Merge pull request #1175 from PrivateBin/slsa-release

release workflow for SLSA & changelog
This commit is contained in:
El RIDO 2023-09-22 05:24:04 +02:00 committed by GitHub
commit 7518ea74c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 377 additions and 293 deletions

50
.github/workflows/release.yml vendored Normal file
View File

@ -0,0 +1,50 @@
name: Draft Release
on:
push:
tags: '[0-9]+.[0-9]?[0-9]?[0-9]?.?[0-9]+'
jobs:
draft:
runs-on: ubuntu-latest
steps:
- name: Fetch changelog from tag
uses: actions/checkout@v3
with:
sparse-checkout: CHANGELOG.md
sparse-checkout-cone-mode: false
- name: Extract latest changelog entry and attach it to draft
uses: taiki-e/create-gh-release-action@v1
with:
changelog: CHANGELOG.md
draft: true
token: ${{ secrets.GITHUB_TOKEN }}
release:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Collect artifacts
run: |
wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz
wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.zip
- name: Generate hashes
shell: bash
id: hash
run: echo "hashes=$(sha256sum ${GITHUB_REF_NAME} | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs:
- release
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
with:
base64-subjects: "${{ needs.release.outputs.hashes }}"
draft-release: true
upload-assets: true

View File

@ -1,23 +1,27 @@
# PrivateBin version history
* **1.6.1 (not yet released)**
## 1.6.1 (not yet released)
* ADDED: Right-To-Left (RTL) support for Arabic & Hebrew (#1174)
* **1.6.0 (2023-09-11)**
## 1.6.0 (2023-09-11)
* ADDED: Translations for Japanese & Arabic
* ADDED: Configuration option to disable Email button (#1164)
* CHANGED: Minimum required PHP version is 7.3, due to upgrading PHPunit (#707)
* CHANGED: Removed PHP 5 polyfill for random_bytes()
* **1.5.2 (2023-07-09)**
## 1.5.2 (2023-07-09)
* ADDED: Allow AWS SDK to use default credential provider chain for S3Storage (#1070)
* CHANGED: Upgrading libraries to: DOMpurify 3.0.4 & jQuery 3.7.0
* FIXED: Addressed PHP 8.2 deprecation warnings (#1092)
* FIXED: Expose types JSON-LD incl. configured expiration dates (#1045)
* **1.5.1 (2022-12-24)**
## 1.5.1 (2022-12-24)
* ADDED: script for administrative tasks: deleting pastes (#274), removing empty directories (#277), purging expired pastes (#276) & statistics (#319)
* FIXED: Revert Filesystem purge to limited and randomized lookup (#1030)
* FIXED: Catch JSON decode errors when invalid data gets sent to the API (#1030)
* FIXED: Support sorting v1 format in mixed version comments in Filesystem backend (#1030)
* **1.5 (2022-12-11)**
## 1.5 (2022-12-11)
* ADDED: script for data storage backend migrations (#1012)
* ADDED: Translations for Turkish, Slovak, Greek and Thai
* ADDED: S3 Storage backend (#994)
@ -27,7 +31,8 @@
* FIXED: Revert to CREATE INDEX without IF NOT EXISTS clauses, to support MySQL (#943)
* FIXED: Apply table prefix to indexes as well, to support multiple instances sharing a single database (#943)
* FIXED: YOURLS integration via new proxy, storing signature in configuration (#725)
* **1.4 (2022-04-09)**
## 1.4 (2022-04-09)
* ADDED: Translations for Corsican, Estonian, Finnish and Lojban
* ADDED: new HTTP headers improving security (#765)
* ADDED: Download button for paste text (#774)
@ -45,7 +50,8 @@
* CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (#419)
* CHANGED: Drop support for attachment download in IE
* FIXED: Error when attachments are disabled, but paste with attachment gets displayed
* **1.3.5 (2021-04-05)**
## 1.3.5 (2021-04-05)
* ADDED: Translations for Hebrew, Lithuanian, Indonesian and Catalan
* ADDED: Make the project info configurable (#681)
* CHANGED: Upgrading libraries to: DOMpurify 2.2.7, kjua 0.9.0 & random_compat 2.0.18
@ -64,32 +70,38 @@
* FIXED: Improve OpenGraph attributes (#651)
* FIXED: Reset to configured burn-after-reading, discussion and expiration settings (#682)
* FIXED: Italic segment of project information (#756)
* **1.3.4 (2020-03-22)**
