admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-16 17:46:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Secure input handling in release workflow (no-changelog) (#15037)

Browse Source
This commit is contained in:
shortstacked
2025-05-02 11:05:45 +01:00
committed by GitHub
parent f8ead7d3eb
commit 88afd66471
2 changed files with 52 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
.github/workflows/release-push-to-channel.yml vendored
View File

@@ -4,8 +4,9 @@ on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
version: version:
description: 'n8n Release version to push to a channel' description: 'n8n Release version to push to a channel (e.g., 1.2.3 or 1.2.3-beta.4)'
required: true required: true
type: string
release-channel: release-channel:
description: 'Release channel' description: 'Release channel'
@@ -17,9 +18,31 @@ on:
- stable - stable
jobs: jobs:
validate-inputs:
name: Validate Inputs
runs-on: ubuntu-latest
outputs:
version: ${{ steps.check_version.outputs.version }}
release_channel: ${{ github.event.inputs.release-channel }}
steps:
- name: Check Version Format
id: check_version
run: |
input_version="${{ github.event.inputs.version }}"
version_regex='^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$'
if [[ "$input_version" =~ $version_regex ]]; then
echo "Version format is valid: $input_version"
echo "version=$input_version" >> $GITHUB_OUTPUT
else
echo "::error::Invalid version format provided: '$input_version'. Must match regex '$version_regex'."
exit 1
fi
release-to-npm: release-to-npm:
name: Release to NPM name: Release to NPM
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: validate-inputs
timeout-minutes: 5 timeout-minutes: 5
steps: steps:
- uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
@@ -28,19 +51,22 @@ jobs:
- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
- if: github.event.inputs.release-channel == 'beta' - name: Add beta/next tags to NPM
if: needs.validate-inputs.outputs.release_channel == 'beta'
run: | run: |
npm dist-tag add n8n@${{ github.event.inputs.version }} next npm dist-tag add "n8n@${{ needs.validate-inputs.outputs.version }}" next
npm dist-tag add n8n@${{ github.event.inputs.version }} beta npm dist-tag add "n8n@${{ needs.validate-inputs.outputs.version }}" beta
- if: github.event.inputs.release-channel == 'stable' - name: Add latest/stable tags to NPM
if: needs.validate-inputs.outputs.release_channel == 'stable'
run: | run: |
npm dist-tag add n8n@${{ github.event.inputs.version }} latest npm dist-tag add "n8n@${{ needs.validate-inputs.outputs.version }}" latest
npm dist-tag add n8n@${{ github.event.inputs.version }} stable npm dist-tag add "n8n@${{ needs.validate-inputs.outputs.version }}" stable
release-to-docker-hub: release-to-docker-hub:
name: Release to DockerHub name: Release to DockerHub
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: validate-inputs
timeout-minutes: 5 timeout-minutes: 5
steps: steps:
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -48,19 +74,22 @@ jobs:
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} password: ${{ secrets.DOCKER_PASSWORD }}
- if: github.event.inputs.release-channel == 'stable' - name: Tag stable/latest Docker image
if: needs.validate-inputs.outputs.release_channel == 'stable'
run: | run: |
docker buildx imagetools create -t ${{ secrets.DOCKER_USERNAME }}/n8n:stable ${{ secrets.DOCKER_USERNAME }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "${{ secrets.DOCKER_USERNAME }}/n8n:stable" "${{ secrets.DOCKER_USERNAME }}/n8n:${{ needs.validate-inputs.outputs.version }}"
docker buildx imagetools create -t ${{ secrets.DOCKER_USERNAME }}/n8n:latest ${{ secrets.DOCKER_USERNAME }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "${{ secrets.DOCKER_USERNAME }}/n8n:latest" "${{ secrets.DOCKER_USERNAME }}/n8n:${{ needs.validate-inputs.outputs.version }}"
- if: github.event.inputs.release-channel == 'beta' - name: Tag beta/next Docker image
if: needs.validate-inputs.outputs.release_channel == 'beta'
run: | run: |
