diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 0ac37895d..7c028e2a6 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -8,6 +8,8 @@ on:
 jobs:
 docker-build-publish:
+ permissions:
+ contents: read
 name: Build and Publish Docker Image
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f9a7a7357..c6c41230b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -29,7 +29,7 @@ jobs:
 fetch-depth: 0
 - name: Install Dependencies
- run: npm install --workspaces
+ run: npm ci --workspaces
 - name: Code Linting
 run: |
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 6301eb168..3f95db566 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -16,9 +16,7 @@ permissions:
 jobs:
 pr_title:
 permissions:
- contents: write
- pull-requests: write
- statuses: write
+ pull-requests: read
 name: Validate & Label PR
 runs-on: ubuntu-latest
 steps:
@@ -45,6 +43,17 @@ jobs:
 revert
 test
 break
+ release-drafter:
+ permissions:
+ contents: write
+ pull-requests: read
+ name: Release Drafter
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
 - uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7
 with:
 commitish: main
diff --git a/.github/workflows/sample-publish.yml b/.github/workflows/sample-publish.yml
index 5e27cdbd6..ae446749f 100644
--- a/.github/workflows/sample-publish.yml
+++ b/.github/workflows/sample-publish.yml
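Review bot: `contents: read` is now the only permission granted to docker-build-publish, yet the job is named "Build and Publish Docker Image"; if the push step logs in to GHCR with `GITHUB_TOKEN` (the steps are outside the hunk) it will fail with 403 and needs `packages: write`, plus `id-token: write` if the image is signed or attested. If the registry login uses a dedicated secret instead, the read-only grant is the right call. Either way, record the decision next to the block so the next reader does not "fix" it by widening the token, e.g. `# contents: read only — registry login uses a dedicated secret, not GITHUB_TOKEN`.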
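Review bot: `npm ci --workspaces` is an improvement over `npm install`, but it still executes every dependency's install/postinstall lifecycle script, which is the main supply-chain exposure of a lint job that only needs sources on disk. If no workspace needs a native build to lint, prefer `run: npm ci --workspaces --ignore-scripts`; if one does, add a comment on the step saying which package requires scripts so the omission reads as deliberate.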
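Review bot: pr_title keeps the name `Validate & Label PR` but is reduced to `pull-requests: read`; a step that applies labels needs `pull-requests: write`, and a step that posts a commit status needs `statuses: write`, so one of them will now fail unless it was removed (the job's steps are outside the hunk). The dropped `contents: write` is consistent with the release-drafter step moving to its own job later in the diff, so that part looks right. Confirm the remaining steps only read the PR, and either rename the job to match or restore `pull-requests: write` with a comment naming the step that needs it.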
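Review bot: The new release-drafter job holds `contents: write` while its harden-runner step is left at `egress-policy: audit`, which only logs outbound connections and blocks nothing, so the hardening step does not actually protect that token. release-drafter only talks to the GitHub API, so tighten it to `egress-policy: block` with `allowed-endpoints: api.github.com:443` under the same `with:` block. If the workflow's `on:` trigger (outside the hunk) includes pull-request events, also consider an `if:` guard so drafts are only updated from `main` rather than from every PR run.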
@@ -31,10 +31,8 @@ jobs:
 working-directory: plugins/git-proxy-plugin-samples
 run: npm run build
- - name: Install peers and publish
+ - name: Publish git-proxy-plugin-samples
 working-directory: plugins/git-proxy-plugin-samples
- run: |
- npm install --include=peer
- npm publish --provenance --access=public
+ run: npm publish --provenance --access=public
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/src/proxy/processors/push-action/parsePush.ts b/src/proxy/processors/push-action/parsePush.ts
index 2a324c055..d4bb6361b 100644
--- a/src/proxy/processors/push-action/parsePush.ts
+++ b/src/proxy/processors/push-action/parsePush.ts
@@ -56,6 +56,11 @@ async function exec(req: Request, action: Action): Promise {
 if (!req.body || req.body.length === 0) {
 throw new Error('No body found in request');
 }
+
+ if (Array.isArray(req.body) || !Buffer.isBuffer(req.body)) {
+ throw new Error('Invalid body type');
+ }
+
 const [packetLines, packDataOffset] = parsePacketLines(req.body);
 const refUpdates = packetLines.filter((line) => line.includes(BRANCH_PREFIX));
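Review bot: `npm publish --provenance` requires the job to hold `id-token: write` so npm can obtain the OIDC token that the provenance attestation is built from; that grant is not in the hunk, so confirm it is set at job or workflow level or the publish step will fail. Dropping the `npm install --include=peer` immediately before publishing is a good change, as it removed a second dependency-resolution pass right before the package was signed. Since OIDC is already required here, the long-lived `NPM_TOKEN` secret could be retired in favour of npm trusted publishing, which removes a credential that any compromised build-step dependency could read.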
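Review bot: `Array.isArray(req.body) ||` in the new guard is dead code — an array is never a Buffer, so `!Buffer.isBuffer(req.body)` alone already rejects it, and the condition can be reduced to `if (!Buffer.isBuffer(req.body)) {`. The guard is also placed after `req.body.length === 0`, which reads `.length` off an untyped body (a string or an array from a JSON body parser would pass that first check and only be rejected here); if the distinct "No body found" message for a null body is not relied upon, running the Buffer check first would make the length comparison well-typed. A one-line comment such as `// parsePacketLines expects the raw pack stream, so reject parsed (non-Buffer) bodies` would explain why the check exists. `exec` continues beyond the hunk.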