## 1.3.4 (2020-03-22)
* CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use php's native hash_equals()
* CHANGED: Upgrading libraries to: identicon 2.0.0
* FIXED: Support custom expiration options in email function (#586)
* FIXED: Regression with encoding of HTML entities (#588)
* FIXED: Unable to paste password on paste with attachment (#565 & #595)
* **1.3.3 (2020-02-16)**
## 1.3.3 (2020-02-16)
* CHANGED: Upgrading libraries to: DOMpurify 2.0.8
* CHANGED: Several translations got updated with missing messages
* CHANGED: Introduce HTML entity encoding on server side (#581)
* FIXED: HTML entity double encoding issues introduced in 1.3.2 (#560)
* **1.2.3 (2020-02-16)**
## 1.2.3 (2020-02-16)
* CHANGED: Upgrading libraries to: DOMpurify 2.0.8
* CHANGED: Introduce HTML entity encoding on server side (#581)
* FIXED: HTML entity double encoding issues introduced in 1.3.2 (#560)
* **1.3.2 (2020-01-11)**
## 1.3.2 (2020-01-11)
* ADDED: Translation for Ukrainian (#533)
* ADDED: Option to send a mail with the link, when creating a paste (#398)
* ADDED: Add support for CONFIG_PATH environment variable (#552)
* CHANGED: Upgrading libraries to: base-x 3.0.7, DOMpurify 2.0.7 & Showdown 1.9.1
* FIXED: HTML injection via unescaped attachment filename (#554)
* FIXED: Password disabling option (#527)
* **1.2.2 (2020-01-11)**
## 1.2.2 (2020-01-11)
* CHANGED: Upgrading libraries to: bootstrap 3.4.1 (CSS), DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
* FIXED: HTML injection via unescaped attachment filename (#554)
* **1.3.1 (2019-09-22)**
## 1.3.1 (2019-09-22)
* ADDED: Translation for Bulgarian (#455)
* CHANGED: Improved mobile UI - obscured send button and hard to click shortener button (#477)
* CHANGED: Enhanced URL shortener integration (#479)
@ -105,7 +117,8 @@
* FIXED: Showdown.js error when posting svg qrcode (#485)
* FIXED: Failed to handle the case where user cancelled attachment selection properly (#487)
* FIXED: Displaying the appropriate errors in older browsers (#508)
* **1.3 (2019-07-09)**
## 1.3 (2019-07-09)
* ADDED: Translation for Czech (#424)
* ADDED: Threat modeled the application (#177)
* ADDED: Made compression configurable (#38)
@ -124,14 +137,16 @@
* FIXED: Properly escaped HTML in raw text mode (#358)
* FIXED: Made download links better readable in the dark bootstrap theme (#364)
* FIXED: Allow Letsencrypt bot to access on apache servers (#413)
* **1.2.1 (2018-08-11)**
## 1.2.1 (2018-08-11)
* ADDED: Add support for mega.nz links in pastes and comments (#331)
* CHANGED: Added some missing Russian translations (#348)
* CHANGED: Minor PHP refactoring: Rename PrivateBin class to Controller, improved logic of some persistence classes (#342)
* CHANGED: Upgrading DOMpurify library to 1.0.7
* FIXED: Ensure legacy browsers without webcrypto support can't create paste keys with insufficient entropy (#346)
* FIXED: Re-add support for old browsers (Firefox<21, Chrome<31, Safari<7, IE<11), broken in 1.2, will be removed again in 1.3
* **1.2 (2018-07-22)**
## 1.2 (2018-07-22)
* ADDED: Translations for Spanish, Occitan, Norwegian, Portuguese, Dutch and Hungarian
* ADDED: Option in configuration to change the default "PrivateBin" title of the site
* ADDED: Added display of video, audio & PDF, drag & drop, preview of attachments (#182)
@ -145,9 +160,11 @@
* CHANGED: Upgrading libraries to: SJCL 1.0.7, jQuery 3.3.1, Base64 2.4.5, Showdown 1.8.6, DOMpurify 1.0.5 & Prettify 453bd5f
* CHANGED: Refactored JavaScript code, making it modular with private and public functions, making it much easier to maintain (#178)
* FIXED: To counteract regressions introduced by the refactoring, we finally introduced property based unit testing for the JavaScript code, this caught several regressions, but also some very old bugs not found so far (#32)
* **1.1.1 (2017-10-06)**
## 1.1.1 (2017-10-06)
* CHANGED: Switched to `.php` file extension for configuration file, to avoid leaking configuration data in unprotected installation.
