Sanitize DB path traversal (#1179) #1455
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tests master | |
| on: | |
| # This avoids having duplicate builds for a pull request | |
| push: | |
| branches: | |
| - master | |
| - "*-maintenance" | |
| tags: | |
| - "v*" | |
| pull_request: | |
| branches: | |
| - master | |
| - "*-maintenance" | |
| jobs: | |
| ############################################################################ | |
| # Lint jobs | |
| ############################################################################ | |
| lint: | |
| name: lint | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "lts/*" | |
| cache: "npm" | |
| cache-dependency-path: "**/package-lock.json" | |
| - name: Install node dependencies | |
| run: make frontend/node_modules | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.9" | |
| cache: "pip" | |
| cache-dependency-path: "**/pyproject.toml" | |
| - uses: actions/cache@v3 | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} | |
| - name: Install python dependencies | |
| id: pip | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install tox pre-commit | |
| python -m pip freeze --local | |
| - name: Run pylint | |
| run: tox -e lint | |
| - name: Run pre-commit | |
| # run pre-commit check even if pylint check fails | |
| if: steps.pip.outcome == 'success' | |
| run: pre-commit run --show-diff-on-failure --color=always --all-files | |
| ############################################################################ | |
| # Node tests | |
| ############################################################################ | |
| node-tests: | |
| name: ${{ matrix.os}} node-${{ matrix.node }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: ["lts/*"] | |
| os: ["ubuntu-latest", "macos-latest", "windows-latest"] | |
| include: | |
| - node: "current" | |
| os: "ubuntu-latest" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| cache: "npm" | |
| cache-dependency-path: "**/package-lock.json" | |
| - name: Build frontend | |
| run: make | |
| - name: Typecheck and run frontend tests | |
| run: make test-js | |
| ############################################################################ | |
| # Python tests | |
| ############################################################################ | |
| python-tests: | |
| name: ${{ matrix.os }} py${{ matrix.python }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: ["ubuntu-latest", "macos-latest", "windows-latest"] | |
| python: ["3.8", "3.9", "3.10", "3.11", "3.12"] | |
| exclude: | |
| - os: "macos-latest" | |
| python: "3.9" | |
| - os: "macos-latest" | |
| python: "3.10" | |
| - os: "macos-latest" | |
| python: "3.11" | |
| - os: "windows-latest" | |
| python: "3.9" | |
| - os: "windows-latest" | |
| python: "3.10" | |
| - os: "windows-latest" | |
| python: "3.11" | |
| include: | |
| - python: "3.12" | |
| install-ffmpeg: true | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python }} | |
| cache: "pip" | |
| cache-dependency-path: "**/pyproject.toml" | |
| - name: Install Linux system dependencies | |
| if: runner.os == 'Linux' && matrix.install-ffmpeg | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get -y install ffmpeg | |
| - name: Install macOS system dependencies | |
| if: runner.os == 'macOS' && matrix.install-ffmpeg | |
| run: brew install ffmpeg | |
| - name: Install Windows system dependencies | |
| if: runner.os == 'Windows' && matrix.install-ffmpeg | |
| run: choco install --no-progress --timeout 600 ffmpeg | |
| continue-on-error: true | |
| - name: Workaround for UnicodeDecodeError from tox on Windows | |
| # Refs: | |
| # https://github.com/lektor/lektor/pull/933#issuecomment-923107580 | |
| # https://github.com/tox-dev/tox/issues/1550 | |
| if: runner.os == 'Windows' | |
| run: Out-File $env:GITHUB_ENV utf8 -Append -InputObject 'PYTHONIOENCODING=utf-8' | |
| - name: Install python dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install tox tox-gh-actions coverage[toml] | |
| - name: Run python tests | |
| run: tox | |
| - name: Publish coverage data to codecov | |
| uses: codecov/codecov-action@v3 | |
| ############################################################################ | |
| # Package and (Possibly) Publish to PyPI | |
| ############################################################################ | |
| deploy: | |
| needs: ["lint", "node-tests", "python-tests"] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@v4 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "lts/*" | |
| - name: Install dependencies | |
| run: python -m pip install build | |
| - name: Build release artifacts | |
| env: | |
| HATCH_BUILD_CLEAN: "true" | |
| run: python -m build | |
| - name: Save release artifacts (for inspection) | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: dist | |
| path: dist/* | |
| - name: Publish release | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| password: ${{ secrets.PYPI_PASSWORD }} |