diff --git a/.github/workflows/pr-v2.yml b/.github/workflows/pr-v2.yml
index 8adc29a56..572260b8b 100644
--- a/.github/workflows/pr-v2.yml
+++ b/.github/workflows/pr-v2.yml
@@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@v3
- name: Verify Changed files
- uses: tj-actions/verify-changed-files@v17
+ uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
id: verify-changed-files
with:
files: |
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 453e4cb85..7533a3a04 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -5,6 +5,7 @@ on:
branches:
- main
- master
+ - v3-alpha
paths:
- .github/workflows/semgrep.yml
schedule:
diff --git a/.github/workflows/upload-source-documents.yml b/.github/workflows/upload-source-documents.yml
index df15246fc..69d6c3e48 100644
--- a/.github/workflows/upload-source-documents.yml
+++ b/.github/workflows/upload-source-documents.yml
@@ -15,7 +15,7 @@ jobs:
- name: Verify Changed files
id: changed-files
- uses: tj-actions/changed-files@v41
+ uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
with:
files: |
website/**/*.mdx
diff --git a/v2/cmd/wails/build.go b/v2/cmd/wails/build.go
index 7364df8ba..05f235078 100644
--- a/v2/cmd/wails/build.go
+++ b/v2/cmd/wails/build.go
@@ -85,6 +85,7 @@ func buildApplication(f *flags.Build) error {
GarbleArgs: f.GarbleArgs,
SkipBindings: f.SkipBindings,
ProjectData: projectOptions,
+ SkipEmbedCreate: f.SkipEmbedCreate,
}
tableData := pterm.TableData{
diff --git a/v2/cmd/wails/flags/buildcommon.go b/v2/cmd/wails/flags/buildcommon.go
index 4bbc4c62c..a22f7a502 100644
--- a/v2/cmd/wails/flags/buildcommon.go
+++ b/v2/cmd/wails/flags/buildcommon.go
@@ -1,15 +1,16 @@
package flags
type BuildCommon struct {
- LdFlags string `description:"Additional ldflags to pass to the compiler"`
- Compiler string `description:"Use a different go compiler to build, eg go1.15beta1"`
- SkipBindings bool `description:"Skips generation of bindings"`
- RaceDetector bool `name:"race" description:"Build with Go's race detector"`
- SkipFrontend bool `name:"s" description:"Skips building the frontend"`
- Verbosity int `name:"v" description:"Verbosity level (0 = quiet, 1 = normal, 2 = verbose)"`
- Tags string `description:"Build tags to pass to Go compiler. Must be quoted. Space or comma (but not both) separated"`
- NoSyncGoMod bool `description:"Don't sync go.mod"`
- SkipModTidy bool `name:"m" description:"Skip mod tidy before compile"`
+ LdFlags string `description:"Additional ldflags to pass to the compiler"`
+ Compiler string `description:"Use a different go compiler to build, eg go1.15beta1"`
+ SkipBindings bool `description:"Skips generation of bindings"`
+ RaceDetector bool `name:"race" description:"Build with Go's race detector"`
+ SkipFrontend bool `name:"s" description:"Skips building the frontend"`
+ Verbosity int `name:"v" description:"Verbosity level (0 = quiet, 1 = normal, 2 = verbose)"`
+ Tags string `description:"Build tags to pass to Go compiler. Must be quoted. Space or comma (but not both) separated"`
+ NoSyncGoMod bool `description:"Don't sync go.mod"`
+ SkipModTidy bool `name:"m" description:"Skip mod tidy before compile"`
+ SkipEmbedCreate bool `description:"Skips creation of embed files"`
}
func (c BuildCommon) Default() BuildCommon {
diff --git a/v2/cmd/wails/flags/dev.go b/v2/cmd/wails/flags/dev.go
index 501450a98..b2ae1c04f 100644
--- a/v2/cmd/wails/flags/dev.go
+++ b/v2/cmd/wails/flags/dev.go
@@ -117,21 +117,22 @@ func (d *Dev) loadAndMergeProjectConfig() error {
// GenerateBuildOptions creates a build.Options using the flags
func (d *Dev) GenerateBuildOptions() *build.Options {
result := &build.Options{
- OutputType: "dev",
- Mode: build.Dev,
- Devtools: true,
- Arch: runtime.GOARCH,
- Pack: true,
- Platform: runtime.GOOS,
- LDFlags: d.LdFlags,
- Compiler: d.Compiler,
- ForceBuild: d.ForceBuild,
- IgnoreFrontend: d.SkipFrontend,
- SkipBindings: d.SkipBindings,
- Verbosity: d.Verbosity,
- WailsJSDir: d.WailsJSDir,
- RaceDetector: d.RaceDetector,
- ProjectData: d.projectConfig,
+ OutputType: "dev",
+ Mode: build.Dev,
+ Devtools: true,
+ Arch: runtime.GOARCH,
+ Pack: true,
+ Platform: runtime.GOOS,
+ LDFlags: d.LdFlags,
+ Compiler: d.Compiler,
+ ForceBuild: d.ForceBuild,
+ IgnoreFrontend: d.SkipFrontend,
+ SkipBindings: d.SkipBindings,
+ Verbosity: d.Verbosity,
+ WailsJSDir: d.WailsJSDir,
+ RaceDetector: d.RaceDetector,
+ ProjectData: d.projectConfig,
+ SkipEmbedCreate: d.SkipEmbedCreate,
}
return result
diff --git a/v2/pkg/commands/build/build.go b/v2/pkg/commands/build/build.go
index f247f2db1..b4e83dd69 100644
--- a/v2/pkg/commands/build/build.go
+++ b/v2/pkg/commands/build/build.go
@@ -69,6 +69,7 @@ type Options struct {
Obfuscated bool // Indicates that bound methods should be obfuscated
GarbleArgs string // The arguments for Garble
SkipBindings bool // Skip binding generation
+ SkipEmbedCreate bool // Skip creation of embed files
}
// Build the project!