docker buildx imagetools create -t ${{ secrets.DOCKER_USERNAME }}/n8n:beta ${{ secrets.DOCKER_USERNAME }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "${{ secrets.DOCKER_USERNAME }}/n8n:beta" "${{ secrets.DOCKER_USERNAME }}/n8n:${{ needs.validate-inputs.outputs.version }}"
docker buildx imagetools create -t ${{ secrets.DOCKER_USERNAME }}/n8n:next ${{ secrets.DOCKER_USERNAME }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "${{ secrets.DOCKER_USERNAME }}/n8n:next" "${{ secrets.DOCKER_USERNAME }}/n8n:${{ needs.validate-inputs.outputs.version }}"
release-to-github-container-registry: release-to-github-container-registry:
name: Release to GitHub Container Registry name: Release to GitHub Container Registry
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: validate-inputs
timeout-minutes: 5 timeout-minutes: 5
steps: steps:
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -69,20 +98,22 @@ jobs:
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- if: github.event.inputs.release-channel == 'stable' - name: Tag stable/latest GHCR image
if: needs.validate-inputs.outputs.release_channel == 'stable'
run: | run: |
docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/n8n:stable ghcr.io/${{ github.repository_owner }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "ghcr.io/${{ github.repository_owner }}/n8n:stable" "ghcr.io/${{ github.repository_owner }}/n8n:${{ needs.validate-inputs.outputs.version }}"
docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/n8n:latest ghcr.io/${{ github.repository_owner }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "ghcr.io/${{ github.repository_owner }}/n8n:latest" "ghcr.io/${{ github.repository_owner }}/n8n:${{ needs.validate-inputs.outputs.version }}"
- if: github.event.inputs.release-channel == 'beta' - name: Tag beta/next GHCR image
if: needs.validate-inputs.outputs.release_channel == 'beta'
run: | run: |
docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/n8n:beta ghcr.io/${{ github.repository_owner }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "ghcr.io/${{ github.repository_owner }}/n8n:beta" "ghcr.io/${{ github.repository_owner }}/n8n:${{ needs.validate-inputs.outputs.version }}"
docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/n8n:next ghcr.io/${{ github.repository_owner }}/n8n:${{ github.event.inputs.version }} docker buildx imagetools create -t "ghcr.io/${{ github.repository_owner }}/n8n:next" "ghcr.io/${{ github.repository_owner }}/n8n:${{ needs.validate-inputs.outputs.version }}"
update-docs: update-docs:
name: Update latest and next in the docs name: Update latest and next in the docs
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [release-to-npm, release-to-docker-hub] needs: [validate-inputs, release-to-npm, release-to-docker-hub]
steps: steps:
- continue-on-error: true - continue-on-error: true
run: curl -u docsWorkflows:${{ secrets.N8N_WEBHOOK_DOCS_PASSWORD }} --request GET 'https://internal.users.n8n.cloud/webhook/update-latest-next' run: curl -u docsWorkflows:${{ secrets.N8N_WEBHOOK_DOCS_PASSWORD }} --request GET 'https://internal.users.n8n.cloud/webhook/update-latest-next'

45
.github/workflows/units-tests-dispatch.yml vendored
View File

@@ -1,45 +0,0 @@
name: Runs unit tests for a given ref
on:
workflow_dispatch:
inputs:
ref:
description: 'GitHub ref to test.'
required: false
default: 'master'
type: string
prNumber:
description: 'PR number to run tests for.'
required: false
type: number
skipFrontendTests:
description: 'Skip Frontend tests'
required: false
default: false
type: boolean
jobs:
prepare:
name: Prepare
runs-on: ubuntu-latest
outputs:
branch: ${{ steps.compute-branch.outputs.branch }}
steps:
- name: Compute branch
id: compute-branch
run: |
BRANCH_NAME=""
if [[ "${{ inputs.prNumber }}" != "" && "${{ inputs.prNumber }}" != "null" ]]; then
BRANCH_NAME="refs/pull/${{ inputs.prNumber }}/merge"
else
BRANCH_NAME="${{ inputs.ref }}"
fi
echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
unit-test:
name: Unit tests
needs: prepare
uses: ./.github/workflows/units-tests-reusable.yml
with:
ref: ${{ needs.prepare.outputs.branch }}
skipFrontendTests: ${{ inputs.skipFrontendTests }}