kgod/sub2api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 8 Wiki Activity

fix: add binary release assets to CI and update download allowlist

Browse Source 
- Build linux_amd64 binary in CI and upload to Gitea release assets
- Add checksums.txt for integrity verification
- Update allowed download hosts to Gitea domain/IP
This commit is contained in:
kone
2026-06-09 01:13:48 +08:00
parent 0984773711
commit d702f74582
2 changed files with 33 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/release-image.yml
+30 -2
View File
@@ -81,6 +81,18 @@ jobs:
docker push "$IMAGE_NAME:$VERSION" docker push "$IMAGE_NAME:$VERSION"
docker push "$IMAGE_NAME:latest" docker push "$IMAGE_NAME:latest"
- name: Build binary
run: |
set -eu
cd backend
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
-ldflags "-s -w -X main.Version=${VERSION} -X main.Commit=${COMMIT} -X main.BuildDate=${BUILD_DATE}" \
-o /tmp/sub2api \
./cmd/server
cd /tmp
tar -czf "sub2api_linux_amd64.tar.gz" sub2api
sha256sum "sub2api_linux_amd64.tar.gz" > checksums.txt
- name: Create Gitea release - name: Create Gitea release
env: env:
RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
@@ -88,9 +100,25 @@ jobs:
set -eu set -eu
BODY="Docker image: ${IMAGE_NAME}:${VERSION}" BODY="Docker image: ${IMAGE_NAME}:${VERSION}"
PAYLOAD=$(printf '{"tag_name":"%s","target_commitish":"%s","name":"Sub2API %s","body":"%s","draft":false,"prerelease":false}' "$TAG" "$(git rev-parse HEAD)" "$VERSION" "$BODY") PAYLOAD=$(printf '{"tag_name":"%s","target_commitish":"%s","name":"Sub2API %s","body":"%s","draft":false,"prerelease":false}' "$TAG" "$(git rev-parse HEAD)" "$VERSION" "$BODY")
curl -fsS \ RELEASE_ID=$(curl -fsS \
-X POST \ -X POST \
-H "Authorization: token ${RELEASE_TOKEN}" \ -H "Authorization: token ${RELEASE_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "$PAYLOAD" \ -d "$PAYLOAD" \
"$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases" || true "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases" | grep -o '"id":[0-9]*' | head -1 | grep -o '[0-9]*')
# Upload binary archive
curl -fsS \
-X POST \
-H "Authorization: token ${RELEASE_TOKEN}" \
-H "Content-Type: application/octet-stream" \
--data-binary @/tmp/sub2api_linux_amd64.tar.gz \
"$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases/${RELEASE_ID}/assets?name=sub2api_linux_amd64.tar.gz"
# Upload checksums
curl -fsS \
-X POST \
-H "Authorization: token ${RELEASE_TOKEN}" \
-H "Content-Type: text/plain" \
--data-binary @/tmp/checksums.txt \
"$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases/${RELEASE_ID}/assets?name=checksums.txt"
backend/internal/service/update_service.go
+3 -3
View File
@@ -22,11 +22,11 @@ import (
const ( const (
updateCacheKey = "update_check_cache" updateCacheKey = "update_check_cache"
updateCacheTTL = 1200 // 20 minutes updateCacheTTL = 1200 // 20 minutes
defaultGitHubRepo = "man209111-cpu/sub2api" defaultGitHubRepo = "kgod/sub2api"
// Security: allowed download domains for updates // Security: allowed download domains for updates
allowedDownloadHost = "github.com" allowedDownloadHost = "git.jianshixingqiu.com"
allowedAssetHost = "objects.githubusercontent.com" allowedAssetHost = "8.138.12.104"
// Security: max download size (500MB) // Security: max download size (500MB)
maxDownloadSize = 500 * 1024 * 1024 maxDownloadSize = 500 * 1024 * 1024