From e2bd0f691c7e2da122129fb3294a85613c3c1a45 Mon Sep 17 00:00:00 2001 
From: imnotnoahhh <105060587+imnotnoahhh@users.noreply.github.com> Date: Mon, 20 Apr 2026 02:04:23 +0000 Subject: [PATCH] chore: update Mole CLI to 1.35.0 --- .mole-cli-version | 2 +- MoleUI.xcodeproj/project.pbxproj | 4 +- MoleUI/.mole-cli-version | 2 +- Resources/mole/.githooks/pre-commit | 96 +++ Resources/mole/.github/CODEOWNERS | 1 + .../mole/.github/ISSUE_TEMPLATE/bug_report.md | 2 + .../mole/.github/ISSUE_TEMPLATE/config.yml | 3 + Resources/mole/.github/dependabot.yml | 10 + .../mole/.github/pull_request_template.md | 18 + Resources/mole/.github/workflows/check.yml | 14 +- Resources/mole/.github/workflows/codeql.yml | 52 ++ Resources/mole/.github/workflows/release.yml | 92 ++- Resources/mole/.github/workflows/test.yml | 21 +- Resources/mole/.gitignore | 2 + Resources/mole/CONTRIBUTING.md | 3 + Resources/mole/CONTRIBUTORS.svg | 437 +++++++--- Resources/mole/README.md | 100 ++- Resources/mole/SECURITY.md | 76 ++ Resources/mole/SECURITY_AUDIT.md | 328 +++++--- Resources/mole/bin/analyze-go | Bin 6839442 -> 6989746 bytes Resources/mole/bin/check.sh | 12 +- Resources/mole/bin/clean.sh | 333 +++++--- Resources/mole/bin/completion.sh | 101 ++- Resources/mole/bin/installer.sh | 14 +- Resources/mole/bin/optimize.sh | 158 ++-- Resources/mole/bin/purge.sh | 68 +- Resources/mole/bin/status-go | Bin 7729314 -> 8028530 bytes Resources/mole/bin/touchid.sh | 4 +- Resources/mole/bin/uninstall.sh | 407 +++++++++- Resources/mole/cmd/analyze/analyze_test.go | 517 +++++++++++- Resources/mole/cmd/analyze/cache.go | 48 +- Resources/mole/cmd/analyze/cleanable.go | 2 + Resources/mole/cmd/analyze/constants.go | 16 +- Resources/mole/cmd/analyze/delete.go | 32 + Resources/mole/cmd/analyze/delete_test.go | 95 +++ Resources/mole/cmd/analyze/format.go | 2 + Resources/mole/cmd/analyze/format_test.go | 4 +- Resources/mole/cmd/analyze/heap.go | 2 + Resources/mole/cmd/analyze/heap_test.go | 2 + Resources/mole/cmd/analyze/insights.go | 177 +++++ Resources/mole/cmd/analyze/insights_test.go | 
109 +++ Resources/mole/cmd/analyze/json.go | 146 +++- Resources/mole/cmd/analyze/json_test.go | 101 +++ Resources/mole/cmd/analyze/main.go | 267 ++++--- Resources/mole/cmd/analyze/main_stub.go | 13 + Resources/mole/cmd/analyze/scanner.go | 143 +++- Resources/mole/cmd/analyze/scanner_test.go | 2 + .../mole/cmd/analyze/test_helpers_test.go | 2 + Resources/mole/cmd/analyze/view.go | 35 +- Resources/mole/cmd/status/main.go | 87 +- Resources/mole/cmd/status/main_test.go | 48 ++ Resources/mole/cmd/status/metrics.go | 99 ++- Resources/mole/cmd/status/metrics_battery.go | 144 ++-- .../mole/cmd/status/metrics_battery_test.go | 45 ++ Resources/mole/cmd/status/metrics_disk.go | 278 ++++++- .../mole/cmd/status/metrics_disk_test.go | 150 ++++ Resources/mole/cmd/status/metrics_health.go | 58 +- .../mole/cmd/status/metrics_health_test.go | 75 +- Resources/mole/cmd/status/metrics_process.go | 85 +- Resources/mole/cmd/status/process_watch.go | 150 ++++ .../mole/cmd/status/process_watch_test.go | 182 +++++ Resources/mole/cmd/status/view.go | 102 ++- Resources/mole/cmd/status/view_test.go | 175 +++- Resources/mole/go.mod | 8 +- Resources/mole/go.sum | 8 +- Resources/mole/install.sh | 3 + Resources/mole/lib/check/all.sh | 285 +++++-- Resources/mole/lib/check/dev_environment.sh | 142 ++++ Resources/mole/lib/check/health_json.sh | 15 +- Resources/mole/lib/clean/app_caches.sh | 171 +++- Resources/mole/lib/clean/apps.sh | 304 +++---- Resources/mole/lib/clean/brew.sh | 2 +- Resources/mole/lib/clean/caches.sh | 319 +++++++- Resources/mole/lib/clean/dev.sh | 302 ++++++- Resources/mole/lib/clean/hints.sh | 128 +++ Resources/mole/lib/clean/project.sh | 412 ++++++++-- Resources/mole/lib/clean/purge_shared.sh | 16 + Resources/mole/lib/clean/system.sh | 28 +- Resources/mole/lib/clean/user.sh | 752 +++++++++++++++--- Resources/mole/lib/core/app_protection.sh | 104 ++- Resources/mole/lib/core/base.sh | 103 ++- Resources/mole/lib/core/bundle_resolver.sh | 80 ++ Resources/mole/lib/core/common.sh | 41 
+ Resources/mole/lib/core/file_ops.sh | 206 ++++- Resources/mole/lib/core/help.sh | 19 +- Resources/mole/lib/core/log.sh | 83 +- Resources/mole/lib/core/sudo.sh | 68 +- Resources/mole/lib/core/timeout.sh | 12 +- Resources/mole/lib/core/ui.sh | 8 +- Resources/mole/lib/manage/purge_paths.sh | 12 +- Resources/mole/lib/manage/whitelist.sh | 8 +- Resources/mole/lib/optimize/tasks.sh | 442 +++++++++- Resources/mole/lib/ui/app_selector.sh | 19 +- Resources/mole/lib/ui/menu_paginated.sh | 6 +- Resources/mole/lib/uninstall/batch.sh | 233 ++++-- Resources/mole/lib/uninstall/brew.sh | 22 +- Resources/mole/mole | 154 ++-- Resources/mole/scripts/test.sh | 185 +++-- .../scripts/update_homebrew_tap_formula.sh | 120 +++ Resources/mole/tests/brew_uninstall.bats | 185 ++++- Resources/mole/tests/bundle_resolver.bats | 142 ++++ Resources/mole/tests/check_system.bats | 142 ++++ Resources/mole/tests/clean_app_caches.bats | 162 +++- Resources/mole/tests/clean_apps.bats | 268 ++++--- .../mole/tests/clean_browser_versions.bats | 4 + .../tests/clean_cached_device_firmware.bats | 254 ++++++ Resources/mole/tests/clean_core.bats | 60 +- Resources/mole/tests/clean_dev_caches.bats | 259 +++++- Resources/mole/tests/clean_hints.bats | 68 ++ Resources/mole/tests/clean_misc.bats | 4 + Resources/mole/tests/clean_system_caches.bats | 215 ++++- .../mole/tests/clean_system_maintenance.bats | 125 ++- Resources/mole/tests/clean_user_core.bats | 240 +++++- .../mole/tests/clean_xcode_derived_data.bats | 151 ++++ Resources/mole/tests/cli.bats | 210 ++++- Resources/mole/tests/completion.bats | 8 +- Resources/mole/tests/core_common.bats | 113 ++- Resources/mole/tests/core_performance.bats | 10 +- Resources/mole/tests/core_safe_functions.bats | 28 + Resources/mole/tests/dev_environment.bats | 229 ++++++ Resources/mole/tests/dev_extended.bats | 110 +++ .../mole/tests/file_ops_mole_delete.bats | 212 +++++ Resources/mole/tests/manage_sudo.bats | 58 ++ Resources/mole/tests/manage_whitelist.bats | 129 +++ 
