milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #276 from AikidoSec/cleanup-nvm-in-install-script-beta

Browse source
This commit is contained in:
bitterpanda 2026-01-06 13:06:40 +01:00 committed by GitHub
commit 5ebbf5c6b2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 184 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

89
.github/workflows/build-and-release.yml vendored
View file

@ -11,23 +11,38 @@ permissions:
jobs:
set-version:
name: Set version number
runs-on: ubuntu-latest
outputs:
version: ${{ steps.get_version.outputs.tag }}
is_prerelease: ${{ steps.check_prerelease.outputs.is_prerelease }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set version number
id: get_version
run: |
version="${{ github.ref_name }}"
echo "tag=$version" >> $GITHUB_OUTPUT
- name: Check if pre-release
id: check_prerelease
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
IS_PRERELEASE=$(gh release view ${{ steps.get_version.outputs.tag }} --json isPrerelease --jq '.isPrerelease')
echo "is_prerelease=$IS_PRERELEASE" >> $GITHUB_OUTPUT
echo "Release ${{ steps.get_version.outputs.tag }} is pre-release: $IS_PRERELEASE"
create-binaries:
needs: set-version
uses: ./.github/workflows/create-artifact.yml
with:
version: ${{ needs.set-version.outputs.version }}
build:
publish-binaries:
name: Publish to GitHub release
needs: [set-version, create-binaries]
runs-on: ubuntu-latest
@ -35,37 +50,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: "lts/*"
registry-url: "https://registry.npmjs.org/"
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Setup safe-chain
run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
- name: Set the version in safe-chain package
run: npm --no-git-tag-version version ${{ needs.set-version.outputs.version }} --workspace=packages/safe-chain
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test
- name: Copy documentation files to package
run: |
cp README.md packages/safe-chain/
cp LICENSE packages/safe-chain/
cp -r docs packages/safe-chain/
- name: Publish to npm
run: |
echo "Publishing version ${{ needs.set-version.outputs.version }} to NPM"
npm publish --workspace=packages/safe-chain --access public --provenance
- name: Download all binary artifacts
uses: actions/download-artifact@v4
with:
@ -107,3 +91,44 @@ jobs:
release-artifacts/install-safe-chain.ps1 \
release-artifacts/uninstall-safe-chain.sh \
release-artifacts/uninstall-safe-chain.ps1
publish-npm:
name: Publish to npm
needs: [set-version, create-binaries]
if: needs.set-version.outputs.is_prerelease != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: "lts/*"
registry-url: "https://registry.npmjs.org/"
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Setup safe-chain
run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
- name: Set the version in safe-chain package
run: npm --no-git-tag-version version ${{ needs.set-version.outputs.version }} --workspace=packages/safe-chain
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test
- name: Copy documentation files to package
run: |
cp README.md packages/safe-chain/
cp LICENSE packages/safe-chain/
cp -r docs packages/safe-chain/
- name: Publish to npm
run: |
echo "Publishing version ${{ needs.set-version.outputs.version }} to NPM"
npm publish --workspace=packages/safe-chain --access public --provenance

4
README.md
View file

@ -33,8 +33,6 @@ Aikido Safe Chain supports the following package managers:
Installing the Aikido Safe Chain is easy with our one-line installer.
> ⚠️ **Already installed via npm?** See the [migration guide](https://github.com/AikidoSec/safe-chain/blob/main/docs/npm-to-binary-migration.md) to switch to the binary version.
### Unix/Linux/macOS
```shell
@ -206,6 +204,7 @@ You can set the minimum package age through multiple sources (in order of priori
Configure Safe Chain to scan packages from custom or private registries.
Supported ecosystems:
- Node.js
- Python
@ -348,5 +347,4 @@ pipeline {
}
```
After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.

