MokoConsulting/MokoCLI
Public Access
1
0
Fork 0
Code Issues 3 Pull Requests Packages Releases 8 Wiki Activity

Compare commits

merge into: MokoConsulting/MokoCLI:feature/321-version-bump-scripts-perpetuate-duplicat
Branches Tags
MokoConsulting/MokoCLI:main MokoConsulting/MokoCLI:dev MokoConsulting/MokoCLI:version/09.41.00 MokoConsulting/MokoCLI:version/09.40.00 MokoConsulting/MokoCLI:version/09.39.00 MokoConsulting/MokoCLI:feature/321-version-bump-scripts-perpetuate-duplicat MokoConsulting/MokoCLI:feature/304-release-publish MokoConsulting/MokoCLI:version/09.38.00 MokoConsulting/MokoCLI:fix/namespace-cleanup MokoConsulting/MokoCLI:rc
MokoConsulting/MokoCLI:stable MokoConsulting/MokoCLI:v09.41.00 MokoConsulting/MokoCLI:v09.40.00 MokoConsulting/MokoCLI:v09.39.00 MokoConsulting/MokoCLI:v09.38.00 MokoConsulting/MokoCLI:development MokoConsulting/MokoCLI:release-candidate MokoConsulting/MokoCLI:beta MokoConsulting/MokoCLI:alpha MokoConsulting/MokoCLI:v09 MokoConsulting/MokoCLI:v08 MokoConsulting/MokoCLI:v07
...
pull from: MokoConsulting/MokoCLI:dev
Branches Tags
MokoConsulting/MokoCLI:main MokoConsulting/MokoCLI:dev MokoConsulting/MokoCLI:version/09.41.00 MokoConsulting/MokoCLI:version/09.40.00 MokoConsulting/MokoCLI:version/09.39.00 MokoConsulting/MokoCLI:feature/321-version-bump-scripts-perpetuate-duplicat MokoConsulting/MokoCLI:feature/304-release-publish MokoConsulting/MokoCLI:version/09.38.00 MokoConsulting/MokoCLI:fix/namespace-cleanup MokoConsulting/MokoCLI:rc
MokoConsulting/MokoCLI:stable MokoConsulting/MokoCLI:v09.41.00 MokoConsulting/MokoCLI:v09.40.00 MokoConsulting/MokoCLI:v09.39.00 MokoConsulting/MokoCLI:v09.38.00 MokoConsulting/MokoCLI:development MokoConsulting/MokoCLI:release-candidate MokoConsulting/MokoCLI:beta MokoConsulting/MokoCLI:alpha MokoConsulting/MokoCLI:v09 MokoConsulting/MokoCLI:v08 MokoConsulting/MokoCLI:v07

3 Commits
feature/321-version-bump-scripts-perpetuate-duplicat ... dev

Author SHA1 Message Date
jmiller 282a56258c Merge pull request 'fix(security): prevent script injection in rc-revert workflow' (#324) from feature/harden-rc-revert-injection into dev
Universal: Auto Version Bump / Version Bump (push) Has been skipped
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 13s
Details
Platform: mokocli CI / Gate 1: Code Quality (push) Failing after 55s
Details
Platform: mokocli CI / Gate 2: Unit Tests (8.1) (push) Has been cancelled
Details
Platform: mokocli CI / Gate 2: Unit Tests (8.2) (push) Has been cancelled
Details
Platform: mokocli CI / Gate 2: Unit Tests (8.3) (push) Has been cancelled
Details
Platform: mokocli CI / Gate 3: Self-Health Check (push) Has been cancelled
Details
Platform: mokocli CI / Gate 4: Governance (push) Has been cancelled
Details
Platform: mokocli CI / Gate 5: Template Integrity (push) Has been cancelled
Details
Platform: mokocli CI / CI Summary (push) Has been cancelled
Details
2026-06-27 02:32:26 +00:00
gitea-actions[bot] 3972b91169 chore(version): auto-bump patch 09.38.05-dev [skip ci]
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Details
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Details
2026-06-27 02:30:54 +00:00
jmiller 5885797728 fix(security): prevent shell/PHP script injection in rc-revert workflow
Universal: Auto Version Bump / Version Bump (push) Successful in 8s
Details 
The PR head branch ref is attacker-controlled and was substituted via
${{ }} directly into the shell run block (and interpolated into php -r),
allowing command injection with secrets.MOKOGITEA_TOKEN in scope.

