Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .dumirc.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,6 @@ export default defineConfig({
base: basePath,
publicPath,
alias: {
'rc-util/es': path.resolve(__dirname, 'src'),
'@rc-component/util/es': path.resolve(__dirname, 'src'),
},
});
2 changes: 2 additions & 0 deletions .github/FUNDING.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
github: ant-design
open_collective: ant-design
42 changes: 42 additions & 0 deletions .github/workflows/cloudflare-pages-preview.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Cloudflare Pages Preview

on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true

permissions:
contents: read
deployments: write

jobs:
preview:
runs-on: ubuntu-latest
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
CLOUDFLARE_PAGES_PROJECT: ${{ vars.CLOUDFLARE_PAGES_PROJECT }}
PREVIEW: true
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
persist-credentials: false
- name: Skip Cloudflare Pages preview
if: ${{ env.CLOUDFLARE_API_TOKEN == '' || env.CLOUDFLARE_ACCOUNT_ID == '' || env.CLOUDFLARE_PAGES_PROJECT == '' }}
run: echo "Cloudflare Pages preview is not configured; skip deployment."
- name: Install dependencies
if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }}
run: npm install
- name: Build site
if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }}
run: npm run build
- name: Deploy preview
if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }}
uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0
with:
apiToken: ${{ env.CLOUDFLARE_API_TOKEN }}
accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }}
command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch=${{ github.head_ref }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

避免将 github.head_ref 直接插值到 command 中(模板注入隐患)。

command 会被 wrangler-action 作为 shell 命令执行,而 github.head_ref 是用户可控的分支名。Git 引用名允许包含 $、反引号、; 等 shell 元字符,攻击者可构造特制分支名注入命令。虽然此处密钥仅对同仓库 PR 可用(fork PR 因密钥为空被跳过)从而限制了暴露面,但仍建议通过环境变量间接引用,避免在表达式中直接拼接。

🛡️ 建议改为通过 env 传递分支名
       - name: Deploy preview
         if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }}
         uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0
+        env:
+          HEAD_REF: ${{ github.head_ref }}
         with:
           apiToken: ${{ env.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }}
-          command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch=${{ github.head_ref }}
+          command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch="$HEAD_REF"
           gitHubToken: ${{ secrets.GITHUB_TOKEN }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch=${{ github.head_ref }}
- name: Deploy preview
if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }}
uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0
env:
HEAD_REF: ${{ github.head_ref }}
with:
apiToken: ${{ env.CLOUDFLARE_API_TOKEN }}
accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }}
command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch="$HEAD_REF"
gitHubToken: ${{ secrets.GITHUB_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cloudflare-pages-preview.yml at line 41, The Cloudflare
Pages deploy command is directly interpolating github.head_ref into
wrangler-action’s command string, which creates a shell-injection risk from
user-controlled branch names. Update the workflow to stop concatenating the
branch name in the command and instead pass it through an environment variable
or equivalent safe input, then reference that variable from the deploy step so
the branch value is not parsed as shell syntax. Use the existing deploy step in
cloudflare-pages-preview and the command field as the location to apply the fix.

gitHubToken: ${{ secrets.GITHUB_TOKEN }}
22 changes: 12 additions & 10 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
name: "CodeQL"
name: 'CodeQL'

on:
push:
branches: [ "master" ]
branches: ['master']
pull_request:
branches: [ "master" ]
branches: ['master']
schedule:
- cron: "4 6 * * 0"
- cron: '4 6 * * 0'

jobs:
analyze:
Expand All @@ -20,22 +20,24 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ javascript ]
language: [javascript]

steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@411bbbe57033eedfc1a82d68c01345aa96c737d7
with:
languages: ${{ matrix.language }}
queries: +security-and-quality

- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@411bbbe57033eedfc1a82d68c01345aa96c737d7

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@411bbbe57033eedfc1a82d68c01345aa96c737d7
with:
category: "/language:${{ matrix.language }}"
category: '/language:${{ matrix.language }}'
2 changes: 1 addition & 1 deletion .github/workflows/react-component-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@ name: ✅ test
on: [push, pull_request]
jobs:
test:
uses: react-component/rc-test/.github/workflows/test-npm.yml@main
uses: react-component/rc-test/.github/workflows/test-utoo.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 验证目标可复用工作流是否存在及其声明的 inputs/secrets
gh api repos/react-component/rc-test/contents/.github/workflows/test-utoo.yml \
  --jq '.content' 2>/dev/null | base64 -d || \
  echo "未能获取 test-utoo.yml,请确认该工作流在 react-component/rc-test 的 main 分支存在"

Repository: react-component/util

Length of output: 690


确认 test-utoo.yml 存在,建议固定引用版本以增强安全性。

已验证 react-component/rc-test 仓库的 main 分支包含 test-utoo.yml 工作流,其通过 workflow_call 触发且无需自定义输入,依赖 secrets.CODECOV_TOKEN。当前 secrets: inherit 的配置在逻辑上合规,但存在以下风险:

  1. 未锁定版本:引用 @main 使 CI 易受上游非预期变更影响。建议固定为具体 Commit SHA。
  2. 密钥传递secrets: inherit 会无条件传递所有继承密钥。若上游仓库不完全可信,建议仅显式传递 CODECOV_TOKEN
# 建议修改示例
uses: react-component/rc-test/.github/workflows/test-utoo.yml@<commit-sha>
secrets:
  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
🧰 Tools
🪛 zizmor (1.26.1)

[error] 5-5: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 5-5: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/react-component-ci.yml at line 5, The reusable workflow
reference in react-component-ci.yml is too loosely pinned and the current secret
forwarding is broader than necessary. Update the workflow invocation that uses
test-utoo.yml to reference a specific commit SHA instead of `@main`, and replace
secrets: inherit with an explicit CODECOV_TOKEN mapping so only the required
secret is passed through.

Source: Linters/SAST tools

secrets: inherit
27 changes: 27 additions & 0 deletions .github/workflows/react-doctor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
name: React Doctor

on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
push:
branches: [master]

permissions:
contents: read
pull-requests: write
issues: write
statuses: write

concurrency:
group: react-doctor-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
react-doctor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
fetch-depth: 0
persist-credentials: false
- uses: millionco/react-doctor@0b4f4f4bd248a154e64eb508a48347f71154b3f3
8 changes: 5 additions & 3 deletions .github/workflows/site-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
persist-credentials: false

- name: setup node
uses: actions/setup-node@v1
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
with:
node-version: 20

Expand All @@ -30,7 +32,7 @@ jobs:
run: npm run build

- name: Deploy to GitHub Pages
uses: peaceiris/actions-gh-pages@v3
uses: peaceiris/actions-gh-pages@329bcc8f12caed2cefe5a5b80781499a6f3b361b
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./.doc
Expand Down
39 changes: 39 additions & 0 deletions .github/workflows/surge-preview.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Surge Preview

on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true

permissions:
contents: read
pull-requests: write
checks: write
statuses: write

jobs:
preview:
runs-on: ubuntu-latest
env:
SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
PREVIEW: true
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
persist-credentials: false
- uses: afc163/surge-preview@bf90a5a86111f6311ca42f0a5a0f80fb0fb03cec
if: ${{ env.SURGE_TOKEN != '' }}
with:
surge_token: ${{ env.SURGE_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
dist: .doc
failOnError: true
setCommitStatus: true
build: |
npm install
npm run build
- name: Skip Surge preview
if: ${{ env.SURGE_TOKEN == '' }}
run: echo "SURGE_TOKEN is not configured; skip Surge preview."
Loading
Loading