* ci(skills): pin clawhub CLI by hash via committed lockfile Scorecard flags the skill-release workflow's npm install of the clawhub CLI (code-scanning alerts #25/#26): version pinning alone carries no integrity guarantee. Install it with npm ci from a committed package-lock.json instead, so every package (clawhub + 35 transitive deps) is verified against its sha512 hash at install time. The publish-payload patch step now resolves the module from the local node_modules instead of npm root -g. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(skill-release): authenticate pinned clawhub install --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
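import fs from "node:fs";
import path from "node:path";

// Post-install patch for the clawhub CLI that the skill-release workflow
// installs with `npm ci` from the committed lockfile under .github/clawhub-cli.
// It inserts `acceptLicenseTerms: true` into the publish payload of the CLI's
// publish command. The inserted text comes only from the literal below, never
// from runtime input, so the hash-verified install is altered in a
// deterministic, reviewable way. If the installed CLI's publish.js does not
// have the expected shape (e.g. after the pinned version changes) the script
// throws rather than silently leaving the CLI unpatched.
// NOTE(review): the flag name suggests this accepts the registry's license
// terms non-interactively in CI — confirm against the pinned clawhub source.

// Line inserted into the payload; its presence also marks a file as already patched.
const PATCH_MARKER = "acceptLicenseTerms: true";

// Matches the `changelog,` / `tags,` pair of the payload object literal.
// Group 1 is the file's own line ending (LF or CRLF), group 2 the indentation
// of `tags,`; both are reused so the patched file keeps a single line-ending
// style instead of mixing `\n` into a CRLF file.
const payloadPattern = /changelog,(\r?\n)(\s*)tags,/;

/**
 * Insert the marker line between `changelog,` and `tags,` in publish.js source.
 * @param {string} source - contents of the CLI's publish.js
 * @returns {string | null} the patched source, or null when the pattern is absent
 */
function patchPublishSource(source) {
  if (!payloadPattern.test(source)) {
    return null;
  }
  return source.replace(
    payloadPattern,
    (_, eol, indent) => `changelog,${eol}${indent}${PATCH_MARKER},${eol}${indent}tags,`,
  );
}

// `||` rather than `??` on purpose: an empty GITHUB_WORKSPACE falls back as well.
const workspace = process.env.GITHUB_WORKSPACE || process.cwd();
const nodeModulesDir = path.join(workspace, ".github", "clawhub-cli", "node_modules");
const publishScriptPath = path.join(
  nodeModulesDir,
  "clawhub",
  "dist",
  "cli",
  "commands",
  "publish.js",
);

if (!fs.existsSync(publishScriptPath)) {
  throw new Error(`clawhub publish script not found: ${publishScriptPath}`);
}

const original = fs.readFileSync(publishScriptPath, "utf8");
if (original.includes(PATCH_MARKER)) {
  // Idempotent: re-running the workflow step must not insert the line twice.
  console.log(`[patch-clawhub] Already patched: ${publishScriptPath}`);
  process.exit(0);
}

const patched = patchPublishSource(original);
if (patched === null) {
  throw new Error(`[patch-clawhub] Could not find expected publish payload pattern in ${publishScriptPath}`);
}

fs.writeFileSync(publishScriptPath, patched, "utf8");
console.log(`[patch-clawhub] Patched: ${publishScriptPath}`);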