* **1.1 (2016-12-26)**
## 1.1 (2016-12-26)
* ADDED: Translations for Italian and Russian
* ADDED: Loading message displayed until decryption succeeded for slower (in terms of CPU or network) systems
* ADDED: Dockerfile for docker container creation
@ -156,7 +173,8 @@
* CHANGED: Updated random_compat and jQuery libraries
* FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (#137)
* FIXED: Automatic purging deleting non-expiring pastes, when using database store (#149)
* **1.0 (2016-08-25)**
## 1.0 (2016-08-25)
* ADDED: Translations for Slowene and Chinese
* ADDED: re-introduced (optional) URL shortener support, which was removed back in version 0.16 for privacy concerns
* ADDED: Preview tab, helpful for writing markdown code or check the source code rendering
@ -184,7 +202,8 @@
* FIXED: Raw text now displays original markdown instead of rendered HTML
* FIXED: Removed unused code detected with the help of various code review tools
* FIXED: Table format for PostgreSQL, making it possible to use PostgreSQL as backend in addition to MySQL, SQLite and flat files
* **0.22 (2015-11-09)**:
## 0.22 (2015-11-09):
* ADDED: Tab character input support
* ADDED: Dark bootstrap theme
* ADDED: Option to hide clone button on expiring pastes
@ -199,12 +218,14 @@
* CHANGED: Switching to JSON-based REST-API
* CHANGED: Database structure to store attachments, allowing larger attachments to be stored (depending on maximum BLOB size of database backend)
* CHANGED: Refactored data model, traffic limiting & request handling
* **0.21.1 (2015-09-21)**:
## 0.21.1 (2015-09-21):
* FIXING: lost meta data when using DB model instead of flat files
* FIXING: mobile navbar getting triggered on load
* CHANGED: database table "paste" gets automatically extended with a "meta" column
* CHANGED: navbar of "bootstrap" template now spans full width of view port on large screens
* **0.21 (2015-09-19)**:
## 0.21 (2015-09-19):
* ADDED: Translations for German, French and Polish, language selection menu (optional)
* ADDED: File upload and image display support (optional)
* ADDED: Markdown format support
@ -221,7 +242,8 @@ encryption), i18n (translation, counterpart of i18n.php) and helper (stateless u
* [Directory of public PrivateBin servers](https://github.com/PrivateBin/PrivateBin/wiki/PrivateBin-Directory)
* [Translation](https://github.com/PrivateBin/PrivateBin/wiki/Translation)
* [Templates](https://github.com/PrivateBin/PrivateBin/wiki/Templates)
* **0.20 (2015-09-03)**:
## 0.20 (2015-09-03):
* ADDED: Password protected pastes (optional)
* ADDED: configuration options for highlighting, password, discussions, expiration times, rate limiting
* ADDED: JSON-only retrieval of paste incl. discussion, used to be able to refresh paste when posting a comment
@ -231,10 +253,12 @@ encryption), i18n (translation, counterpart of i18n.php) and helper (stateless u
* FIXING: Behaviour of several conflicting configuration options. As a general measure unit tests for 9 of the options and all their possible configurations were added via a unit test generator.
* updated JS libraries: jquery to 1.11.3, sjcl to 1.0.2, base64.js to 2.1.9, deflate to 0.5, inflate to 0.3 and prettify to latest
* generally improved documentation, both inline phpdoc / JSdoc source code documentation, as well as Wiki pages on installation, configuration, development and JSON-API
* **Alpha 0.19 (2013-07-05)**:
## Alpha 0.19 (2013-07-05):
* Corrected XSS security flaw which affected IE<10. Other browsers were not affected.