- Pass untrusted values through env (BRANCH/REPO/GITEA_URL/TOKEN), not
  ${{ }} template substitution into shell source
- Strict allowlist ^rc/[A-Za-z0-9._/-]+$ before any use
- PHP reads BRANCH via getenv() instead of string interpolation
 2026-06-27 02:30:43 +00:00
39 changed files with 57 additions and 52 deletions
Expand all files Collapse all files
.mokogitea/workflows/issue-branch.yml
+1 -1
View File
@@ -5,7 +5,7 @@
# FILE INFORMATION
# DEFGROUP: Gitea.Workflow
# INGROUP: mokocli.Automation
# VERSION: 09.38.04
# VERSION: 09.38.05
# BRIEF: Auto-create feature branch when an issue is opened
name: "Universal: Issue Branch"
.mokogitea/workflows/rc-revert.yml
+18 -13
View File
@@ -29,12 +29,20 @@ jobs:
steps:
- name: Rename branch
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
REPO: ${{ github.repository }}
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
run: |
BRANCH="${{ github.event.pull_request.head.ref }}"
set -euo pipefail
# BRANCH is attacker-controlled (PR head ref). Strict allowlist before ANY use.
if ! printf '%s' "$BRANCH" | grep -Eq '^rc/[A-Za-z0-9._/-]+$'; then
echo "::error::Refusing unsafe branch name: $BRANCH"; exit 1
fi
SUFFIX="${BRANCH#rc/}"
DEV_BRANCH="dev/${SUFFIX}"
API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
API="${GITEA_URL}/api/v1/repos/${REPO}/branches"
# Create dev/ branch from rc/ branch
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
@@ -42,25 +50,22 @@ jobs:
-H "Content-Type: application/json" \
-d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
"${API}" 2>/dev/null || true)
if [ "$STATUS" = "201" ]; then
echo "Created branch: ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
echo "Created branch: ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
else
echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"
exit 1
echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"; exit 1
fi
# Delete rc/ branch
ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
# Read BRANCH from the environment inside PHP (getenv, no string interpolation -> no PHP injection)
ENCODED=$(php -r 'echo rawurlencode(getenv("BRANCH"));')
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
-H "Authorization: token ${TOKEN}" \
"${API}/${ENCODED}" 2>/dev/null || true)
if [ "$STATUS" = "204" ]; then
echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
echo "Deleted branch: ${BRANCH}" >> "$GITHUB_STEP_SUMMARY"
else
echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
fi
echo "### RC Reverted" >> $GITHUB_STEP_SUMMARY
echo "${BRANCH} → ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
echo "### RC Reverted" >> "$GITHUB_STEP_SUMMARY"
echo "${BRANCH} → ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
README.md
+1 -1
View File
@@ -6,7 +6,7 @@ DEFGROUP: MokoPlatform.Root
INGROUP: MokoPlatform
REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
PATH: /README.md
VERSION: 09.38.04
VERSION: 09.38.05
BRIEF: Project overview and documentation
-->
automation/update_dependencies.php
+1 -1
View File
@@ -13,7 +13,7 @@
* INGROUP: MokoPlatform.Scripts
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /automation/update_dependencies.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Cross-repo dependency update automation — scan, update, PR, auto-merge
*/
cli/branch_rename.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/branch_rename.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Rename a git branch via Gitea API (create new, update PR, delete old)
*/
cli/bulk_workflow_push.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/bulk_workflow_push.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Push a workflow file to all governed repos via the Gitea Contents API
*/
cli/bulk_workflow_trigger.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/bulk_workflow_trigger.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Trigger a workflow across multiple repos at once
*/
cli/client_dashboard.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/client_dashboard.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Generate unified client dashboard HTML
*/
cli/client_inventory.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/client_inventory.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Discover and list all client-waas repos with their server configuration status
*/
cli/client_provision.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/client_provision.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Provision a new client environment end-to-end
*/
cli/grafana_dashboard.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/grafana_dashboard.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Manage Grafana dashboards via API
*/
cli/joomla_build.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/joomla_build.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Build a Joomla extension ZIP from manifest — all types supported
* NOTE: Called by pre-release and auto-release workflows.
*/
cli/joomla_metadata_validate.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/joomla_metadata_validate.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Validate MokoGitea repo metadata against Joomla extension manifest XML
*/
cli/manifest_detect.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/manifest_detect.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Auto-detect manifest fields from source files and optionally push to API
*/
cli/manifest_integrity.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/manifest_integrity.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Cross-check manifest API fields against repo contents across the org
*/
cli/manifest_licensing.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/manifest_licensing.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Ensure licensing tags (updateservers, dlid) in Joomla extension manifests
*/
cli/manifest_read.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/manifest_read.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Read repo metadata from Gitea manifest API, auto-detect the rest
*/
cli/platform_detect.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/platform_detect.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Auto-detect repository platform type and optionally update manifest