63
install-scripts/install-safe-chain.sh
View file

@ -159,6 +159,66 @@ remove_volta_installation() {
fi
}
# Check and uninstall nvm-managed package if present across all Node versions
remove_nvm_installation() {
# This script is run in sh shell for greatest compatibility.
# Because nvm is usually setup in bash/zsh/fish startup scripts, we need to source it.
# Otherwise it won't be available in sh.
if [ -s "$HOME/.nvm/nvm.sh" ]; then
# Source nvm to make it available in this script
. "$HOME/.nvm/nvm.sh" >/dev/null 2>&1
elif [ -s "$NVM_DIR/nvm.sh" ]; then
. "$NVM_DIR/nvm.sh" >/dev/null 2>&1
fi
# Check if nvm is now available
if ! command_exists nvm; then
return
fi
nvm_versions=$(nvm list 2>/dev/null | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' || echo "")
if [ -z "$nvm_versions" ]; then
return
fi
# Track if we found any installations
found_installation=false
uninstall_failed=false
current_version=$(nvm current 2>/dev/null || echo "")
# Check each version for safe-chain installation
for version in $nvm_versions; do
# Check if this version has safe-chain installed
# Use nvm exec to run npm list in the context of that Node version
if nvm exec "$version" npm list -g @aikidosec/safe-chain >/dev/null 2>&1; then
if [ "$found_installation" = false ]; then
info "Detected nvm installation(s) of @aikidosec/safe-chain"
info "Uninstalling from all Node versions..."
found_installation=true
fi
info " Removing from Node $version..."
if nvm exec "$version" npm uninstall -g @aikidosec/safe-chain >/dev/null 2>&1; then
info " Successfully uninstalled from Node $version"
else
warn " Failed to uninstall from Node $version"
uninstall_failed=true
fi
fi
done
# Restore original Node version if it was set
if [ -n "$current_version" ] && [ "$current_version" != "none" ] && [ "$current_version" != "system" ]; then
nvm use "$current_version" >/dev/null 2>&1 || true
fi
# If any uninstall failed, error out instead of continuing
if [ "$uninstall_failed" = true ]; then
error "Failed to uninstall @aikidosec/safe-chain from all nvm Node versions. Please uninstall manually and try again."
fi
}
# Parse command-line arguments
parse_arguments() {
for arg in "$@"; do
@ -204,9 +264,10 @@ main() {
info "$INSTALL_MSG"
# Check for existing safe-chain installation through npm or volta
# Check for existing safe-chain installation through nvm, volta, or npm
remove_npm_installation
remove_volta_installation
remove_nvm_installation
# Detect platform
OS=$(detect_os)

64
install-scripts/uninstall-safe-chain.sh
View file

@ -75,6 +75,68 @@ remove_volta_installation() {
fi
}
# Check and uninstall nvm-managed package if present across all Node versions
remove_nvm_installation() {
# This script is run in sh shell for greatest compatibility.
# Because nvm is usually setup in bash/zsh/fish startup scripts, we need to source it.
# Otherwise it won't be available in sh.
if [ -s "$HOME/.nvm/nvm.sh" ]; then
# Source nvm to make it available in this script
. "$HOME/.nvm/nvm.sh" >/dev/null 2>&1
elif [ -s "$NVM_DIR/nvm.sh" ]; then
. "$NVM_DIR/nvm.sh" >/dev/null 2>&1
fi
# Check if nvm is now available
if ! command_exists nvm; then
return
fi
# Get list of installed Node versions
nvm_versions=$(nvm list 2>/dev/null | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' || echo "")
if [ -z "$nvm_versions" ]; then
return
fi
# Track if we found any installations
found_installation=false
uninstall_failed=false
current_version=$(nvm current 2>/dev/null || echo "")
# Check each version for safe-chain installation
for version in $nvm_versions; do
# Check if this version has safe-chain installed
# Use nvm exec to run npm list in the context of that Node version
if nvm exec "$version" npm list -g @aikidosec/safe-chain >/dev/null 2>&1; then
if [ "$found_installation" = false ]; then
info "Detected nvm installation(s) of @aikidosec/safe-chain"
info "Uninstalling from all Node versions..."
found_installation=true
fi
info " Removing from Node $version..."
if nvm exec "$version" npm uninstall -g @aikidosec/safe-chain >/dev/null 2>&1; then
info " Successfully uninstalled from Node $version"
else
warn " Failed to uninstall from Node $version"
uninstall_failed=true
fi
fi
done
# Restore original Node version if it was set
if [ -n "$current_version" ] && [ "$current_version" != "none" ] && [ "$current_version" != "system" ]; then
nvm use "$current_version" >/dev/null 2>&1 || true
fi
# Show warning if any uninstall failed (but don't error out during uninstall)
if [ "$uninstall_failed" = true ]; then
warn "Failed to uninstall @aikidosec/safe-chain from some nvm Node versions"
warn "You may need to manually run: nvm exec <version> npm uninstall -g @aikidosec/safe-chain"
fi
}
# Main uninstallation
main() {
SAFE_CHAIN_LOCATION="$INSTALL_DIR/safe-chain"
@ -89,8 +151,10 @@ main() {
warn "safe-chain command not found. Proceeding with uninstallation."
fi
# Check for existing safe-chain installation through nvm, volta, or npm
remove_npm_installation
remove_volta_installation
remove_nvm_installation
# Remove install dir recursively if it exists
if [ -d "$INSTALL_DIR" ]; then