@@ -120,8 +121,10 @@ func Build(options *Options) (string, error) {
}
// Create embed directories if they don't exist
- if err := CreateEmbedDirectories(cwd, options); err != nil {
- return "", err
+ if !options.SkipEmbedCreate {
+ if err := CreateEmbedDirectories(cwd, options); err != nil {
+ return "", err
+ }
}
// Generate bindings
diff --git a/website/blog/2025-03-16-security-incident-response.mdx b/website/blog/2025-03-16-security-incident-response.mdx
new file mode 100644
index 000000000..e9903c570
--- /dev/null
+++ b/website/blog/2025-03-16-security-incident-response.mdx
@@ -0,0 +1,89 @@
+---
+slug: security-incident-response-march-2025
+title: Proactive Security Response - GitHub Actions Supply Chain Attack
+authors: [leaanthony]
+tags: [wails, security]
+---
+
+
+
![Security Shield]({require("@site/static/img/blog/shield.png").default})
+
+
+:::note TL;DR
+**Good news! Wails was NOT affected by this security incident.** Our thorough investigation confirmed that no secrets were leaked, and the Wails codebase and releases remain completely secure. We've already taken proactive measures to further strengthen our security posture.
+:::
+
+## Introduction
+
+On 15th March 2025 (AEST), the Wails team was alerted to a security incident involving the `tj-actions/changed-files` GitHub Action. This widely-used action (with over 23,000 repositories depending on it) was compromised in a supply chain attack. While this action was used in some of our CI/CD workflows, we're pleased to confirm that Wails remained fully protected throughout.
+
+This post shares the details of the incident, our response, and the additional safeguards we've implemented to ensure the continued security of the Wails project.
+
+## Incident Details
+
+The security company StepSecurity [reported](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) that the `tj-actions/changed-files` GitHub Action was compromised beginning around 9:00 AM March 14th, 2025 Pacific Time (4:00 PM UTC).
+
+In this attack, malicious code was injected into the action that attempted to dump CI/CD secrets from GitHub Actions runner processes into public logs. The attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit.
+
+## Our Proactive Assessment
+
+Upon learning this, we immediately launched a comprehensive assessment of our systems:
+
+1. We identified the following Wails workflows that were using the action:
+ - For Wails v2: `pr-v2.yml` and `upload-source-documents.yml`
+ - For Wails v3: `pr-v3.yml`, `publish-npm.yml`, and `upload-source-documents.yml`
+
+2. Our security team conducted a thorough review of all workflow logs for the affected actions during the time period of the compromise.
+
+3. We're happy to confirm that **no secrets were leaked** in any of our workflow logs, and the Wails codebase remained completely secure.
+
+## Action Taken
+
+We took immediate steps to address this situation:
+
+1. We swiftly replaced all instances of the affected `tj-actions/changed-files` action with the secure alternative `step-security/changed-files` provided by StepSecurity.
+
+2. As an extra precautionary measure, we temporarily removed all secrets from our GitHub Actions workflows.
+
+## What This Means for You
+
+We want to reassure our community that:
+
+1. The Wails codebase was never compromised in any way.
+2. No malicious code was introduced into any Wails releases.
+3. This situation only potentially affected our CI/CD pipeline, not the actual Wails source code or releases.
+4. No sensitive information or secrets were exposed during this time.
+
+**In short: All Wails releases remain secure and trustworthy, and no action is required on your part.**
+
+## Strengthening Our Security Posture
+
+To minimise exposure to similar potential incidents in the future, we're enhancing our security practices by:
+
+1. Implementing stricter version pinning for all third-party actions used in our workflows, preferably pinning to specific commit hashes rather than version tags.
+
+2. Establishing a regular security review process for our CI/CD pipelines and dependencies.
