mirror of
https://github.com/wailsapp/wails.git
synced 2025-05-01 21:21:54 +08:00
Merge branch 'master' into feature/allow-disable-panic-recovery
This commit is contained in:
Andrey Pshenkin
commit
125c4ab485
2
.github/workflows/pr-v2.yml
vendored
2
.github/workflows/pr-v2.yml
vendored
@ -17,7 +17,7 @@ jobs:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Verify Changed files
|
||||
uses: tj-actions/verify-changed-files@v17
|
||||
uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
|
||||
id: verify-changed-files
|
||||
with:
|
||||
files: |
|
||||
|
||||
1
.github/workflows/semgrep.yml
vendored
1
.github/workflows/semgrep.yml
vendored
@ -5,6 +5,7 @@ on:
|
||||
branches:
|
||||
- main
|
||||
- master
|
||||
- v3-alpha
|
||||
paths:
|
||||
- .github/workflows/semgrep.yml
|
||||
schedule:
|
||||
|
||||
@ -15,7 +15,7 @@ jobs:
|
||||
|
||||
- name: Verify Changed files
|
||||
id: changed-files
|
||||
uses: tj-actions/changed-files@v41
|
||||
uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
|
||||
with:
|
||||
files: |
|
||||
website/**/*.mdx
|
||||
|
||||
@ -85,6 +85,7 @@ func buildApplication(f *flags.Build) error {
|
||||
GarbleArgs: f.GarbleArgs,
|
||||
SkipBindings: f.SkipBindings,
|
||||
ProjectData: projectOptions,
|
||||
SkipEmbedCreate: f.SkipEmbedCreate,
|
||||
}
|
||||
|
||||
tableData := pterm.TableData{
|
||||
|
||||
@ -1,15 +1,16 @@
|
||||
package flags
|
||||
|
||||
type BuildCommon struct {
|
||||
LdFlags string `description:"Additional ldflags to pass to the compiler"`
|
||||
Compiler string `description:"Use a different go compiler to build, eg go1.15beta1"`
|
||||
SkipBindings bool `description:"Skips generation of bindings"`
|
||||
RaceDetector bool `name:"race" description:"Build with Go's race detector"`
|
||||
SkipFrontend bool `name:"s" description:"Skips building the frontend"`
|
||||
Verbosity int `name:"v" description:"Verbosity level (0 = quiet, 1 = normal, 2 = verbose)"`
|
||||
Tags string `description:"Build tags to pass to Go compiler. Must be quoted. Space or comma (but not both) separated"`
|
||||
NoSyncGoMod bool `description:"Don't sync go.mod"`
|
||||
SkipModTidy bool `name:"m" description:"Skip mod tidy before compile"`
|
||||
LdFlags string `description:"Additional ldflags to pass to the compiler"`
|
||||
Compiler string `description:"Use a different go compiler to build, eg go1.15beta1"`
|
||||
SkipBindings bool `description:"Skips generation of bindings"`
|
||||
RaceDetector bool `name:"race" description:"Build with Go's race detector"`
|
||||
SkipFrontend bool `name:"s" description:"Skips building the frontend"`
|
||||
Verbosity int `name:"v" description:"Verbosity level (0 = quiet, 1 = normal, 2 = verbose)"`
|
||||
Tags string `description:"Build tags to pass to Go compiler. Must be quoted. Space or comma (but not both) separated"`
|
||||
NoSyncGoMod bool `description:"Don't sync go.mod"`
|
||||
SkipModTidy bool `name:"m" description:"Skip mod tidy before compile"`
|
||||
SkipEmbedCreate bool `description:"Skips creation of embed files"`
|
||||
}
|
||||
|
||||
func (c BuildCommon) Default() BuildCommon {
|
||||
|
||||
@ -117,21 +117,22 @@ func (d *Dev) loadAndMergeProjectConfig() error {
|
||||
// GenerateBuildOptions creates a build.Options using the flags
|
||||
func (d *Dev) GenerateBuildOptions() *build.Options {
|
||||
result := &build.Options{
|
||||
OutputType: "dev",
|
||||
Mode: build.Dev,
|
||||
Devtools: true,
|
||||
Arch: runtime.GOARCH,
|
||||
Pack: true,
|
||||
Platform: runtime.GOOS,
|
||||
LDFlags: d.LdFlags,
|
||||
Compiler: d.Compiler,
|
||||
ForceBuild: d.ForceBuild,
|
||||
IgnoreFrontend: d.SkipFrontend,
|
||||
SkipBindings: d.SkipBindings,
|
||||
Verbosity: d.Verbosity,
|
||||
WailsJSDir: d.WailsJSDir,
|
||||
RaceDetector: d.RaceDetector,
|
||||
ProjectData: d.projectConfig,
|
||||
OutputType: "dev",
|
||||
Mode: build.Dev,
|
||||
Devtools: true,
|
||||
Arch: runtime.GOARCH,
|
||||
Pack: true,
|
||||
Platform: runtime.GOOS,
|
||||
LDFlags: d.LdFlags,
|
||||
Compiler: d.Compiler,
|
||||
ForceBuild: d.ForceBuild,
|
||||
IgnoreFrontend: d.SkipFrontend,
|
||||
SkipBindings: d.SkipBindings,
|
||||
Verbosity: d.Verbosity,
|
||||
WailsJSDir: d.WailsJSDir,
|
||||
RaceDetector: d.RaceDetector,
|
||||
ProjectData: d.projectConfig,
|
||||
SkipEmbedCreate: d.SkipEmbedCreate,
|
||||
}
|
||||
|
||||
return result
|
||||
|
||||
@ -69,6 +69,7 @@ type Options struct {
|
||||
Obfuscated bool // Indicates that bound methods should be obfuscated
|
||||
GarbleArgs string // The arguments for Garble
|
||||
SkipBindings bool // Skip binding generation
|
||||
SkipEmbedCreate bool // Skip creation of embed files
|
||||
}
|
||||
|
||||
// Build the project!
