6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -25,15 +25,15 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "20"

- name: Setup Bun
uses: oven-sh/setup-bun@v2
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: ${{ env.CLI_BUN_VERSION }}

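Review bot: The trailing `# v6.0.2`-style comments on the new pinned `uses:` lines are not checked by anything at run time, so a reader of this hunk cannot tell that each SHA actually resolves to the tag named beside it, and once pinned the steps stop receiving tag-based updates. Pinning third-party actions to a full commit SHA is the right supply-chain hardening move; it should be paired with a dependency-update bot configuration for the `github-actions` ecosystem that bumps the SHA and its version comment together, if the repository does not already have one (none is visible in this PR). The same applies to the pinned lines in .github/workflows/publish.yml.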
21 changes: 9 additions & 12 deletions .github/workflows/publish.yml
Expand Up @@ -23,10 +23,10 @@ jobs:
WINDOWS_SIGNING_POLICY_SLUG: ${{ vars.WINDOWS_SIGNING_POLICY_SLUG || 'release-signing' }}
WINDOWS_SIGNING_ARTIFACT_CONFIGURATION_SLUG: ${{ vars.WINDOWS_SIGNING_ARTIFACT_CONFIGURATION_SLUG || 'initial' }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.GH_TOKEN }}
- uses: oven-sh/setup-bun@v2
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: ${{ env.CLI_BUN_VERSION }}

Expand Down Expand Up @@ -55,7 +55,7 @@ jobs:

- name: Upload unsigned Windows binaries
id: upload-windows-unsigned
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
name: windows-unsigned
path: |
Expand Down Expand Up @@ -105,18 +105,15 @@ jobs:
echo "$output"

if [ "$rc" -ne 0 ] || ! grep -Fq "Succeeded" <<< "$output"; then
echo "::error::$file signature verification failed"
return 1
echo "::warning::$file signature verification failed; continuing while Windows signing policy is being enabled"
fi
}

final=0
verify_signature build/appwrite-cli-win-x64.exe || final=1
verify_signature build/appwrite-cli-win-arm64.exe || final=1
exit "$final"
verify_signature build/appwrite-cli-win-x64.exe
verify_signature build/appwrite-cli-win-arm64.exe
Comment on lines 107 to +113
P1 security Signature verification failure now silently permits unsigned releases

The verification step previously exited non-zero when a signature check failed, blocking the publish job. With the new code, any failure only emits a ::warning:: and the step exits 0 — so a release can proceed and reach npm/GitHub Releases/Homebrew with unsigned (or malformed-signature) Windows binaries. If the Windows signing infrastructure is not yet ready, the safer option is to gate publishing on signing being available rather than silently shipping unsigned artifacts to end users who may be relying on Authenticode trust for security decisions.


- name: Setup Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24.14.1'
registry-url: 'https://registry.npmjs.org'
Expand All @@ -136,14 +133,14 @@ jobs:
- name: Publish
run: npm publish --provenance --access public --tag ${{ steps.release_tag.outputs.tag }}

- uses: fnkr/github-action-ghr@v1
- uses: fnkr/github-action-ghr@2fcb5ab637a49c14f4b3e7d81d0389d059171d35 # v1
env:
GHR_PATH: build/
GHR_REPLACE: false
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

- name: Check out Homebrew tap
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: ${{ env.HOMEBREW_TAP_REPO }}
token: ${{ secrets.HOMEBREW_TAP_GH_TOKEN }}
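Review bot: The `fnkr/github-action-ghr@2fcb5ab637a49c14f4b3e7d81d0389d059171d35` pin carries only `# v1`, a floating major tag, so unlike the other pins in this file its comment does not say which release the SHA corresponds to, and a later reviewer cannot tell whether the pin is current without resolving the hash. This is the step that receives `GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}`, so it is where the exact pinned revision matters most. Resolve the SHA to the exact release tag it points at and record that instead, e.g. `uses: fnkr/github-action-ghr@2fcb5ab637a49c14f4b3e7d81d0389d059171d35 # <exact tag the SHA resolves to>`.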
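--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1 @@
+min-release-age=7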
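Review bot: `min-release-age=7` carries no unit, while the matching `minimumReleaseAge = 604800 # 7d` added to bunfig.toml does; npm's key is expressed in days and bun's in seconds, so a reader comparing the two files could conclude they disagree. Add a comment above the line, `# days; mirrors minimumReleaseAge = 604800 (seconds) in bunfig.toml`. Note also that npm silently ignores config keys it does not know, so whether this setting has any effect depends on the npm bundled with the Node version each workflow installs (ci.yml uses Node 20, publish.yml 24.14.1); I cannot confirm from the hunk which of those honour it.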
3 changes: 3 additions & 0 deletions bunfig.toml
@@ -1,2 +1,5 @@
[loader]
".hbs" = "text"

[install]
minimumReleaseAge = 604800 # 7d
8 changes: 2 additions & 6 deletions lib/config.ts
Expand Up @@ -498,7 +498,7 @@ function whitelistKeys<T = any>(
}

class Config<T extends ConfigData = ConfigData> {
readonly path: string;
path: string;

P2 path is now publicly mutable

Removing readonly allows any caller holding a Config instance to silently overwrite path at any time (e.g., localConfig.path = '/tmp/evil'). The usePath() cast workaround was intentional to keep the field immutable from the outside while still allowing controlled internal updates. If the goal is to allow the useCwdConfig method (within the same class) to reassign the field, keeping readonly and using the existing cast (or making the field protected with a public getter) preserves the external immutability contract without the ugly workaround.

protected data: T;

constructor(path: string, autoRead = true) {
Expand All @@ -509,10 +509,6 @@ class Config<T extends ConfigData = ConfigData> {
}
}

protected usePath(path: string): void {
(this as { path: string }).path = path;
}

read(): void {
try {
const file = fs.readFileSync(this.path).toString();
Expand Down Expand Up @@ -655,7 +651,7 @@ class Local extends Config<ConfigType> {
Local.findConfigFileInCwd(legacyPath) ||
_path.join(process.cwd(), path);

this.usePath(absolutePath);
this.path = absolutePath;
this.configDirectoryPath = _path.dirname(absolutePath);
this.rootData = {};
this.includePaths = {};
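Review bot: Deleting `protected usePath(path: string)` removes part of Config's subclass contract, not just an internal helper, so any subclass outside lib/config.ts that calls `this.usePath(...)` will stop compiling; the hunk only shows the call site in `Local` being rewritten. If a grep confirms there are no other callers this is fine, otherwise keep a one-line shim for a release, `/** @deprecated assign this.path directly */ protected usePath(path: string): void { this.path = path; }`. The method that contains `this.path = absolutePath;` starts and ends outside the hunk, so I cannot see whether anything else in it still depends on the removed helper.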