From 0d893efeebd37e7455f15bd137ff304f3849953e Mon Sep 17 00:00:00 2001
From: irubido
Date: Mon, 3 Nov 2025 15:01:47 +0100
Subject: [PATCH] check allowed origins CI
---
.../workflows/check-snap-allowed-origins.yml | 53 +++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 .github/workflows/check-snap-allowed-origins.yml
diff --git a/.github/workflows/check-snap-allowed-origins.yml b/.github/workflows/check-snap-allowed-origins.yml
new file mode 100644
index 0000000..226cdc1
--- /dev/null
+++ b/.github/workflows/check-snap-allowed-origins.yml
@@ -0,0 +1,53 @@
+name: Enforce Snap allowedOrigins
+
+on:
+ pull_request:
+ branches: [ main ]
+ paths:
+ - 'packages/snap/snap.manifest.json'
+ - '.github/workflows/check-snap-allowed-origins.yml'
+ push:
+ branches: [ main ]
+ paths:
+ - 'packages/snap/snap.manifest.json'
+
+jobs:
+ check-allowed-origins:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Verify allowedOrigins in snap.manifest.json
+ shell: bash
+ run: |
+ set -euo pipefail
+ FILE="packages/snap/snap.manifest.json"
+
+ if [ ! -f "$FILE" ]; then
+ echo "::error title=Missing file::$FILE not found"
+ exit 1
+ fi
+
+ if ! command -v jq >/dev/null 2>&1; then
+ echo "Installing jq..."
+ sudo apt-get update -y
+ sudo apt-get install -y jq
+ fi
+
+ expected='["https://webzjs.chainsafe.dev"]'
+ actual=$(jq -c '.initialPermissions["endowment:rpc"].allowedOrigins' "$FILE")
+
+ echo "allowedOrigins in manifest: $actual"
+
+ if [ "$actual" != "$expected" ]; then
+ echo "::error title=Invalid allowedOrigins::For merges to main, allowedOrigins must be $expected. Found: $actual"
+ if echo "$actual" | grep -qi "localhost"; then
+ echo "::error title=localhost detected::Remove any localhost origins from allowedOrigins."
+ fi
+ exit 1
+ fi
+
+ echo "allowedOrigins are valid."
+
+
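Review bot: The new workflow declares no `permissions:` block and references `actions/checkout@v4` by a mutable tag, so the job runs with the repository's default GITHUB_TOKEN scope and with whatever code that tag points to at run time. The job only reads one file, so a top-level `permissions:` mapping with `contents: read` is enough, and the checkout step can set `persist-credentials: false` so the token is not left in the workspace git config. Pin the action to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. Separately, the `push` trigger on main only reports a bad `allowedOrigins` after it has already landed; the check prevents anything only if the pull-request run is a required status check in branch protection, which is not visible from this patch.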