zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-22 16:11:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
2,093 Commits 55 Branches 15 Tags
1c3280dc0d46e617f9f6173f75b57aee5be9b983
Commit Graph

28 Commits

Author SHA1 Message Date
@aaronjmars 1c3280dc0d fix(security): add host/origin allowlist + validate git refs + quote workflow input (#2185) 
Three defense-in-depth fixes around untrusted input flowing to subprocess execution:

1. **Control-pane HTTP server (scripts/lib/control-pane/server.js)**
   The local control-pane API binds to 127.0.0.1 but had no Host or Origin
   validation, so a DNS-rebinding attack from a malicious website could pivot
   into the loopback endpoints — including POST /api/actions/:id, which spawns
   'cargo run -- graph ...' with caller-supplied query strings. Add a hostname
   allowlist (loopback variants plus the explicitly configured --host) and
   reject mismatched Host (421) or non-loopback Origin (403) before any route
   handler runs.

2. **OpenCode git-summary tool (.opencode/tools/git-summary.ts)**
   The tool was building 'git diff ${baseBranch}...HEAD --stat' with execSync
   and a raw model-supplied baseBranch string. Switch run() to execFileSync
   with an args array (no shell), validate baseBranch against a conservative
   git-ref allowlist (rejects shell metacharacters, leading -, embedded ..),
   and clamp the depth arg to a small positive integer before interpolating
   into 'git log --oneline -<N>'.

3. **Reusable test workflow (.github/workflows/reusable-test.yml)**
   The 'Install dependencies' step interpolated ${{ inputs.package-manager }}
   directly into a bash 'case' and into an echo, so a downstream caller that
   forwarded attacker-controllable input could inject into the runner. Move
   the input into a PACKAGE_MANAGER env var and reference $PACKAGE_MANAGER
   inside the script per the GitHub script-injection guidance.

Detected by Aeon + semgrep p/security-audit (host check via threat-model
manual-review axis; git-summary via detect-child-process; workflow via
run-shell-injection).

Verification: node tests/run-all.js — 2686/2687 pre-existing tests pass; the
one failure (observe.sh legacy output fallback) reproduces on main without
this branch applied. Added 2 new control-pane tests covering the allowlist
classifier and the DNS-rebinding-gate behavior end-to-end.

---
Filed by [Aeon](https://github.com/aaronjmars/aeon-aaron).

Co-authored-by: aeonframework <aeon@aaronjmars.com>
 2026-06-15 13:49:40 -04:00
dependabot[bot] d71ffd56b9 chore(deps): bump actions/setup-node (#2204) 
Bumps the actions-minor-and-patch group with 1 update in the / directory: [actions/setup-node](https://github.com/actions/setup-node).


Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/53b83947a5a98c8d113130e565377fae1a50d02f...48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-10 23:39:00 -04:00
ECC Test 3e30f1a56a ci: harden workflows and sponsor code review config 2026-06-09 21:20:17 -04:00
dependabot[bot] 09e2bc58d3 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#2183) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-07 13:25:31 +08:00
dependabot[bot] cde0b12180 chore(deps): bump pnpm/action-setup from 6.0.6 to 6.0.8 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 6.0.6 to 6.0.8.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/91ab88e2619ed1f46221f0ba42d1492c02baf788...0e279bb959325dab635dd2c09392533439d90093)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-05-17 01:33:19 -04:00
Affaan Mustafa f7035b5644 Harden CI installs against supply-chain lifecycle hooks 2026-05-15 17:29:03 -04:00
Affaan Mustafa c2c54e7c0b ci: restore dependency caches without saving (#1934) 2026-05-15 13:51:51 -04:00
Affaan Mustafa 6fbf58d590 ci: keep package manager cache failures non-blocking 2026-05-12 18:03:30 -04:00
dependabot[bot] c013479019 build(deps): bump pnpm/action-setup from 6.0.0 to 6.0.6 (#1708) 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 6.0.0 to 6.0.6.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/08c4be7e2e672a47d11bd04269e27e5f3e8529cb...91ab88e2619ed1f46221f0ba42d1492c02baf788)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-11 01:12:31 -04:00
dependabot[bot] 01b171947c chore(deps): bump actions/cache from 5.0.4 to 5.0.5 (#1497) 
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-11 01:11:50 -04:00
Affaan Mustafa 6b7bd7156c fix: relax pnpm strict build checks in CI 2026-04-15 16:44:58 -07:00
Affaan Mustafa 85e331e49a Merge pull request #1369 from affaan-m/dependabot/github_actions/pnpm/action-setup-6.0.0 
build(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0
 2026-04-13 01:05:16 -07:00
Affaan Mustafa 1a950e4f83 fix: allow pnpm cache probe under node 18 2026-04-13 00:21:42 -07:00
Affaan Mustafa ef7613c526 fix: use corepack pnpm on node 18 2026-04-13 00:17:17 -07:00
Affaan Mustafa bd207aabe1 fix: use pnpm 9 for node 18 workflow jobs 2026-04-13 00:13:54 -07:00
Affaan Mustafa 6eadf786f5 fix: pin pnpm version for setup action v6 2026-04-13 00:10:39 -07:00
Affaan Mustafa adb46a95a6 chore: update pnpm action version comments 2026-04-12 23:53:57 -07:00
dependabot[bot] 4b92288a27 build(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/fc06bc1257f339d1d5d8b3a19a8cae5388b55320...08c4be7e2e672a47d11bd04269e27e5f3e8529cb)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-12 04:52:33 +00:00
dependabot[bot] 45faeb90a7 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-12 04:52:29 +00:00
dependabot[bot] 87363f0e59 chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#1060) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/34e114876b0b11c390a56381ad16ebd13914f8d5...de0fac2e4500dabe0009e67214ff5f5447ce83dd)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Affaan Mustafa <me@affaanmustafa.com>
 2026-03-31 14:07:40 -07:00
dependabot[bot] a1cebd29f7 chore(deps): bump actions/upload-artifact from 4.6.2 to 7.0.0 (#1061) 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-31 14:06:07 -07:00
dependabot[bot] 09398b42c2 chore(deps): bump actions/setup-node from 4.4.0 to 6.3.0 (#1058) 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/49933ea5288caeca8642d1e84afbd3f7d6820020...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-31 14:06:02 -07:00
dependabot[bot] d1e2209a52 chore(deps): bump actions/cache from 4.3.0 to 5.0.4 (#1057) 
Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/0057852bfaa89a56745cba8c7296529d2fc39830...668228422ae6a00e4ad889ee87cd7109ec5666a7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-31 14:04:33 -07:00
Andriy Kalashnykov 46f37ae4fb chore: pin actions to commit SHAs and add Skills section to CLAUDE.md 
Pin all GitHub Actions to commit SHAs instead of mutable version tags
across ci.yml, release.yml, maintenance.yml, and all reusable workflows.
This prevents supply-chain attacks via tag hijacking.

Add the required Skills section to CLAUDE.md mapping project files
(README.md, .github/workflows/*.yml) to their respective review skills.
 2026-03-29 17:16:56 -04:00
dagecko 28a1fbc3f2 fix: pin 6 actions to commit SHA, extract 1 expression to env var 2026-03-28 15:57:55 -04:00
to.watanabe d8e3b9d593 fix(ci): remove --ignore-engines for Yarn Berry (v4+) 
Yarn Berry removed the --ignore-engines flag; engine checking is no
longer a core feature. The deprecated flag causes yarn install to exit
with error code 1.
 2026-03-28 12:27:04 +09:00
to.watanabe 7148d9006f fix(ci): enable Corepack for yarn and relax pnpm strict mode 
All 18 pnpm/yarn CI jobs fail on main because:
1. pnpm v9+ refuses to install when package.json declares
   "packageManager": "yarn@4.9.2" — fixed by setting
   COREPACK_ENABLE_STRICT=0 and --no-frozen-lockfile
2. CI runners only have Yarn Classic (v1.x) but the project
   uses Yarn Berry (v4.x) — fixed by activating Corepack
   before the cache/install steps
 2026-03-28 12:27:04 +09:00
Roei Bar Aviv 7c0bc25982 feat: add comprehensive CI/CD pipeline 
Adds GitHub Actions workflows for CI, maintenance, and releases with multi-platform testing matrix.
 2026-01-28 23:05:43 -08:00