|
||||
@ -120,8 +121,10 @@ func Build(options *Options) (string, error) {
|
||||
}
|
||||
|
||||
// Create embed directories if they don't exist
|
||||
if err := CreateEmbedDirectories(cwd, options); err != nil {
|
||||
return "", err
|
||||
if !options.SkipEmbedCreate {
|
||||
if err := CreateEmbedDirectories(cwd, options); err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
|
||||
// Generate bindings
|
||||
|
||||
89
website/blog/2025-03-16-security-incident-response.mdx
Normal file
89
website/blog/2025-03-16-security-incident-response.mdx
Normal file
@ -0,0 +1,89 @@
|
||||
---
|
||||
slug: security-incident-response-march-2025
|
||||
title: Proactive Security Response - GitHub Actions Supply Chain Attack
|
||||
authors: [leaanthony]
|
||||
tags: [wails, security]
|
||||
---
|
||||
|
||||
<div class="text--center">
|
||||
<img
|
||||
src={require("@site/static/img/blog/shield.png").default}
|
||||
width="150"
|
||||
alt="Security Shield"
|
||||
/>
|
||||
</div>
|
||||
<br />
|
||||
|
||||
:::note TL;DR
|
||||
**Good news! Wails was NOT affected by this security incident.** Our thorough investigation confirmed that no secrets were leaked, and the Wails codebase and releases remain completely secure. We've already taken proactive measures to further strengthen our security posture.
|
||||
:::
|
||||
|
||||
## Introduction
|
||||
|
||||
On 15th March 2025 (AEST), the Wails team was alerted to a security incident involving the `tj-actions/changed-files` GitHub Action. This widely-used action (with over 23,000 repositories depending on it) was compromised in a supply chain attack. While this action was used in some of our CI/CD workflows, we're pleased to confirm that Wails remained fully protected throughout.
|
||||
|
||||
This post shares the details of the incident, our response, and the additional safeguards we've implemented to ensure the continued security of the Wails project.
|
||||
|
||||
## Incident Details
|
||||
|
||||
The security company StepSecurity [reported](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) that the `tj-actions/changed-files` GitHub Action was compromised beginning around 9:00 AM March 14th, 2025 Pacific Time (4:00 PM UTC).
|
||||
|
||||
In this attack, malicious code was injected into the action that attempted to dump CI/CD secrets from GitHub Actions runner processes into public logs. The attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit.
|
||||
|
||||
## Our Proactive Assessment
|
||||
|
||||
Upon learning this, we immediately launched a comprehensive assessment of our systems:
|
||||
|
||||
1. We identified the following Wails workflows that were using the action:
|
||||
- For Wails v2: `pr-v2.yml` and `upload-source-documents.yml`
|
||||
- For Wails v3: `pr-v3.yml`, `publish-npm.yml`, and `upload-source-documents.yml`
|
||||
|
||||
2. Our security team conducted a thorough review of all workflow logs for the affected actions during the time period of the compromise.
|
||||
|
||||
3. We're happy to confirm that **no secrets were leaked** in any of our workflow logs, and the Wails codebase remained completely secure.
|
||||
|
||||
## Action Taken
|
||||
|
||||
We took immediate steps to address this situation:
|
||||
|
||||
1. We swiftly replaced all instances of the affected `tj-actions/changed-files` action with the secure alternative `step-security/changed-files` provided by StepSecurity.
|
||||
|
||||
2. As an extra precautionary measure, we temporarily removed all secrets from our GitHub Actions workflows.
|
||||
|
||||
## What This Means for You
|
||||
|
||||
We want to reassure our community that:
|
||||
|
||||
1. The Wails codebase was never compromised in any way.
|
||||
2. No malicious code was introduced into any Wails releases.
|
||||
3. This situation only potentially affected our CI/CD pipeline, not the actual Wails source code or releases.
|
||||
4. No sensitive information or secrets were exposed during this time.
|
||||
|
||||
**In short: All Wails releases remain secure and trustworthy, and no action is required on your part.**
|
||||
|
||||
## Strengthening Our Security Posture
|
||||
|
||||
To minimise exposure to similar potential incidents in the future, we're enhancing our security practices by:
|
||||
|
||||
1. Implementing stricter version pinning for all third-party actions used in our workflows, preferably pinning to specific commit hashes rather than version tags.
