From 4992daa1e7df88118be08f045a8925939a67b54c Mon Sep 17 00:00:00 2001
From: alphadelta332
Date: Sun, 14 Jun 2026 18:48:44 +1000
Subject: [PATCH] Harden GitHub release controls

---
 .github/PULL_REQUEST_TEMPLATE.md | 1 +
 .github/workflows/publish-release.yml | 40 ++++++++++++++++++++++++++-
 .github/workflows/static-checks.yml | 9 +++++-
 SECURITY.md | 4 ++-
 4 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 4c6db84..1004824 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -12,5 +12,6 @@
 - [ ] Working copy branch was switched without changing its `LogbookVersion`
 - [ ] Updated copy was smoke tested manually in Excel
 - [ ] Binary workbook change is expected
+- [ ] Release tag will be created only after this PR is merged to `main`
 
 ## Notes
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index f02726d..72aae4d 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -8,15 +8,21 @@ on:
 
 permissions:
   contents: write
 
+concurrency:
+  group: publish-release
+  cancel-in-progress: false
+
 jobs:
   publish:
     name: Publish GitHub release assets
     runs-on: windows-latest
+    timeout-minutes: 15
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
+          fetch-depth: 0
           persist-credentials: false
 
       - name: Validate release metadata
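Review bot: The new `fetch-depth: 0` on the checkout step carries no explanation, and its only visible purpose is to make `origin/main` available for the `git merge-base --is-ancestor` check added later in this patch; a later clean-up back to a shallow clone would break that check without the reason being obvious. Suggest `fetch-depth: 0 # full history: the metadata step checks the tag commit is an ancestor of origin/main`. A similar one-liner on `persist-credentials: false` (`# keep the job's write token out of the checked-out .git config`) would make it clear that the line is deliberate and not to be removed when someone needs authenticated git operations.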
@@ -27,6 +33,36 @@ jobs:
           if ($env:GITHUB_REF_NAME -ne "v$version") {
             throw "Tag $env:GITHUB_REF_NAME does not match version.txt ($version). Expected v$version."
           }
+          git merge-base --is-ancestor $env:GITHUB_SHA origin/main
+          if ($LASTEXITCODE -ne 0) {
+            throw "Tag $env:GITHUB_REF_NAME does not point to a commit on main."
+          }
+
+      - name: Build release integrity files
+        shell: pwsh
+        run: |
+          $version = (Get-Content version.txt -Raw).Trim()
+          $assets = @(
+            Get-Item Electronic_Logbook_Master.xlsm
+            Get-Item README.pdf
+          )
+
+          $manifestAssets = foreach ($asset in $assets) {
+            $hash = (Get-FileHash $asset.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
+            "$hash $($asset.Name)" | Add-Content SHA256SUMS.txt -Encoding ascii
+            [ordered]@{
+              name = $asset.Name
+              size = $asset.Length
+              sha256 = $hash
+            }
+          }
+
+          [ordered]@{
+            version = $version
+            tag = $env:GITHUB_REF_NAME
+            commit = $env:GITHUB_SHA
+            assets = @($manifestAssets)
+          } | ConvertTo-Json -Depth 4 | Set-Content release-manifest.json -Encoding utf8
 
       - name: Publish release
         shell: pwsh
@@ -36,6 +72,8 @@ jobs:
           gh release create $env:GITHUB_REF_NAME `
             Electronic_Logbook_Master.xlsm `
             README.pdf `
+            SHA256SUMS.txt `
+            release-manifest.json `
             --title $env:GITHUB_REF_NAME `
             --generate-notes `
             --verify-tag
diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml
index faf97e6..3edb66c 100644
--- a/.github/workflows/static-checks.yml
+++ b/.github/workflows/static-checks.yml
@@ -10,14 +10,21 @@ on:
 
 permissions:
   contents: read
 
+concurrency:
+  group: static-checks-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   release-metadata:
     name: Release metadata
     runs-on: windows-latest
+    timeout-minutes: 10
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Validate release metadata
         shell: pwsh
diff --git a/SECURITY.md b/SECURITY.md
index 51c46e1..7ed7c04 100644
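Review bot: The `SHA256SUMS.txt` produced by `Add-Content` in the new "Build release integrity files" step is unlikely to verify with the usual tooling: on `windows-latest` each line is terminated with CRLF, so a Unix checker such as `sha256sum -c` would treat the trailing `\r` as part of the asset name, and the single space between digest and name is not the conventional two-space separator. `Add-Content` also appends rather than overwrites, so any `SHA256SUMS.txt` already present in the checkout would keep stale entries. I would collect the lines in the loop and write the file once with explicit LF endings, as below; the manifest part of the step can stay as is. Worth stating somewhere (SECURITY.md is the natural place) that both files are uploaded by the same token as the assets, so they let a user detect a corrupted or mismatched download but do not on their own prove the assets were not replaced by someone with release write access.

```yaml
        run: |
          $version = (Get-Content version.txt -Raw).Trim()
          # … unchanged: $assets list …
          $sumLines = [System.Collections.Generic.List[string]]::new()
          $manifestAssets = foreach ($asset in $assets) {
            $hash = (Get-FileHash $asset.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            # two-space separator, the form `sha256sum -c` reads
            $sumLines.Add("$hash  $($asset.Name)")
            [ordered]@{
              name = $asset.Name
              size = $asset.Length
              sha256 = $hash
            }
          }
          # write once, overwrite, LF line endings regardless of runner OS
          [System.IO.File]::WriteAllText((Join-Path (Get-Location) 'SHA256SUMS.txt'), (($sumLines -join "`n") + "`n"))
          # … unchanged: release-manifest.json …
```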
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,7 +8,7 @@ Only the latest published release is supported for security fixes.
 
 Please do not open a public issue for suspected security vulnerabilities.
 
-Report the issue privately to the repository owner with:
+Use GitHub's private vulnerability reporting for this repository. Include:
 
 - the affected version
 - a short description of the issue
@@ -20,3 +20,5 @@ Report the issue privately to the repository owner with:
 Electronic Logbook is a macro-enabled Excel workbook. Users should only download releases from this repository's GitHub Releases page and should not run modified workbooks from untrusted sources.
 
 The workbook update system downloads release files and VBA update code from this repository. Maintainers must protect the `main` branch, protect release tags, and verify that release workbooks do not contain private tokens or personal data before publishing.
+
+Published releases include `SHA256SUMS.txt` and `release-manifest.json` so downloaded assets can be checked against the release metadata.