+
+3. Exploring the use of additional security tools like StepSecurity's Harden-Runner to provide enhanced protection for our GitHub Actions workflows.
+
+4. Developing a more comprehensive security incident response plan to ensure we can respond quickly and effectively to any future security concerns.
+
+It's worth noting that the Wails project already employs several security tools as part of our development process:
+
+- **Semgrep**: We use Semgrep for static code analysis to identify potential security vulnerabilities and code quality issues.
+- **Snyk**: We employ Snyk to continuously monitor our dependencies for known vulnerabilities and receive alerts when security patches are needed.
+
+These existing security measures, combined with our enhanced preventative steps, demonstrate our ongoing commitment to maintaining the security and integrity of the Wails project.
+
+## Moving Forward
+
+The security of the Wails project and the trust of our community are our highest priorities. We remain committed to transparency and will continue to promptly address any security concerns that arise.
+
+We would like to thank StepSecurity for their quick response in identifying this issue and providing a secure alternative action.
+
+If you have any questions or concerns about this, please don't hesitate to reach out to us on [GitHub](https://github.com/wailsapp/wails) or [Discord](https://discord.gg/JDdSxwjhGf). We're always here to help.
diff --git a/website/docs/reference/cli.mdx b/website/docs/reference/cli.mdx
index dc816a56b..84aba8fd8 100644
--- a/website/docs/reference/cli.mdx
+++ b/website/docs/reference/cli.mdx
@@ -73,6 +73,7 @@ If you are unsure about a template, inspect `package.json` and `wails.json` for
| -race | Build with Go's race detector | |
| -s | Skip building the frontend | |
| -skipbindings | Skip bindings generation | |
+| -skipembedcreate | Skip automatic creation of non-existent embed directories and gitkeep files | |
| -tags "extra tags" | Build tags to pass to Go compiler. Must be quoted. Space or comma (but not both) separated | |
| -trimpath | Remove all file system paths from the resulting executable. | |
| -u | Updates your project's `go.mod` to use the same version of Wails as the CLI | |
@@ -203,6 +204,7 @@ Your system is ready for Wails development!
| -s | Skip building the frontend | false |
| -save | Saves the given `assetdir`, `reloaddirs`, `wailsjsdir`, `debounce`, `devserver` and `frontenddevserverurl` flags in `wails.json` to become the defaults for subsequent invocations. | |
| -skipbindings | Skip bindings generation | |
+| -skipembedcreate | Skip automatic creation of non-existent embed directories and gitkeep files | |
| -tags "extra tags" | Build tags to pass to compiler (quoted and space separated) | |
| -v | Verbosity level (0 - silent, 1 - standard, 2 - verbose) | 1 |
| -wailsjsdir | The directory to generate the generated Wails JS modules | Value in `wails.json` |
diff --git a/website/src/pages/changelog.mdx b/website/src/pages/changelog.mdx
index e65617fde..15e61bd0d 100644
--- a/website/src/pages/changelog.mdx
+++ b/website/src/pages/changelog.mdx
@@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- Added "Branding" section to `wails doctor` to correctly identify Windows 11 [#3891](https://github.com/wailsapp/wails/pull/3891) by [@ronen25](https://github.com/ronen25)
+- Added `-skipembedcreate` flag to build and dev command to improve compile and recompile speed [#4143](https://github.com/wailsapp/wails/pull/4143) by @josStorer
- Added `DisablePanicRecovery` option to allow handle panics manually [#4136](https://github.com/wailsapp/wails/pull/4136) by [@APshenkin](https://github.com/APshenkin)
## v2.10.1 - 2025-02-24
diff --git a/website/static/img/blog/shield.png b/website/static/img/blog/shield.png
new file mode 100644
index 000000000..7b715f8f4
Binary files /dev/null and b/website/static/img/blog/shield.png differ
diff --git a/website/versioned_docs/version-v2.10/howdoesitwork.mdx b/website/versioned_docs/version-v2.10/howdoesitwork.mdx
index 48243f4eb..69134ac24 100644
--- a/website/versioned_docs/version-v2.10/howdoesitwork.mdx
+++ b/website/versioned_docs/version-v2.10/howdoesitwork.mdx
@@ -33,7 +33,7 @@ import (
"github.com/wailsapp/wails/v2"
"github.com/wailsapp/wails/v2/pkg/options"
- "github.com/wailsapp/wails/v2/pkg/options/assetserver"
+ "github.com/wailsapp/wails/v2/pkg/options/assetserver"
)
//go:embed all:frontend/dist
@@ -150,7 +150,7 @@ import (
"github.com/wailsapp/wails/v2"
"github.com/wailsapp/wails/v2/pkg/options"
- "github.com/wailsapp/wails/v2/pkg/options/assetserver"
+ "github.com/wailsapp/wails/v2/pkg/options/assetserver"
)
//go:embed all:frontend/dist