|
||||
|
||||
2. Establishing a regular security review process for our CI/CD pipelines and dependencies.
|
||||
|
||||
3. Exploring the use of additional security tools like StepSecurity's Harden-Runner to provide enhanced protection for our GitHub Actions workflows.
|
||||
|
||||
4. Developing a more comprehensive security incident response plan to ensure we can respond quickly and effectively to any future security concerns.
|
||||
|
||||
It's worth noting that the Wails project already employs several security tools as part of our development process:
|
||||
|
||||
- **Semgrep**: We use Semgrep for static code analysis to identify potential security vulnerabilities and code quality issues.
|
||||
- **Snyk**: We employ Snyk to continuously monitor our dependencies for known vulnerabilities and receive alerts when security patches are needed.
|
||||
|
||||
These existing security measures, combined with our enhanced preventative steps, demonstrate our ongoing commitment to maintaining the security and integrity of the Wails project.
|
||||
|
||||
## Moving Forward
|
||||
|
||||
The security of the Wails project and the trust of our community are our highest priorities. We remain committed to transparency and will continue to promptly address any security concerns that arise.
|
||||
|
||||
We would like to thank StepSecurity for their quick response in identifying this issue and providing a secure alternative action.
|
||||
|
||||
If you have any questions or concerns about this, please don't hesitate to reach out to us on [GitHub](https://github.com/wailsapp/wails) or [Discord](https://discord.gg/JDdSxwjhGf). We're always here to help.
|
||||
@ -73,6 +73,7 @@ If you are unsure about a template, inspect `package.json` and `wails.json` for
|
||||
| -race | Build with Go's race detector | |
|
||||
| -s | Skip building the frontend | |
|
||||
| -skipbindings | Skip bindings generation | |
|
||||
| -skipembedcreate | Skip automatic creation of non-existent embed directories and gitkeep files | |
|
||||
| -tags "extra tags" | Build tags to pass to Go compiler. Must be quoted. Space or comma (but not both) separated | |
|
||||
| -trimpath | Remove all file system paths from the resulting executable. | |
|
||||
| -u | Updates your project's `go.mod` to use the same version of Wails as the CLI | |
|
||||
@ -203,6 +204,7 @@ Your system is ready for Wails development!
|
||||
| -s | Skip building the frontend | false |
|
||||
| -save | Saves the given `assetdir`, `reloaddirs`, `wailsjsdir`, `debounce`, `devserver` and `frontenddevserverurl` flags in `wails.json` to become the defaults for subsequent invocations. | |
|
||||
| -skipbindings | Skip bindings generation | |
|
||||
| -skipembedcreate | Skip automatic creation of non-existent embed directories and gitkeep files | |
|
||||
| -tags "extra tags" | Build tags to pass to compiler (quoted and space separated) | |
|
||||
| -v | Verbosity level (0 - silent, 1 - standard, 2 - verbose) | 1 |
|
||||
| -wailsjsdir | The directory to generate the generated Wails JS modules | Value in `wails.json` |
|
||||
|
||||
@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
|
||||
### Added
|
||||
- Added "Branding" section to `wails doctor` to correctly identify Windows 11 [#3891](https://github.com/wailsapp/wails/pull/3891) by [@ronen25](https://github.com/ronen25)
|
||||
- Added `-skipembedcreate` flag to build and dev command to improve compile and recompile speed [#4143](https://github.com/wailsapp/wails/pull/4143) by @josStorer
|
||||
- Added `DisablePanicRecovery` option to allow handle panics manually [#4136](https://github.com/wailsapp/wails/pull/4136) by [@APshenkin](https://github.com/APshenkin)
|
||||
|
||||
## v2.10.1 - 2025-02-24
|
||||
|
||||
BIN
website/static/img/blog/shield.png
Normal file
BIN
website/static/img/blog/shield.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 32 KiB |
@ -33,7 +33,7 @@ import (
|
||||
|
||||
"github.com/wailsapp/wails/v2"
|
||||
"github.com/wailsapp/wails/v2/pkg/options"
|
||||
"github.com/wailsapp/wails/v2/pkg/options/assetserver"
|
||||
"github.com/wailsapp/wails/v2/pkg/options/assetserver"
|
||||
)
|
||||
|
||||
//go:embed all:frontend/dist
|
||||
@ -150,7 +150,7 @@ import (
|
||||
|
||||
"github.com/wailsapp/wails/v2"
|
||||
"github.com/wailsapp/wails/v2/pkg/options"
|
||||
"github.com/wailsapp/wails/v2/pkg/options/assetserver"
|
||||
"github.com/wailsapp/wails/v2/pkg/options/assetserver"
|
||||
)
|
||||
|
||||
//go:embed all:frontend/dist
|
||||
|
||||
Loading…
Reference in New Issue
Block a user