updated requirements to fix libwebp security vulnerability

rtmigo · Oct 6, 2023 · b337e50 · b337e50
1 parent 081702a
commit b337e50
Show file tree

Hide file tree

Showing 3 changed files with 226 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml.bak b/.github/workflows/ci.yml.bak
@@ -0,0 +1,185 @@
+name: test-and-deploy
+
+on:
+  push:
+    branches: [ dev ]
+    paths-ignore:
+      - '**.md'
+      - '**.txt'
+
+concurrency:
+  # subsequently queued workflow run will interrupt previous runs
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+
+  release-flag:
+    if: contains(github.event.head_commit.message, '!!release')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+
+  pypi-flag:
+    if: contains(github.event.head_commit.message, '!!pypi')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+
+
+  master-flag:
+    if: contains(github.event.head_commit.message, '!!master')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+
+  test:
+    timeout-minutes: 15
+
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        python-version: [ 3.7, '3.11.0-rc.2' ]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install --upgrade setuptools distlib
+          pip install -e .
+          pip install -r requirements.txt
+      - name: Lint
+        run: |
+          python3 ./do.py lint
+      - name: Run unit tests
+        run: |
+          python3 ./do.py test
+      - name: Run pkg tests
+        # важно, чтобы в случае Windows это был действительно python, а
+        # не python3. Иначе вызовы самого-себя в качестве дочернего процесса
+        # приведут к ошибкам с "ненайденными файлами". Ненайденный - вероятно
+        # сам пайтоне внутри venv
+        run: |
+          python ./do.py test-pkg
+
+  to-staging:
+    needs: [test, build-exe]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Merge current -> staging
+        uses: devmasx/[email protected]
+        with:
+          type: now
+          target_branch: staging
+          github_token: ${{ github.token }}
+
+  build-exe:
+    #needs: [ to-staging ]
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.8.10'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install --upgrade setuptools distlib
+          pip install -e .
+          pip install -r requirements.txt
+      - name: Build
+        run: python ./do.py build
+      - name: Run exe (test A)
+        run: dist/img2texture --version
+      - name: Run exe (test B)
+        run: dist/img2texture docs/1_orion_src.jpg texture.tmp.jpg
+      - name: Store Exe as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: binary_from_${{ matrix.os }}
+          path: dist/*
+          retention-days: 3
+
+  to-master:
+    # if the commit message was "publish", copy the tested code
+    # to "master" branch and create GitHub release
+
+    needs: [ to-staging, master-flag ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      # UPDATE MASTER BRANCH
+      - name: Merge to master branch
+        uses: devmasx/[email protected]
+        with:
+          type: now
+          target_branch: master
+          github_token: ${{ github.token }}
+
+  to-pypi:
+    needs: [ to-master, pypi-flag ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      # ADD PYPI RELEASE
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install setuptools wheel twine
+      - name: Build and publish
+        env:
+          TWINE_USERNAME: ${{ secrets.PYPI_USR }}
+          TWINE_PASSWORD: ${{ secrets.PYPI_PWD }}
+        run: |
+          python setup.py sdist bdist_wheel
+          twine upload dist/*
+
+
+  to-github-release:
+    needs: [ build-exe, to-staging, release-flag ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Get previously built artifacts
+        uses: actions/download-artifact@v3
+        with:
+          path: downloaded_artifacts
+
+      - name: Create distributable archives
+        run: |
+          wget -c https://github.com/rtmigo/exe2dist/releases/latest/download/exe2dist_linux_amd64.tgz -O - | tar -xz
+          ./exe2dist img2texture 'downloaded_artifacts/*/*' dist
+
+      - name: Get the project version
+        run: |
+          echo "::set-output name=VER::$(python setup.py --version)"
+        id: version
+
+      - name: Publish GitHub release
+        id: publish_github_release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ steps.version.outputs.VER }}
+          files: ./dist/*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/linux_build.yml.bak b/.github/workflows/linux_build.yml.bak
@@ -0,0 +1,40 @@
+name: build-dev
+
+on:
+  push:
+    branches: [ dev ]
+    paths-ignore:
+      - '**.md'
+      - '**.txt'
+
+concurrency:
+  # subsequently queued workflow run will interrupt previous runs
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+
+
+  build-exe:
+    #needs: [ to-staging ]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.8'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install -r requirements.txt
+      - name: Pip list
+        run: pip list | tail -n +3 | awk '{print $1}' | xargs pip show | grep -E 'Location:|Name:' | cut -d ' ' -f 2 | paste -d ' ' - - | awk '{print $2 "/" tolower($1)}' | xargs du -sh 2> /dev/null | sort -hr
+      - name: Build
+        run: python ./do.py build
+      - name: Run exe (test A)
+        run: dist/img2texture --version
+      - name: Run exe (test B)
+        run: dist/img2texture docs/1_orion_src.jpg texture.tmp.jpg
diff --git a/setup.py b/setup.py
@@ -31,7 +31,7 @@ def load_module_dict(filename: str) -> dict:
     package_data={name: ["py.typed"]},
 
     python_requires='>=3.7, <4',
-    install_requires=["pillow>=9.2, <10"],
+    install_requires=["pillow>=10.0.1"],  # fixing libwebp CVE-2023-4863
 
     description="Command line utility for converting images to seamless tiles.",
     long_description=readme,