Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFB… #815

Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFB…

Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFB… #815

Workflow file for this run

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#############################################################################
# Local testing of this workflow can be carried out using
# act (https://github.com/nektos/act).
#
# Act will set an environment variable, ACT, to indicate that it is running the workflow.
# This environment variable is used to skip some build steps, such as logging in to
# a container registry and pushing container images.
#
# On first run, act will prompt you to select a micro, medium or large runner image. This
# workflow can be run using the medium image.
#
# Some actions, such as docker/metadata-action, require a GITHUB_TOKEN. To meet this
# requirement when using act you will need to create a Personal Access Token on GitHub.
# You can then run act using a command similar to:
# act --job docker_build --secret GITHUB_TOKEN
# Act will then prompt you to enter your token.
#############################################################################
# Docker push will only occur if configuration variable DO_DOCKER_PUSH is set to 'true'.
# This ensures that repository forks do not attempt to push to the ghcr.io/apache/ofbiz container registry.
# See https://docs.github.com/en/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows
# for more information on configuring variables for a repository.
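---
name: Build and push docker images

# Trigger on every push to the trunk branch and on every pushed tag.
# 'on' is the Actions trigger key; generic YAML 1.1 parsers read it as a
# boolean, so the yamllint truthy rule is suppressed for this one line.
# yamllint disable-line rule:truthy
on:
  push:
    branches: [trunk]
    tags:
      - '**'

# Least privilege for GITHUB_TOKEN: the job only needs to read the checkout
# and write packages (GHCR pushes); every other scope stays unset.
permissions:
  contents: read
  packages: write

jobs:
  docker_build:
    name: Build and push OFBiz docker container images
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # 'audit' only records outbound connections; it does not restrict them.
          egress-policy: audit

      - name: Check out OFBiz sources
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      # Skipped under act and whenever DO_DOCKER_PUSH is not 'true', so a fork
      # never tries to authenticate against ghcr.io.
      - name: Log in to the Container registry
        if: ${{ !env.ACT && vars.DO_DOCKER_PUSH == 'true' }}
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      ##########################################################################
      # Build and push a container image of the OFBiz Framework without any data loaded.
      - name: Determine metadata (tags, labels) for Docker runtime build
        id: runtimemeta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ghcr.io/apache/ofbiz
          tags: |
            # Extract container tag from git tag.
            type=match,pattern=release(.*),group=1
            # Build container tag based on branch name and string '-snapshot'
            type=ref,event=branch,suffix=-snapshot,priority=650

      - name: Update VERSION file
        # The OCI label values are derived from the pushed ref or tag name.
        # They are handed to the script through the environment instead of
        # being interpolated into the script text by expression substitution,
        # so a ref name containing shell metacharacters is written to VERSION
        # literally rather than interpreted by the shell.
        env:
          IMAGE_VERSION: ${{ fromJSON(steps.runtimemeta.outputs.json).labels['org.opencontainers.image.version'] }}
          IMAGE_REVISION: ${{ fromJSON(steps.runtimemeta.outputs.json).labels['org.opencontainers.image.revision'] }}
          IMAGE_CREATED: ${{ fromJSON(steps.runtimemeta.outputs.json).labels['org.opencontainers.image.created'] }}
        run: |
          # Populate the VERSION file based on the outputs of the metadata-action above.
          # The same VERSION file will be used for all container images built in this workflow.
          # Set the version label for this build.
          echo "${IMAGE_VERSION}. " > VERSION
          # Append the git commit SHA. The ${uiLabelMap.*} tokens are deliberately
          # single-quoted: they look like OFBiz UI label placeholders, not shell variables.
          echo '${uiLabelMap.CommonRevision}:' "${IMAGE_REVISION}. " >> VERSION
          # Append the timestamp.
          echo '${uiLabelMap.CommonBuiltOn}:' "${IMAGE_CREATED}. " >> VERSION
          echo "Version file contents:"
          cat VERSION

      - name: Build and push runtime docker image
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          target: runtime
          # Build always runs; the push only happens outside act and when the
          # repository variable opts in (see header comment).
          push: ${{ !env.ACT && vars.DO_DOCKER_PUSH == 'true' }}
          tags: ${{ steps.runtimemeta.outputs.tags }}
          labels: ${{ steps.runtimemeta.outputs.labels }}

      ##########################################################################
      # Build and push a container image of the OFBiz Framework preloaded with demo data
      - name: Determine metadata (tags, labels) for Docker demo-preload build
        id: demometa
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ghcr.io/apache/ofbiz
          tags: |
            type=match,pattern=release(.*),group=1,suffix=-preloaddemo
            type=ref,event=branch,suffix=-preloaddemo-snapshot,priority=650

      - name: Build and push demo docker image
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          target: demo
          push: ${{ !env.ACT && vars.DO_DOCKER_PUSH == 'true' }}
          tags: ${{ steps.demometa.outputs.tags }}
          labels: ${{ steps.demometa.outputs.labels }}

      ##########################################################################
      # Build and push a container image of the OFBiz Framework plus Plugins,
      # without any data loaded.
      - name: Grant execute permission for pullAllPluginsSource.sh
        run: chmod +x pullAllPluginsSource.sh

      - name: Load all plugins
        run: ./pullAllPluginsSource.sh

      - name: Determine metadata (tags, labels) for Docker framework with plugins build
        id: pluginsmeta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: ghcr.io/apache/ofbiz
          tags: |
            type=match,pattern=release(.*),group=1,suffix=-plugins
            type=ref,event=branch,suffix=-plugins-snapshot,priority=650

      - name: Build and push framework with plugins docker image
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          # Same 'runtime' target as the first image; the plugins were pulled
          # into the build context by the previous step.
          target: runtime
          push: ${{ !env.ACT && vars.DO_DOCKER_PUSH == 'true' }}
          tags: ${{ steps.pluginsmeta.outputs.tags }}
          labels: ${{ steps.pluginsmeta.outputs.labels }}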