* Corrected spacing display in IE<10.
* **Alpha 0.18 (2013-02-24)**:
## Alpha 0.18 (2013-02-24):
* ADDED: The resulting URL is automatically selected after pressing "Send". You just have to press CTRL+C.
* ADDED: Automatic syntax highlighting for 53 languages using highlight.js
* ADDED: "5 minutes" and "1 week" expirations.
@ -247,41 +271,51 @@ encryption), i18n (translation, counterpart of i18n.php) and helper (stateless u
* ADDED: Better json checking (including entropy).
* ADDED: Added version to js/css assets URLs in order to prevent some abusive caches to serve an obsolete version of these files when ZeroBin is upgraded.
* "Burn after reading" option has been moved out of Expiration combo to a separate checkbox. Reason is: You can prevent a read-once paste to be available ad vitam eternam on the net.
* **Alpha 0.17 (2013-02-23)**:
## Alpha 0.17 (2013-02-23):
* ADDED: Deletion URL.
* small refactoring.
* improved regex checks.
* larger server alt on installation.
* **Alpha 0.16**:
## Alpha 0.16:
* FIXED minor php warnings.
* FIXED: zerobin.js reformated and properly commented.
* FIXED: Directory structure re-organized.
* CHANGED: URL shortening button was removed. (It was bad for privacy.)
* **Alpha 0.15 (2012-04-20):**
## Alpha 0.15 (2012-04-20):
* FIXED: 2 minor corrections to avoid notices in php log.
* FIXED: Sources converted to UTF-8.
* **Alpha 0.14 (2012-04-20):**
## Alpha 0.14 (2012-04-20):
* ADDED: GD presence is checked.
* CHANGED: Traffic limiter data files moved to data/ (→easier rights management)
* ADDED: "Burn after reading" implemented. Opening the URL will display the paste and immediately destroy it on server.
* **Alpha 0.13 (2012-04-18):**
## Alpha 0.13 (2012-04-18):
* FIXED: ''imageantialias()'' call removed because it's not really usefull and can be a problem on most hosts (if GD is not compiled in php).
* FIXED: $error not properly initialized in index.php
* **Alpha 0.12 (2012-04-18):**
* **DISCUSSIONS !** Now you can enable discussions on your pastes. Of course, posted comments and nickname are also encrypted and the server cannot see them.
## Alpha 0.12 (2012-04-18):
## DISCUSSIONS ! Now you can enable discussions on your pastes. Of course, posted comments and nickname are also encrypted and the server cannot see them.
* This feature implies a change in storage format. You will have to delete all previous pastes in your ZeroBin.
* Added [[php:vizhash_gd|Vizhash]] as avatars, so you can match posters IP addresses without revealing them. (Same image = same IP). Of course the IP address cannot be deduced from the Vizhash.
* Remaining time before expiration is now displayed.
* Explicit tags were added to CSS and jQuery selectors (eg. div#aaa instead of #aaa) to speed up browser.
* Better cleaning of the URL (to make sure the key is not broken by some stupid redirection service)
* **Alpha 0.11 (2012-04-12):**
## Alpha 0.11 (2012-04-12):
* Automatically ignore parameters (such as &utm_source=...) added //after// the anchor by some stupid Web 2.0 services.
* First public release.
* **Alpha 0.10 (2012-04-12):**
* IE9 does not seem to correctly support ''pre-wrap'' either. Special handling mode activated for all version of IE<10. (Note: **ALL other browsers** correctly support this feature.)
* **Alpha 0.9 (2012-04-11):**
## Alpha 0.10 (2012-04-12):
* IE9 does not seem to correctly support ''pre-wrap'' either. Special handling mode activated for all version of IE<10. (Note: ALL other browsers correctly support this feature.)
## Alpha 0.9 (2012-04-11):
* Oh bummer... IE 8 is as shitty as IE6/7: Its does not seem to support ''white-space:pre-wrap'' correctly. I had to activate the special handling mode. I still have to test IE 9.
* **Alpha 0.8 (2012-04-11):**
## Alpha 0.8 (2012-04-11):
* Source code not published yet.
* Interface completely redesigned. Icons added.
* Now properly supports IE6/7 (ugly display, but it works. "Clone" button is disabled though.)