From dce40fc0dcbba8a580d2d56a2c2f1bbf349e15d7 Mon Sep 17 00:00:00 2001 From: John Stevenson Date: Tue, 2 Jun 2026 14:12:10 +0100 Subject: [PATCH 1/3] Update signing and fix inno code change --- .github/workflows/builds.yml | 4 ++-- .github/workflows/tests.yml | 6 +++--- src/build.iss | 3 +-- src/composer.iss | 6 +++--- src/release.example.iss | 10 +++------- src/userdata.iss | 7 ++----- 6 files changed, 14 insertions(+), 22 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 5d28298..cfe0cf3 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0. with: fetch-depth: 1 @@ -45,7 +45,7 @@ jobs: run: choco upgrade -y composer --source .\chocolatey\local --params '"/Dev:C:\composer"' --ia '"/LOG=C:\install.txt"' - name: Upload install log - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: install-${{ matrix.install }}-log path: C:\install.txt diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6faaa50..97ed0f6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -28,12 +28,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0. with: fetch-depth: 1 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1 with: php-version: ${{ matrix.php-versions }} extensions: none @@ -63,7 +63,7 @@ jobs: run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/wrong-extdir.txt - name: Upload install logs - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: ${{ always() }} with: name: install-${{ matrix.php-versions }}-log 
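Review bot: The pin comment on the new `actions/checkout` line reads `# v6.0.`, a truncated tag that neither a reader nor Dependabot's comment rewriting can match to a release, and the same truncated comment is on the tests.yml checkout line further down. Write the full tag, `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, and confirm the SHA really resolves to that tag (`git ls-remote https://github.com/actions/checkout refs/tags/v6.0.2`), because the comment is documentation, not a check — a wrong comment next to a correct-looking SHA is exactly what a tag-swap attack looks like in review. For `shivammathur/setup-php@7c071dfe… # 2.37.1` the same verification applies; it is a community action rather than a GitHub-owned one, so the SHA is the only thing tying the pin to the audited source.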
diff --git a/src/build.iss b/src/build.iss index 42f919c..362efea 100644 --- a/src/build.iss +++ b/src/build.iss @@ -12,5 +12,4 @@ [Setup] OutputDir={#OutputDir} OutputBaseFilename={#OutputBaseFilename} -SignTool={#SignTool} {#SignExe} {#SignSha1} $f -SignTool={#SignTool} {#SignExe} {#SignSha2} $f +SignTool={#SignTool} {#SignExe} {#SignSha256} $f diff --git a/src/composer.iss b/src/composer.iss index 8444ef5..6b7e94b 100644 --- a/src/composer.iss +++ b/src/composer.iss @@ -4610,7 +4610,7 @@ begin if not IniFileUpdate(ModIni, Config, Params) then Exit; - Result := FileCopy(GTmpFile.Ini, ModIni.IniFile, False); + Result := CopyFile(GTmpFile.Ini, ModIni.IniFile, False); IniDebugFileAction(Result, True, ModIni); if Result then @@ -4798,7 +4798,7 @@ begin Success := not FileExists(IniFile); end else - Success := FileCopy(GTmpFile.IniBackup, IniFile, False); + Success := CopyFile(GTmpFile.IniBackup, IniFile, False); IniDebugFileAction(Success, False, GModIniRec); @@ -4871,7 +4871,7 @@ begin begin {Make a backup for the user in the php directory, in case something goes wrong} - Result := FileCopy(ModIni.IniFile, ModIni.UserBackup, False); + Result := CopyFile(ModIni.IniFile, ModIni.UserBackup, False); if not Result then Debug(Format('Error: Failed to backup existing ini: %s', [ModIni.IniFile])); diff --git a/src/release.example.iss b/src/release.example.iss index f07764e..8d3a460 100644 --- a/src/release.example.iss +++ b/src/release.example.iss 
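Review bot: build.iss now references a `SignSha256` define that only the committed release.example.iss provides; a developer's local release.iss (presumably untracked, given the `.example` suffix) that still defines `SignSha1`/`SignSha2` will fail with an ISPP undeclared-identifier error at the `SignTool=` line rather than a message saying what to change. Make the requirement explicit above the directive: `#ifndef SignSha256` / `#error "SignSha256 is not defined; update your release.iss from src/release.example.iss"` / `#endif`. Also worth a changelog line: as far as I recall, a SHA-256-only Authenticode signature is not validated on Windows 7 without the SHA-2 code-signing update (KB3033929), so dropping the SHA-1 primary signature is a visible change for anyone still installing there.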
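Review bot: The `FileCopy` → `CopyFile` rename (here and in the two hunks below) makes composer.iss compile only on the Inno Setup release that introduced the new name, and an older compiler reports it as an opaque unknown identifier. A preprocessor guard near the top of the script gives a clear failure instead, e.g. `#if Ver < EncodeVer(6,5,0)` / `#error "Inno Setup 6.5 or later is required (CopyFile/CreateCustomForm API)"` / `#endif` — I believe the rename landed in 6.5, but confirm the exact version before pinning the number. The functions containing these three call sites all begin and end outside the hunks, so I have not checked how a `False` result from `CopyFile` is handled beyond the `Debug` line visible in the last one.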
@@ -13,12 +13,8 @@ ; Developer Command Prompt and typing 'where signtool'. #define SignExe '"path\to\signtool.exe"' -; SignSha1 and SignSha2 defines are used by the [Setup]: SignTool directives in build.iss. - -; Use a sha1 timestamping service -#define SignSha1 "sign /a /fd sha1 /t http://timestamp.comodoca.com/authenticode" - -; Append sha256 signature -#define SignSha2 "sign /a /fd sha256 /tr http://time.certum.pl/ /td sha256 /as" +; SignSha256 define is used by the [Setup]: SignTool directives in build.iss. +; Use sha256 signature +#define SignSha256 "sign /a /fd sha256 /tr http://time.certum.pl/ /td sha256 /as" #include "composer.iss" diff --git a/src/userdata.iss b/src/userdata.iss index 6a88387..6741516 100644 --- a/src/userdata.iss +++ b/src/userdata.iss @@ -431,13 +431,10 @@ var begin - Form.Main := CreateCustomForm(); + Form.Main := CreateCustomForm(ScaleX(380), ScaleY(255), False, False); Form.Main.Font.Size := 9; - - Form.Main.ClientWidth := ScaleX(380); - Form.Main.ClientHeight := ScaleY(255); Form.Main.Caption := 'Delete User Data'; - Form.Main.FlipSizeAndCenterIfNeeded(True, UninstallProgressForm, False); + Form.Main.FlipAndCenterIfNeeded(True, UninstallProgressForm, False); Left := ScaleX(20); Width := Form.Main.ClientWidth - (Left * 2); From be359f9813935e86bae71e1c5694c139a9860331 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 29 May 2026 09:14:22 +0200 Subject: [PATCH 2/3] Add zizmor GitHub Actions security analysis + dependabot --- .github/dependabot.yml | 8 ++++++++ .github/workflows/zizmor.yml | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..177b067 --- /dev/null +++ b/.github/dependabot.yml 
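Review bot: With the SHA-1 pass gone, the `/as` (append signature) flag kept in `SignSha256` no longer appends to anything — signtool makes it the primary signature when none exists, so the build still works, but the flag now misdocuments intent; drop it: `#define SignSha256 "sign /a /fd sha256 /tr http://time.certum.pl/ /td sha256"`. Separately, `/a` lets signtool choose whichever code-signing certificate it judges "best", which on a release machine holding more than one usable certificate (an expired-but-valid-at-timestamp one, a test cert) is not deterministic; selecting the certificate explicitly with `/sha1 <thumbprint>` or `/n "<subject>"` is the safer example to ship. The comment could also say this is now the only signature, e.g. `; Single SHA-256 signature with an RFC 3161 timestamp (no SHA-1 signature is produced any more)`.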
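Review bot: The two trailing `False` arguments in `CreateCustomForm(ScaleX(380), ScaleY(255), False, False)` are opaque positional booleans; a reader has to look up the signature of the Inno Setup release that introduced this overload to know what is being switched off. A short comment naming them — `{ width, height, <param3>, <param4>: see CreateCustomForm in the Inno Setup help }` with the real parameter names filled in — would save that trip; I cannot see the signature from here, so I am not guessing the names. The enclosing procedure's header is outside the hunk.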
@@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monthly" + cooldown: + default-days: 7 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..a589d51 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,35 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + pull_request: + paths: + - '.github/**.yml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 6518099d5ef4deab94e4289be2a02d9f52b3eed0 Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Fri, 29 May 2026 09:14:22 +0200 Subject: [PATCH 3/3] Harden workflows to pass zizmor (pedantic) - Pin actions to commit SHAs at latest releases (checkout, setup-php, upload-artifact) - Add explicit contents: read permissions and concurrency limits - persist-credentials: false on checkouts - tests.yml: reference workflow env vars via cmd %VAR% syntax instead of ${{ }} to avoid template injection - builds.yml: switch the iscc/installer/composer steps from shell: cmd to pwsh --- .github/workflows/builds.yml | 16 ++++++++++++---- .github/workflows/tests.yml | 30 +++++++++++++++++++++++------- 2 files changed, 35 insertions(+), 11 deletions(-) diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index cfe0cf3..d9654e8 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml 
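Review bot: `interval: "monthly"` combined with the 7-day cooldown means a pinned action that ships a security fix can sit unpatched for up to roughly five weeks. The cooldown is the right supply-chain control (it keeps the repo off a brand-new release during the window in which a hijacked tag is most likely to be noticed and yanked), so keep it, but tighten the schedule: `interval: "weekly"`. If the PR volume is a concern, a `groups:` entry batching all actions into one PR is the usual answer rather than a slower interval.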
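Review bot: `cancel-in-progress: true` with a group keyed on `github.ref` means two pushes to `main` in quick succession cancel the scan of the earlier commit, so that commit never gets a zizmor result; for a security check on the default branch, cancellation is the wrong default. Limit it to pull-request runs: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same `concurrency` block is copied into builds.yml and tests.yml in the next patch, where cancelling a main-branch build has the same effect.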
@@ -7,6 +7,13 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: build-and-deploy: name: Build & deploy @@ -22,13 +29,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0. + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false fetch-depth: 1 - name: Compile Composer-Setup run: iscc src\composer.iss - shell: cmd + shell: pwsh - name: Build Chocolatey package if: matrix.install == 'choco' @@ -37,7 +45,7 @@ jobs: - name: Install Composer-Setup.exe if: matrix.install == 'exe' run: builds\output\Composer-Setup.dev.exe /VERYSILENT /SUPPRESSMSGBOXES /DEV=C:\composer /LOG=C:\install.txt - shell: cmd + shell: pwsh - name: Install Chocolatey package if: matrix.install == 'choco' @@ -62,7 +70,7 @@ jobs: - name: Run run: composer --version - shell: cmd + shell: pwsh - name: Run in bash run: composer --version diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 97ed0f6..4210b10 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -7,6 +7,13 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: ini-tests: name: Ini Tests @@ -19,17 +26,17 @@ jobs: php-versions: ['5.5', '8.1'] env: - SETUP_CMD: builds\output\Composer-Setup.dev.exe /VERYSILENT /SUPPRESSMSGBOXES LOG_DIR: C:\install-logs defaults: run: - shell: cmd + shell: pwsh steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0. + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false fetch-depth: 1 - name: Setup PHP 
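Review bot: A top-level `permissions: contents: read` drops every other `GITHUB_TOKEN` scope for the whole workflow, and the job this applies to is `build-and-deploy` ("Build & deploy"); if any step past the visible hunks publishes with the token (release upload, package push) it will now fail with 403. I cannot see those steps from here, so verify with a full run; if a step does need a write scope, grant it on that job (`permissions:` under `build-and-deploy:`) rather than widening the top-level block, which is what zizmor is steering you towards anyway.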
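Review bot: Switching the `Install Composer-Setup.exe` step from `cmd` to `pwsh` changes how the installer is run: an Inno Setup installer is a GUI-subsystem executable, and as far as I know PowerShell neither waits for a GUI process nor sets `$LASTEXITCODE` for it, whereas cmd running a batch script does wait — so this step can report success before the install has finished, and an installer failure no longer fails the job. Run it with an explicit wait and propagate the exit code: `$p = Start-Process -FilePath builds\output\Composer-Setup.dev.exe -ArgumentList '/VERYSILENT','/SUPPRESSMSGBOXES','/DEV=C:\composer','/LOG=C:\install.txt' -Wait -PassThru` followed by `if ($p.ExitCode -ne 0) { exit $p.ExitCode }` (piping to `| Out-Null` also forces a wait, but the explicit form documents why). Confirm against a run where the installer is made to fail deliberately, since the current step would pass either way.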
@@ -42,25 +49,34 @@ jobs: run: iscc src\composer.iss - name: Create log directory - run: mkdir ${{ env.LOG_DIR }} + run: mkdir ${env:LOG_DIR} - name: Setup no-extensions run: php .github\workflows\ini-util.php --no-extensions - name: Test no-extensions - run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/no-extensions.txt + run: | + builds\output\Composer-Setup.dev.exe ` + /VERYSILENT /SUPPRESSMSGBOXES ` + /LOG="${env:LOG_DIR}/no-extensions.txt" - name: Setup no-ini run: php .github\workflows\ini-util.php --no-ini - name: Test no-ini - run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/no-ini.txt + run: | + builds\output\Composer-Setup.dev.exe ` + /VERYSILENT /SUPPRESSMSGBOXES ` + /LOG="${env:LOG_DIR}/no-ini.txt" - name: Setup wrong-extdir run: php .github\workflows\ini-util.php --wrong-extdir - name: Test wrong-extdir - run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/wrong-extdir.txt + run: | + builds\output\Composer-Setup.dev.exe ` + /VERYSILENT /SUPPRESSMSGBOXES ` + /LOG="${env:LOG_DIR}/wrong-extdir.txt" - name: Upload install logs uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
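Review bot: The three `Test …` steps now invoke `builds\output\Composer-Setup.dev.exe` directly under the `pwsh` default shell; as far as I know PowerShell does not wait for a GUI-subsystem process such as an Inno Setup installer and does not set `$LASTEXITCODE` for it, so each step can finish before its install does, the `ini-util.php` setup for the next case can race the previous install, and a failing installer no longer fails the job (the old `cmd` batch shell waited). The commit message also says the env vars are referenced "via cmd %VAR% syntax", but the hunk uses the PowerShell `${env:LOG_DIR}` form — worth correcting the message so the rationale matches the code. Each test step should wait explicitly and propagate the exit code, as below for `no-extensions`; the `no-ini` and `wrong-extdir` steps are identical except for the log file name.

```yaml
      - name: Test no-extensions
        run: |
          $p = Start-Process -FilePath builds\output\Composer-Setup.dev.exe `
            -ArgumentList '/VERYSILENT', '/SUPPRESSMSGBOXES', "/LOG=${env:LOG_DIR}/no-extensions.txt" `
            -Wait -PassThru
          if ($p.ExitCode -ne 0) { exit $p.ExitCode }
      # … unchanged: Setup no-ini / Test no-ini / Setup wrong-extdir / Test wrong-extdir (same pattern) / Upload install logs …
```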