdunzSouc9N4AuHdsX8XNcTsuz+yYFILVNIX4l9yHABMhiEI9Db0JTTIpu0wB+Y1QQw==", - "dev": true, - "license": "ISC", - "dependencies": { - "reusify": "^1.0.4" - } - }, "node_modules/fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", 
@@ -782,19 +704,6 @@ "node": "6.* || 8.* || >= 10.*" } }, - "node_modules/get-stdin": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz", - "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/glob-parent": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", @@ -808,27 +717,6 @@ "node": ">= 6" } }, - "node_modules/globby": { - "version": "14.0.2", - "resolved": "https://registry.npmjs.org/globby/-/globby-14.0.2.tgz", - "integrity": "sha512-s3Fq41ZVh7vbbe2PN3nrW7yC7U7MFVc5c98/iTl9c2GawNMKx/J648KQRW6WKkuU8GIbbh2IXfIRQjOZnXcTnw==", - "dev": true, - "license": "MIT", - "dependencies": { - "@sindresorhus/merge-streams": "^2.1.0", - "fast-glob": "^3.3.2", - "ignore": "^5.2.4", - "path-type": "^5.0.0", - "slash": "^5.1.0", - "unicorn-magic": "^0.1.0" - }, - "engines": { - "node": ">=18" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/graceful-fs": { "version": "4.2.11", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", @@ -856,16 +744,6 @@ "dev": true, "license": "ISC" }, - "node_modules/ignore": { - "version": "5.3.2", - "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz", - "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 4" - } - }, "node_modules/is-binary-path": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", 
@@ -1022,30 +900,6 @@ "dev": true, "license": "CC0-1.0" }, - "node_modules/merge2": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", - "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 8" - } - }, - "node_modules/micromatch": { - "version": "4.0.8", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", - "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", - "dev": true, - "license": "MIT", - "dependencies": { - "braces": "^3.0.3", - "picomatch": "^2.3.1" - }, - "engines": { - "node": ">=8.6" - } - }, "node_modules/mime": { "version": "2.5.2", "resolved": "https://registry.npmjs.org/mime/-/mime-2.5.2.tgz", @@ -1139,19 +993,6 @@ "dev": true, "license": "MIT" }, - "node_modules/path-type": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/path-type/-/path-type-5.0.0.tgz", - "integrity": "sha512-5HviZNaZcfqP95rwpv+1HDgUamezbqdSYTyzjTvwtJSnIH+3vnbmWsItli8OFEndS984VT55M3jduxZbX351gg==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/picocolors": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", 
@@ -1230,23 +1071,22 @@ } }, "node_modules/postcss-cli": { - "version": "11.0.0", - "resolved": "https://registry.npmjs.org/postcss-cli/-/postcss-cli-11.0.0.tgz", - "integrity": "sha512-xMITAI7M0u1yolVcXJ9XTZiO9aO49mcoKQy6pCDFdMh9kGqhzLVpWxeD/32M/QBmkhcGypZFFOLNLmIW4Pg4RA==", + "version": "11.0.1", + "resolved": "https://registry.npmjs.org/postcss-cli/-/postcss-cli-11.0.1.tgz", + "integrity": "sha512-0UnkNPSayHKRe/tc2YGW6XnSqqOA9eqpiRMgRlV1S6HdGi16vwJBx7lviARzbV1HpQHqLLRH3o8vTcB0cLc+5g==", "dev": true, "license": "MIT", "dependencies": { "chokidar": "^3.3.0", - "dependency-graph": "^0.11.0", + "dependency-graph": "^1.0.0", "fs-extra": "^11.0.0", - "get-stdin": "^9.0.0", - "globby": "^14.0.0", "picocolors": "^1.0.0", "postcss-load-config": "^5.0.0", "postcss-reporter": "^7.0.0", "pretty-hrtime": "^1.0.3", "read-cache": "^1.0.0", "slash": "^5.0.0", + "tinyglobby": "^0.2.12", "yargs": "^17.0.0" }, "bin": { @@ -1984,27 +1824,6 @@ "node": ">=0.4.x" } }, - "node_modules/queue-microtask": { - "version": "1.2.3", - "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", - "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ], - "license": "MIT" - }, "node_modules/read-cache": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz", 
@@ -2069,41 +1888,6 @@ "url": "0.10.x" } }, - "node_modules/reusify": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz", - "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==", - "dev": true, - "license": "MIT", - "engines": { - "iojs": ">=1.0.0", - "node": ">=0.10.0" - } - }, - "node_modules/run-parallel": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", - "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ], - "license": "MIT", - "dependencies": { - "queue-microtask": "^1.2.2" - } - }, "node_modules/semver": { "version": "6.3.1", "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", 
@@ -2242,30 +2026,62 @@ "dev": true, "license": "Apache-2.0" }, - "node_modules/to-regex-range": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", - "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "node_modules/tinyglobby": { + "version": "0.2.12", + "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.12.tgz", + "integrity": "sha512-qkf4trmKSIiMTs/E63cxH+ojC2unam7rJ0WrauAzpT3ECNTxGRMlaXxVbfxMUC/w0LaYk6jQ4y/nGR9uBO3tww==", "dev": true, "license": "MIT", "dependencies": { - "is-number": "^7.0.0" + "fdir": "^6.4.3", + "picomatch": "^4.0.2" }, "engines": { - "node": ">=8.0" + "node": ">=12.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/SuperchupuDev" } }, - "node_modules/unicorn-magic": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.1.0.tgz", - "integrity": "sha512-lRfVq8fE8gz6QMBuDM6a+LO3IAzTi05H6gCVaUpir2E1Rwpo4ZUog45KpNXKC/Mn3Yb9UDuHumeFTo9iV/D9FQ==", + "node_modules/tinyglobby/node_modules/fdir": { + "version": "6.4.3", + "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.3.tgz", + "integrity": "sha512-PMXmW2y1hDDfTSRc9gaXIuCCRpuoz3Kaz8cUelp3smouvfT632ozg2vrT6lJsHKKOF59YLbOGfAWGUcKEfRMQw==", + "dev": true, + "license": "MIT", + "peerDependencies": { + "picomatch": "^3 || ^4" + }, + "peerDependenciesMeta": { + "picomatch": { + "optional": true + } + } + }, + "node_modules/tinyglobby/node_modules/picomatch": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz", + "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==", "dev": true, "license": "MIT", "engines": { - "node": ">=18" + "node": ">=12" }, "funding": { - "url": "https://github.com/sponsors/sindresorhus" + "url": "https://github.com/sponsors/jonschlinkert" + } + }, + "node_modules/to-regex-range": { 
+ "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-number": "^7.0.0" + }, + "engines": { + "node": ">=8.0" } }, "node_modules/universalify": { @@ -2408,4 +2224,4 @@ } } } -} \ No newline at end of file +} diff --git a/package.json b/package.json index e13b3b3..bf1fd6e 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "devDependencies": { "cssnano": "^7.0.6", "cssnano-preset-advanced": "^7.0.6", - "postcss-cli": "^11.0.0", + "postcss-cli": "^11.0.1", "postcss-import": "^16.1.0", "postcss-import-url": "^7.2.0", "postcss-url": "^10.1.3" -- cgit v1.2.3 From 515453c607f09fe0bd1be10b38a1a0e9fef7d75f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Apr 2025 00:15:49 -0400 Subject: build(deps): bump actions/cache from 3 to 4 in the github-actions group (#198) Bumps the github-actions group with 1 update: [actions/cache](https://github.com/actions/cache). Updates `actions/cache` from 3 to 4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 3c333dd..0be7b37 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml 
@@ -59,7 +59,7 @@ jobs: ${{ runner.os }}-golang- - name: Cache playwright binaries - uses: actions/cache@v3 + uses: actions/cache@v4 id: playwright-cache with: path: | -- cgit v1.2.3 From 573dfd099fa53c0cdbc3256cf15ea36af5bb9cb0 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Wed, 2 Apr 2025 00:44:51 -0400 Subject: README: add repology status image Signed-off-by: Xe Iaso --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 5762dcf..3438948 100644 --- a/README.md +++ b/README.md @@ -29,3 +29,7 @@ For live chat, please join the [Patreon](https://patreon.com/cadey) and ask in t ## Star History [![Star History Chart](https://api.star-history.com/svg?repos=TecharoHQ/anubis&type=Date)](https://www.star-history.com/#TecharoHQ/anubis&Date) + +## Packaging Status + +[![Packaging status](https://repology.org/badge/vertical-allrepos/anubis-anti-crawler.svg)](https://repology.org/project/anubis-anti-crawler/versions) -- cgit v1.2.3 From 266d8c0cc25f9d93ea7da87eb199bc87e41c653e Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Wed, 2 Apr 2025 19:57:28 -0400 Subject: add a Makefile (#191) * add a Makefile Based on advice from IRC, a makefile helps downstream packagers understand how to build the software. Signed-off-by: Xe Iaso * Apply review suggestions Signed-off-by: Xe Iaso --------- Signed-off-by: Xe Iaso --- Makefile | 25 +++++++++++++++++++++++++ docs/docs/CHANGELOG.md | 1 + docs/docs/developer/building-anubis.md | 11 +++++++---- package.json | 1 + 4 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..380d9f1 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,25 @@ +NODE_MODULES = node_modules + +.PHONY: build assets deps lint test + +$(NODE_MODULES): + npm run assets + +assets: $(NODE_MODULES) + +deps: assets + npm ci + go mod download + +build: deps + npm run build + @echo "Anubis is now built to ./var/anubis" + +all: build + +lint: + go vet ./... + staticcheck ./... + +test: + npm run test \ No newline at end of file diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index fabbff5..11c85ca 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [#133](https://github.com/TecharoHQ/anubis/pull/133#issuecomment-2764732309)). - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`. - Fixed minor typos +- Added a Makefile to enable comfortable workflows for downstream packagers. - Added `zizmor` for GitHub Actions static analysis - Fixed most `zizmor` findings - Enabled Dependabot diff --git a/docs/docs/developer/building-anubis.md b/docs/docs/developer/building-anubis.md index a55b8e7..69b2404 100644 --- a/docs/docs/developer/building-anubis.md +++ b/docs/docs/developer/building-anubis.md 
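Review bot: The `$(NODE_MODULES)` rule in the new Makefile runs `npm run assets`, and `deps` depends on `assets` before it runs `npm ci`, so on a clean checkout the asset build runs before the lockfile-pinned install has populated `node_modules`. The asset scripts presumably need the postcss devDependencies, so this either fails or builds against whatever happens to be installed rather than what `package-lock.json` pins. The directory rule should do the install and the other targets should depend on it, as sketched below. Since `$(NODE_MODULES)` is the first rule it is also what a bare `make` runs; moving `all: build` to the top and adding `all` to `.PHONY` would make the default goal explicit.

```makefile
$(NODE_MODULES):
	npm ci

assets: $(NODE_MODULES)
	npm run assets

deps: $(NODE_MODULES)
	go mod download

# … unchanged: build, all, lint, test …
```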
@@ -22,20 +22,23 @@ In order to build a production-ready binary of Anubis, you need the following pa ## Install dependencies ```text -go mod download -npm ci +make deps ``` +This will download Go and NPM dependencies. + ## Building static assets ```text -npm run assets +make assets ``` +This will build all static assets (CSS, JavaScript) for distribution. + ## Building Anubis to the `./var` folder ```text -go build -o ./var/anubis ./cmd/anubis +make build ``` From this point it is up to you to make sure that `./var/anubis` ends up in the right place. You may want to consult the `./run` folder for useful files such as a systemd unit and `anubis.env.default` file. diff --git a/package.json b/package.json index bf1fd6e..844c92d 100644 --- a/package.json +++ b/package.json @@ -7,6 +7,7 @@ "test": "npm run assets && go test ./...", "test:integration": "npm run assets && go test -v ./internal/test", "assets": "go generate ./... && ./web/build.sh && ./xess/build.sh", + "build": "npm run assets && go build -o ./var/anubis ../cmd/anubis", "dev": "npm run assets && go run ./cmd/anubis --use-remote-address", "container": "npm run assets && go run ./cmd/containerbuild" }, -- cgit v1.2.3
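Review bot: The added `build` script in package.json passes `../cmd/anubis` to `go build`, while the neighbouring `dev` script and the command this commit removes from building-anubis.md both use `./cmd/anubis`. npm runs scripts from the package root, so the `../` path most likely resolves outside the checkout. In that case `make build` would fail, or would compile whatever sits at that path instead of the reviewed sources. Suggested line: `"build": "npm run assets && go build -o ./var/anubis ./cmd/anubis",`. The `scripts` object begins outside this hunk.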