Merge pull request #276 from AikidoSec/cleanup-nvm-in-install-script-beta

bitterpanda 2026-01-06 13:06:40 +01:00 committed by GitHub
commit 5ebbf5c6b2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 184 additions and 36 deletions


@ -11,23 +11,38 @@ permissions:
jobs: jobs:
set-version: set-version:
name: Set version number
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
version: ${{ steps.get_version.outputs.tag }} version: ${{ steps.get_version.outputs.tag }}
is_prerelease: ${{ steps.check_prerelease.outputs.is_prerelease }}
steps: steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set version number - name: Set version number
id: get_version id: get_version
run: | run: |
version="${{ github.ref_name }}" version="${{ github.ref_name }}"
echo "tag=$version" >> $GITHUB_OUTPUT echo "tag=$version" >> $GITHUB_OUTPUT
- name: Check if pre-release
id: check_prerelease
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
IS_PRERELEASE=$(gh release view ${{ steps.get_version.outputs.tag }} --json isPrerelease --jq '.isPrerelease')
echo "is_prerelease=$IS_PRERELEASE" >> $GITHUB_OUTPUT
echo "Release ${{ steps.get_version.outputs.tag }} is pre-release: $IS_PRERELEASE"
create-binaries: create-binaries:
needs: set-version needs: set-version
uses: ./.github/workflows/create-artifact.yml uses: ./.github/workflows/create-artifact.yml
with: with:
version: ${{ needs.set-version.outputs.version }} version: ${{ needs.set-version.outputs.version }}
build: publish-binaries:
name: Publish to GitHub release
needs: [set-version, create-binaries] needs: [set-version, create-binaries]
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -35,37 +50,6 @@ jobs:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: "lts/*"
registry-url: "https://registry.npmjs.org/"
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Setup safe-chain
run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
- name: Set the version in safe-chain package
run: npm --no-git-tag-version version ${{ needs.set-version.outputs.version }} --workspace=packages/safe-chain
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test
- name: Copy documentation files to package
run: |
cp README.md packages/safe-chain/
cp LICENSE packages/safe-chain/
cp -r docs packages/safe-chain/
- name: Publish to npm
run: |
echo "Publishing version ${{ needs.set-version.outputs.version }} to NPM"
npm publish --workspace=packages/safe-chain --access public --provenance
- name: Download all binary artifacts - name: Download all binary artifacts
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
with: with:
@ -107,3 +91,44 @@ jobs:
release-artifacts/install-safe-chain.ps1 \ release-artifacts/install-safe-chain.ps1 \
release-artifacts/uninstall-safe-chain.sh \ release-artifacts/uninstall-safe-chain.sh \
release-artifacts/uninstall-safe-chain.ps1 release-artifacts/uninstall-safe-chain.ps1
publish-npm:
name: Publish to npm
needs: [set-version, create-binaries]
if: needs.set-version.outputs.is_prerelease != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: "lts/*"
registry-url: "https://registry.npmjs.org/"
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
- name: Setup safe-chain
run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
- name: Set the version in safe-chain package
run: npm --no-git-tag-version version ${{ needs.set-version.outputs.version }} --workspace=packages/safe-chain
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test
- name: Copy documentation files to package
run: |
cp README.md packages/safe-chain/
cp LICENSE packages/safe-chain/
cp -r docs packages/safe-chain/
- name: Publish to npm
run: |
echo "Publishing version ${{ needs.set-version.outputs.version }} to NPM"
npm publish --workspace=packages/safe-chain --access public --provenance
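Review bot: The new check_prerelease step interpolates `${{ steps.get_version.outputs.tag }}` directly into the shell `run:` body (twice), which is the expression-injection pattern GitHub's workflow-hardening guidance warns about; the tag value originates from `github.ref_name`, so whoever can create a tag controls that text. Pass it through the environment instead: add `TAG: ${{ steps.get_version.outputs.tag }}` under the step's `env:` and use `gh release view "$TAG" --json isPrerelease --jq '.isPrerelease'` and `echo "Release $TAG is pre-release: $IS_PRERELEASE"`. The publish-npm gate `if: needs.set-version.outputs.is_prerelease != 'true'` also fails open, since an empty or unexpected output still publishes to npm; comparing `== 'false'` makes it fail closed. Quoting `"$GITHUB_OUTPUT"` in the two echo redirects would additionally satisfy ShellCheck.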


@ -33,8 +33,6 @@ Aikido Safe Chain supports the following package managers:
Installing the Aikido Safe Chain is easy with our one-line installer. Installing the Aikido Safe Chain is easy with our one-line installer.
> ⚠️ **Already installed via npm?** See the [migration guide](https://github.com/AikidoSec/safe-chain/blob/main/docs/npm-to-binary-migration.md) to switch to the binary version.
### Unix/Linux/macOS ### Unix/Linux/macOS
```shell ```shell
@ -206,6 +204,7 @@ You can set the minimum package age through multiple sources (in order of priori
Configure Safe Chain to scan packages from custom or private registries. Configure Safe Chain to scan packages from custom or private registries.
Supported ecosystems: Supported ecosystems:
- Node.js - Node.js
- Python - Python
@ -348,5 +347,4 @@ pipeline {
} }
``` ```
After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection. After setup, all subsequent package manager commands in your CI pipeline will automatically be protected by Aikido Safe Chain's malware detection.


@ -159,6 +159,66 @@ remove_volta_installation() {
fi fi
} }
# Check and uninstall nvm-managed package if present across all Node versions
remove_nvm_installation() {
# This script is run in sh shell for greatest compatibility.
# Because nvm is usually setup in bash/zsh/fish startup scripts, we need to source it.
# Otherwise it won't be available in sh.
if [ -s "$HOME/.nvm/nvm.sh" ]; then
# Source nvm to make it available in this script
. "$HOME/.nvm/nvm.sh" >/dev/null 2>&1
elif [ -s "$NVM_DIR/nvm.sh" ]; then
. "$NVM_DIR/nvm.sh" >/dev/null 2>&1
fi
# Check if nvm is now available
if ! command_exists nvm; then
return
fi
nvm_versions=$(nvm list 2>/dev/null | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' || echo "")
if [ -z "$nvm_versions" ]; then
return
fi
# Track if we found any installations
found_installation=false
uninstall_failed=false
current_version=$(nvm current 2>/dev/null || echo "")
# Check each version for safe-chain installation
for version in $nvm_versions; do
# Check if this version has safe-chain installed
# Use nvm exec to run npm list in the context of that Node version
if nvm exec "$version" npm list -g @aikidosec/safe-chain >/dev/null 2>&1; then
if [ "$found_installation" = false ]; then
info "Detected nvm installation(s) of @aikidosec/safe-chain"
info "Uninstalling from all Node versions..."
found_installation=true
fi
info " Removing from Node $version..."
if nvm exec "$version" npm uninstall -g @aikidosec/safe-chain >/dev/null 2>&1; then
info " Successfully uninstalled from Node $version"
else
warn " Failed to uninstall from Node $version"
uninstall_failed=true
fi
fi
done
# Restore original Node version if it was set
if [ -n "$current_version" ] && [ "$current_version" != "none" ] && [ "$current_version" != "system" ]; then
nvm use "$current_version" >/dev/null 2>&1 || true
fi
# If any uninstall failed, error out instead of continuing
if [ "$uninstall_failed" = true ]; then
error "Failed to uninstall @aikidosec/safe-chain from all nvm Node versions. Please uninstall manually and try again."
fi
}
# Parse command-line arguments # Parse command-line arguments
parse_arguments() { parse_arguments() {
for arg in "$@"; do for arg in "$@"; do
@ -204,9 +264,10 @@ main() {
info "$INSTALL_MSG" info "$INSTALL_MSG"
# Check for existing safe-chain installation through npm or volta # Check for existing safe-chain installation through nvm, volta, or npm
remove_npm_installation remove_npm_installation
remove_volta_installation remove_volta_installation
remove_nvm_installation
# Detect platform # Detect platform
OS=$(detect_os) OS=$(detect_os)
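Review bot: remove_nvm_installation sources `$HOME/.nvm/nvm.sh` from a script whose header comment says it runs under `sh`; on Debian-family systems `sh` is dash, and I am not certain nvm.sh loads there rather than bailing out, in which case `command_exists nvm` is false and the function silently returns while an nvm-managed copy stays in place — worth verifying on such a system. The lookup also prefers `$HOME/.nvm` over `$NVM_DIR`, so a user with a custom `NVM_DIR` and a stale default directory gets the wrong one; checking the explicit setting first, `if [ -n "${NVM_DIR:-}" ] && [ -s "$NVM_DIR/nvm.sh" ]; then` ahead of the `$HOME` branch, respects the configuration. Silencing both streams of the source hides the reason when it fails; keeping stderr, or a debug-level log, would make the silent-return case diagnosable. The same function is added verbatim to the uninstall script in the next file section.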


@ -75,6 +75,68 @@ remove_volta_installation() {
fi fi
} }
# Check and uninstall nvm-managed package if present across all Node versions
remove_nvm_installation() {
# This script is run in sh shell for greatest compatibility.
# Because nvm is usually setup in bash/zsh/fish startup scripts, we need to source it.
# Otherwise it won't be available in sh.
if [ -s "$HOME/.nvm/nvm.sh" ]; then
# Source nvm to make it available in this script
. "$HOME/.nvm/nvm.sh" >/dev/null 2>&1
elif [ -s "$NVM_DIR/nvm.sh" ]; then
. "$NVM_DIR/nvm.sh" >/dev/null 2>&1
fi
# Check if nvm is now available
if ! command_exists nvm; then
return
fi
# Get list of installed Node versions
nvm_versions=$(nvm list 2>/dev/null | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' || echo "")
if [ -z "$nvm_versions" ]; then
return
fi
# Track if we found any installations
found_installation=false
uninstall_failed=false
current_version=$(nvm current 2>/dev/null || echo "")
# Check each version for safe-chain installation
for version in $nvm_versions; do
# Check if this version has safe-chain installed
# Use nvm exec to run npm list in the context of that Node version
if nvm exec "$version" npm list -g @aikidosec/safe-chain >/dev/null 2>&1; then
if [ "$found_installation" = false ]; then
info "Detected nvm installation(s) of @aikidosec/safe-chain"
info "Uninstalling from all Node versions..."
found_installation=true
fi
info " Removing from Node $version..."
if nvm exec "$version" npm uninstall -g @aikidosec/safe-chain >/dev/null 2>&1; then
info " Successfully uninstalled from Node $version"
else
warn " Failed to uninstall from Node $version"
uninstall_failed=true
fi
fi
done
# Restore original Node version if it was set
if [ -n "$current_version" ] && [ "$current_version" != "none" ] && [ "$current_version" != "system" ]; then
nvm use "$current_version" >/dev/null 2>&1 || true
fi
# Show warning if any uninstall failed (but don't error out during uninstall)
if [ "$uninstall_failed" = true ]; then
warn "Failed to uninstall @aikidosec/safe-chain from some nvm Node versions"
warn "You may need to manually run: nvm exec <version> npm uninstall -g @aikidosec/safe-chain"
fi
}
# Main uninstallation # Main uninstallation
main() { main() {
SAFE_CHAIN_LOCATION="$INSTALL_DIR/safe-chain" SAFE_CHAIN_LOCATION="$INSTALL_DIR/safe-chain"
@ -89,8 +151,10 @@ main() {
warn "safe-chain command not found. Proceeding with uninstallation." warn "safe-chain command not found. Proceeding with uninstallation."
fi fi
# Check for existing safe-chain installation through nvm, volta, or npm
remove_npm_installation remove_npm_installation
remove_volta_installation remove_volta_installation
remove_nvm_installation
# Remove install dir recursively if it exists # Remove install dir recursively if it exists
if [ -d "$INSTALL_DIR" ]; then if [ -d "$INSTALL_DIR" ]; then
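Review bot: `nvm list` prints alias lines such as `default -> ...` and `lts/* -> ...` that also match the version regex, so `nvm_versions` can hold duplicates and the loop probes, and on failure warns about, the same version more than once; `nvm ls --no-colors --no-alias` piped through `sort -u` yields one entry per installed version, e.g. `nvm_versions=$(nvm ls --no-colors --no-alias 2>/dev/null | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | sort -u || echo "")`. The "Restore original Node version" block looks unnecessary as far as I can tell, because `nvm exec` runs the command with that version in a subshell and does not change the caller's active version, so `current_version` never needs restoring; if it is kept deliberately, a comment stating why would help the next reader. Both points apply equally to the copy of this function in the install script in the previous file section.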