From 0367d31403bfde192ab5c2dae0ca488717dc29f4 Mon Sep 17 00:00:00 2001
From: Ewout ter Hoeven
Date: Sun, 22 Nov 2020 07:22:53 +0100
Subject: [PATCH] CI: Fix CVE-2020-15228 in GitHub Actions (#6004)

* CI: Fix CVE-2020-15228 in GitHub Actions Fixes the CVE-2020-15228 security issue in GitHub Actions: > `add-path` and `set-env` Runner commands are processed via stdout set-env was used twice, which is now replaced by >> $GITHUB_ENV - Issue: https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w - Solution: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable)
* CI: Specify installing libsigc++ v2.x in GitHub Actions Version 3 of libsigc++ was automatically installed. This commit fixates the version brew installs to 2.x. Should fix #6002
* CI: Use v2 checkout and upload-artifact actions Also replaces macos-10.15 with macos-latest as runner. Currently is references the same environment (macOS 10.15), but this way it will update to macOS 11.0 when it's ready and stable.
---
 .github/workflows/main.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e483ace01..4fa09ee98 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,16 +14,16 @@ on:
 - created
 jobs:
 build:
- runs-on: macos-10.15
+ runs-on: macos-latest
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@v2
 - name: Install dependencies
 run: |
 date -u
 mkdir build
 date +%s > build/stamp
 brew uninstall --ignore-dependencies libtiff
- brew install libtiff gtk+3 gtkmm3 gtk-mac-integration adwaita-icon-theme libsigc++ little-cms2 libiptcdata fftw lensfun expat pkgconfig libomp shared-mime-info | tee -a depslog
+ brew install libtiff gtk+3 gtkmm3 gtk-mac-integration adwaita-icon-theme libsigc++@2 little-cms2 libiptcdata fftw lensfun expat pkgconfig libomp shared-mime-info | tee -a depslog
 date -u
 echo "----====Pourage====----"
 cat depslog | grep Pouring
@@ -82,11 +82,11 @@ jobs:
 echo "=== artifact: ${ARTIFACT}"
 # defining environment variables for next step as per
 # https://github.com/actions/starter-workflows/issues/68
- echo "::set-env name=ARTIFACT_PATH::${GITHUB_WORKSPACE}/build/${ARTIFACT}"
- echo "::set-env name=ARTIFACT_FILE::${ARTIFACT}"
+ echo "ARTIFACT_PATH=${GITHUB_WORKSPACE}/build/${ARTIFACT}" >> $GITHUB_ENV
+ echo "ARTIFACT_FILE=${ARTIFACT}" >> $GITHUB_ENV
 zsh -c 'echo "Bundled in $(printf "%0.2f" $(($[$(date +%s)-$(cat bundlestamp)]/$((60.))))) minutes"'
 exit
- - uses: actions/upload-artifact@v1
+ - uses: actions/upload-artifact@v2
 with:
 name: ${{env.ARTIFACT_FILE}}
 path: ${{env.ARTIFACT_PATH}}
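Review bot: `actions/checkout@v2` in the first hunk, and `actions/upload-artifact@v2` in the second, are referenced by a movable tag, so the code that runs in this job can change without any change to this file. Since the commit is a hardening fix, pinning each action to a full commit SHA with the tag kept as a trailing comment would close that gap, e.g. `- uses: actions/checkout@<full-commit-sha>  # v2`. checkout v2 also leaves the job token in the local git config by default; the steps between the two hunks are not visible here, but if none of them pushes, adding `persist-credentials: false` under a `with:` key avoids carrying the token through the dependency install and build steps. `runs-on: macos-latest` floats in the same way, which the commit message accepts deliberately, so the uploaded artifact will depend on whichever runner image is current at build time.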
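Review bot: The two new writes in the second hunk append to an unquoted `$GITHUB_ENV` and rely on `${ARTIFACT}` being a single line, because the environment file is read line by line and a newline inside the value would define additional variables for later steps. ARTIFACT is assigned above the hunk, so its origin is not visible here; if it is derived from a file name produced by the build, a check that rejects values containing a newline before these two lines would be worth adding. Quote the target in both lines, e.g. `echo "ARTIFACT_FILE=${ARTIFACT}" >> "$GITHUB_ENV"`. The comment above them still cites starter-workflows issue 68, which appears to date from the `set-env` approach, and would be clearer as `# export variables to later steps through the $GITHUB_ENV file`.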