*/
cli/release_cascade.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/release_cascade.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Cascade release zip to all lower stability channels
*/
cli/release_publish.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/release_publish.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Publish a release and create copies for all lesser stability streams.
*/
cli/scaffold_client.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/scaffold_client.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Scaffold a new client-waas repo from Template-Client-WaaS with pre-configured settings
*/
cli/updates_xml_sync.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/updates_xml_sync.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Sync updates.xml to target branches via Gitea API
* NOTE: Called by pre-release and auto-release workflows after updates.xml
* is modified on the current branch. Pushes the file to other branches
cli/version_auto_bump.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/version_auto_bump.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Auto patch-bump, set stability suffix, and commit — single CLI replacing inline workflow bash
*/
cli/version_bump.php
+1 -1
View File
@@ -368,7 +368,7 @@ class VersionBumpCli extends CliFramework
/**
* Scan git release tags for the highest version across all channels.
*
* Checks release names like "MokoSuiteClient (VERSION: 09.38.04)" in
* Checks release names like "MokoSuiteClient (VERSION: 09.38.05)" in
* git tags (stable, release-candidate, development, etc.) to find the
* highest version that has been released on any channel.
*/
cli/version_check.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/version_check.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Validate version consistency across README, manifests, and sub-packages
*/
cli/wiki_sync.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/wiki_sync.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Sync select wiki pages from mokocli to all template repos
*/
cli/workflow_sync.php
+1 -1
View File
@@ -10,7 +10,7 @@
* INGROUP: mokocli
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /cli/workflow_sync.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Sync workflows from Generic → platform templates → live repos based on manifest.platform
*/
deploy/backup-before-deploy.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: MokoPlatform
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /deploy/backup-before-deploy.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Snapshot Joomla directories before deployment for rollback capability
*/
deploy/deploy-dolibarr.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: MokoPlatform
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /deploy/deploy-dolibarr.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Deploy Dolibarr module files to a remote server via SFTP/rsync
*/
deploy/health-check.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: MokoPlatform
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /deploy/health-check.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Post-deploy health check — verify a Joomla site is responding correctly
*/
deploy/rollback-joomla.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: MokoPlatform
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /deploy/rollback-joomla.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Rollback a Joomla deployment by restoring from a pre-deploy snapshot
*/
deploy/sync-joomla.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: MokoPlatform
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /deploy/sync-joomla.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Sync Joomla site directories between two servers via rsync over SSH
*/
mcp/servers/mokocrm_api/CONTRIBUTING.md
+1 -1
View File
@@ -14,7 +14,7 @@
DEFGROUP: dolibarr-api-mcp.Documentation
INGROUP: dolibarr-api-mcp
REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
VERSION: 09.38.04
VERSION: 09.38.05
PATH: ./CONTRIBUTING.md
BRIEF: Contribution guidelines for the project
-->
mcp/servers/mokocrm_api/SECURITY.md
+1 -1
View File
@@ -10,7 +10,7 @@ DEFGROUP: dolibarr-api-mcp.Documentation
INGROUP: dolibarr-api-mcp
REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
PATH: /SECURITY.md
VERSION: 09.38.04
VERSION: 09.38.05
BRIEF: Security vulnerability reporting and handling policy
-->
mcp/servers/mokosuite_api/CONTRIBUTING.md
+1 -1
View File
@@ -14,7 +14,7 @@
DEFGROUP:
INGROUP: Project.Documentation
REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCli-Template-Generic
VERSION: 09.38.04
VERSION: 09.38.05
PATH: ./CONTRIBUTING.md
BRIEF: Contribution guidelines for the project
-->
mcp/servers/mokosuite_api/SECURITY.md
+1 -1
View File
@@ -23,7 +23,7 @@ DEFGROUP: [PROJECT_NAME]
INGROUP: [PROJECT_NAME].Documentation
REPO: [REPOSITORY_URL]
PATH: /SECURITY.md
VERSION: 09.38.04
VERSION: 09.38.05
BRIEF: Security vulnerability reporting and handling policy
-->
tests/Unit/VersionBumpTest.php
+1 -1
View File
@@ -63,7 +63,7 @@ class VersionBumpTest extends TestCase
{
file_put_contents(
"{$this->tmpDir}/README.md",
"<!-- VERSION: 09.38.04 -->\nSome content\n"
"<!-- VERSION: 09.38.05 -->\nSome content\n"
);
$this->execute();
tests/Unit/VersionReadTest.php
+2 -2
View File
@@ -34,7 +34,7 @@ class VersionReadTest extends TestCase
{
file_put_contents(
"{$this->tmpDir}/README.md",
"# Test\n<!-- VERSION: 09.38.04 -->\n"
"# Test\n<!-- VERSION: 09.38.05 -->\n"
);
$this->assertSame('02.03.04', trim($this->runScript()));
@@ -68,7 +68,7 @@ class VersionReadTest extends TestCase
{
file_put_contents(
"{$this->tmpDir}/README.md",
"<!-- VERSION: 09.38.04 -->\n"
"<!-- VERSION: 09.38.05 -->\n"
);
mkdir("{$this->tmpDir}/src", 0755, true);
file_put_contents(
validate/check_file_integrity.php
+1 -1
View File
@@ -12,7 +12,7 @@
* INGROUP: MokoPlatform
* REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
* PATH: /validate/check_file_integrity.php
* VERSION: 09.38.04
* VERSION: 09.38.05
* BRIEF: Compare deployed files on a remote server against the local repository to detect drift
*/