elias/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-16 16:36:53 +08:00
Code Issues Packages Projects Releases Wiki Activity
2,093 Commits 42 Branches 15 Tags
Commit Graph

28 Commits

Author SHA1 Message Date
@aaronjmars
1c3280dc0d
fix(security): add host/origin allowlist + validate git refs + quote workflow input (#2185) 
Three defense-in-depth fixes around untrusted input flowing to subprocess execution:

1. **Control-pane HTTP server (scripts/lib/control-pane/server.js)**
   The local control-pane API binds to 127.0.0.1 but had no Host or Origin
   validation, so a DNS-rebinding attack from a malicious website could pivot
   into the loopback endpoints — including POST /api/actions/:id, which spawns
   'cargo run -- graph ...' with caller-supplied query strings. Add a hostname
   allowlist (loopback variants plus the explicitly configured --host) and
   reject mismatched Host (421) or non-loopback Origin (403) before any route
   handler runs.

2. **OpenCode git-summary tool (.opencode/tools/git-summary.ts)**
   The tool was building 'git diff ${baseBranch}...HEAD --stat' with execSync
   and a raw model-supplied baseBranch string. Switch run() to execFileSync
   with an args array (no shell), validate baseBranch against a conservative
   git-ref allowlist (rejects shell metacharacters, leading -, embedded ..),
   and clamp the depth arg to a small positive integer before interpolating
   into 'git log --oneline -<N>'.

3. **Reusable test workflow (.github/workflows/reusable-test.yml)**
   The 'Install dependencies' step interpolated ${{ inputs.package-manager }}
   directly into a bash 'case' and into an echo, so a downstream caller that
   forwarded attacker-controllable input could inject into the runner. Move
   the input into a PACKAGE_MANAGER env var and reference $PACKAGE_MANAGER
   inside the script per the GitHub script-injection guidance.

Detected by Aeon + semgrep p/security-audit (host check via threat-model
manual-review axis; git-summary via detect-child-process; workflow via
run-shell-injection).

Verification: node tests/run-all.js — 2686/2687 pre-existing tests pass; the
one failure (observe.sh legacy output fallback) reproduces on main without
this branch applied. Added 2 new control-pane tests covering the allowlist
classifier and the DNS-rebinding-gate behavior end-to-end.

---
Filed by [Aeon](https://github.com/aaronjmars/aeon-aaron).

Co-authored-by: aeonframework <aeon@aaronjmars.com>
 2026-06-15 13:49:40 -04:00
dependabot[bot]
d71ffd56b9
chore(deps): bump actions/setup-node (#2204) 
Bumps the actions-minor-and-patch group with 1 update in the / directory: [actions/setup-node](https://github.com/actions/setup-node).


Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](53b83947a5...48b55a011b)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-10 23:39:00 -04:00
ECC Test
3e30f1a56a ci: harden workflows and sponsor code review config 2026-06-09 21:20:17 -04:00
dependabot[bot]
09e2bc58d3
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#2183) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](de0fac2e45...df4cb1c069)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-07 13:25:31 +08:00
dependabot[bot]
cde0b12180 chore(deps): bump pnpm/action-setup from 6.0.6 to 6.0.8 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 6.0.6 to 6.0.8.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](91ab88e261...0e279bb959)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-05-17 01:33:19 -04:00
Affaan Mustafa
f7035b5644 Harden CI installs against supply-chain lifecycle hooks 2026-05-15 17:29:03 -04:00
Affaan Mustafa
c2c54e7c0b
ci: restore dependency caches without saving (#1934) 2026-05-15 13:51:51 -04:00
Affaan Mustafa
6fbf58d590 ci: keep package manager cache failures non-blocking 2026-05-12 18:03:30 -04:00
dependabot[bot]
c013479019
build(deps): bump pnpm/action-setup from 6.0.0 to 6.0.6 (#1708) 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 6.0.0 to 6.0.6.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](08c4be7e2e...91ab88e261)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-11 01:12:31 -04:00
dependabot[bot]
01b171947c
chore(deps): bump actions/cache from 5.0.4 to 5.0.5 (#1497) 
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-11 01:11:50 -04:00
Affaan Mustafa
6b7bd7156c fix: relax pnpm strict build checks in CI 2026-04-15 16:44:58 -07:00
Affaan Mustafa
85e331e49a
Merge pull request #1369 from affaan-m/dependabot/github_actions/pnpm/action-setup-6.0.0 
build(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0
 2026-04-13 01:05:16 -07:00
Affaan Mustafa
1a950e4f83 fix: allow pnpm cache probe under node 18 2026-04-13 00:21:42 -07:00
Affaan Mustafa
ef7613c526 fix: use corepack pnpm on node 18 2026-04-13 00:17:17 -07:00
Affaan Mustafa
bd207aabe1 fix: use pnpm 9 for node 18 workflow jobs 2026-04-13 00:13:54 -07:00
Affaan Mustafa
6eadf786f5 fix: pin pnpm version for setup action v6 2026-04-13 00:10:39 -07:00
Affaan Mustafa
adb46a95a6 chore: update pnpm action version comments 2026-04-12 23:53:57 -07:00
dependabot[bot]
4b92288a27
build(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0 
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](fc06bc1257...08c4be7e2e)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-12 04:52:33 +00:00
dependabot[bot]
45faeb90a7
build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-12 04:52:29 +00:00
dependabot[bot]
87363f0e59
chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#1060) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](34e114876b...de0fac2e45)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Affaan Mustafa <me@affaanmustafa.com>
 2026-03-31 14:07:40 -07:00
dependabot[bot]
a1cebd29f7
chore(deps): bump actions/upload-artifact from 4.6.2 to 7.0.0 (#1061) 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](ea165f8d65...bbbca2ddaa)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-31 14:06:07 -07:00
dependabot[bot]
09398b42c2
chore(deps): bump actions/setup-node from 4.4.0 to 6.3.0 (#1058) 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](49933ea528...53b83947a5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-31 14:06:02 -07:00
dependabot[bot]
d1e2209a52
chore(deps): bump actions/cache from 4.3.0 to 5.0.4 (#1057) 
Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](0057852bfa...668228422a)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-31 14:04:33 -07:00
Andriy Kalashnykov
46f37ae4fb
chore: pin actions to commit SHAs and add Skills section to CLAUDE.md 
Pin all GitHub Actions to commit SHAs instead of mutable version tags
across ci.yml, release.yml, maintenance.yml, and all reusable workflows.
This prevents supply-chain attacks via tag hijacking.

Add the required Skills section to CLAUDE.md mapping project files
(README.md, .github/workflows/*.yml) to their respective review skills.
 2026-03-29 17:16:56 -04:00
dagecko
28a1fbc3f2 fix: pin 6 actions to commit SHA, extract 1 expression to env var 2026-03-28 15:57:55 -04:00
to.watanabe
d8e3b9d593 fix(ci): remove --ignore-engines for Yarn Berry (v4+) 
Yarn Berry removed the --ignore-engines flag; engine checking is no
longer a core feature. The deprecated flag causes yarn install to exit
with error code 1.
 2026-03-28 12:27:04 +09:00
to.watanabe
7148d9006f fix(ci): enable Corepack for yarn and relax pnpm strict mode 
All 18 pnpm/yarn CI jobs fail on main because:
1. pnpm v9+ refuses to install when package.json declares
   "packageManager": "yarn@4.9.2" — fixed by setting
   COREPACK_ENABLE_STRICT=0 and --no-frozen-lockfile
2. CI runners only have Yarn Classic (v1.x) but the project
   uses Yarn Berry (v4.x) — fixed by activating Corepack
   before the cache/install steps
 2026-03-28 12:27:04 +09:00
Roei Bar Aviv
7c0bc25982
feat: add comprehensive CI/CD pipeline 
Adds GitHub Actions workflows for CI, maintenance, and releases with multi-platform testing matrix.
 2026-01-28 23:05:43 -08:00