Update for CVE-2024-45321 (App::cpanminus) #207
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# brian's standard GitHub Actions macOS config for Perl 5 modules | |
# version 20240824.001 | |
# https://github.com/briandfoy/github_workflows | |
# https://github.com/features/actions | |
# This file is licensed under the Artistic License 2.0 | |
# | |
# This uses the AUTOMATED_TESTING environment that you can set up | |
# in your repo settings. Or not. It still works if it isn't defined. | |
# In that environment, add whatever environment variables or secrets | |
# that you want. | |
--- | |
name: macos | |
# https://github.com/actions/checkout/issues/1590 | |
env: | |
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | |
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} | |
cancel-in-progress: true | |
on: | |
push: | |
branches: | |
- '**' | |
- '!**appveyor**' | |
- '!**circleci**' | |
- '!**linux**' | |
- '!**notest**' | |
- '!**release**' | |
- '!**windows**' | |
tags-ignore: | |
# I tag release pushes but those should have already been tested | |
- 'release-*' | |
paths-ignore: | |
# list all the files which are irrelevant to the tests | |
# non-code, support files, docs, etc | |
- '.appveyor.yml' | |
- '.circleci' | |
- '.gitattributes' | |
- '.github/workflows/linux.yml' | |
- '.github/workflows/release.yml' | |
- '.github/workflows/windows.yml' | |
- '.gitignore' | |
- '.releaserc' | |
- 'Changes' | |
- 'LICENSE' | |
- 'README.pod' | |
pull_request: | |
jobs: | |
perl: | |
environment: automated_testing | |
runs-on: macOS-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Platform check | |
run: uname -a | |
- name: Set up Perl | |
run: | | |
brew install perl | |
ls -d /opt/homebrew/Cellar/perl/*/bin | head -1 >> $GITHUB_PATH | |
perl -v | perl -0777 -ne 'm/(v5\.\d+)/ && print "PERL_VERSION=$1"' >> $GITHUB_ENV | |
- name: Perl version check | |
run: perl -V | |
# cpan can operate with https, but we need IO::SSL::Socket, which | |
# does not come with Perl. | |
# | |
# When using cpan, use -M to specify the CDN-backed www.cpan.org | |
# mirror. I've noticed that letting CPAN.pm auto-choose mirrors | |
# sometimes selects things that the action can't reach. | |
# | |
# Also, use the -T option to not test the dependencies. Assume these | |
# mainline modules are good and save lots of CI minutes. | |
- name: Prepare cpan | |
run: | | |
openssl version | |
cpan -M http://www.cpan.org -T IO::Socket::SSL HTTP::Tiny | |
cpan -M https://www.cpan.org -T ExtUtils::MakeMaker Test::Manifest | |
# Install the dependencies, again not testing them. This installs the | |
# module in the current directory, so we end up installing the module, | |
# but that's not a big deal. | |
- name: Install dependencies | |
run: | | |
cpan -M https://www.cpan.org -T . | |
- name: Run tests | |
run: | | |
perl Makefile.PL | |
make test | |
# Run author tests, but only if there's an xt/ directory | |
- name: Author tests | |
if: hashFiles('xt') != '' | |
run: | | |
cpan -M https://www.cpan.org -T Test::CPAN::Changes | |
prove -r -b xt | |
# Running tests in parallel should be faster, but it's also more | |
# tricky in cases where different tests share a feature, such as a | |
# file they want to write to. Parallel tests can stomp on each other. | |
# Test in parallel to catch that, because other people will test your | |
# stuff in parallel. | |
- name: Run tests in parallel | |
run: | | |
perl Makefile.PL | |
HARNESS_OPTIONS=j10 make test | |
# The disttest target creates the distribution, unwraps it, changes | |
# into the dist dir, then runs the tests there. That checks that | |
# everything that should be in the dist is in the dist. If you forget | |
# to update MANIFEST with new modules, data files, and so on, you | |
# should notice the error. | |
- name: Run distribution tests | |
run: | | |
perl Makefile.PL | |
make disttest | |
make clean | |
# And, coverage reports, but only under 5.10 and later since modern | |
# Devel::Cover instances don't work with 5.8 | |
- name: Run coverage tests | |
if: env.PERL_VERSION != 'v5.8' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
cpan -M https://www.cpan.org -T Devel::Cover Devel::Cover::Report::Coveralls | |
perl Makefile.PL | |
cover -test -report coveralls |