Resources/mole/tests/optimize.bats | 391 +++++++++ Resources/mole/tests/purge.bats | 191 ++++- Resources/mole/tests/purge_config_paths.bats | 48 +- Resources/mole/tests/regression.bats | 66 ++ Resources/mole/tests/scripts.bats | 69 ++ .../mole/tests/test_match_apps_helper.sh | 27 + Resources/mole/tests/uninstall.bats | 716 ++++++++++++++++- .../mole/tests/uninstall_naming_variants.bats | 18 + Resources/mole/tests/update.bats | 4 +- Resources/mole/tests/user_file_ops.bats | 55 ++ 134 files changed, 13584 insertions(+), 1960 deletions(-) create mode 100755 Resources/mole/.githooks/pre-commit create mode 100644 Resources/mole/.github/CODEOWNERS create mode 100644 Resources/mole/.github/pull_request_template.md create mode 100644 Resources/mole/.github/workflows/codeql.yml create mode 100644 Resources/mole/SECURITY.md create mode 100644 Resources/mole/cmd/analyze/insights.go create mode 100644 Resources/mole/cmd/analyze/insights_test.go create mode 100644 Resources/mole/cmd/analyze/json_test.go create mode 100644 Resources/mole/cmd/analyze/main_stub.go create mode 100644 Resources/mole/cmd/status/metrics_battery_test.go create mode 100644 Resources/mole/cmd/status/metrics_disk_test.go create mode 100644 Resources/mole/cmd/status/process_watch.go create mode 100644 Resources/mole/cmd/status/process_watch_test.go create mode 100644 Resources/mole/lib/check/dev_environment.sh create mode 100644 Resources/mole/lib/core/bundle_resolver.sh create mode 100755 Resources/mole/scripts/update_homebrew_tap_formula.sh create mode 100644 Resources/mole/tests/bundle_resolver.bats create mode 100644 Resources/mole/tests/check_system.bats create mode 100644 Resources/mole/tests/clean_cached_device_firmware.bats create mode 100644 Resources/mole/tests/clean_xcode_derived_data.bats create mode 100644 Resources/mole/tests/dev_environment.bats create mode 100644 Resources/mole/tests/file_ops_mole_delete.bats create mode 100644 Resources/mole/tests/test_match_apps_helper.sh 
diff --git a/.mole-cli-version b/.mole-cli-version index 034552a..2aeaa11 100644 --- a/.mole-cli-version +++ b/.mole-cli-version @@ -1 +1 @@ -1.30.0 +1.35.0 diff --git a/MoleUI.xcodeproj/project.pbxproj b/MoleUI.xcodeproj/project.pbxproj index 9d05cb6..01b5de5 100644 --- a/MoleUI.xcodeproj/project.pbxproj +++ b/MoleUI.xcodeproj/project.pbxproj @@ -383,7 +383,7 @@ "@executable_path/../Frameworks", ); MACOSX_DEPLOYMENT_TARGET = 14.0; - MARKETING_VERSION = 0.1.4; + MARKETING_VERSION = 0.1.5; PRODUCT_BUNDLE_IDENTIFIER = com.qinfuyao.MoleUI; PRODUCT_NAME = "Mole UI"; SDKROOT = macosx; @@ -470,7 +470,7 @@ "@executable_path/../Frameworks", ); MACOSX_DEPLOYMENT_TARGET = 14.0; - MARKETING_VERSION = 0.1.4; + MARKETING_VERSION = 0.1.5; PRODUCT_BUNDLE_IDENTIFIER = com.qinfuyao.MoleUI; PRODUCT_NAME = "Mole UI"; SDKROOT = macosx; diff --git a/MoleUI/.mole-cli-version b/MoleUI/.mole-cli-version index 034552a..2aeaa11 100644 --- a/MoleUI/.mole-cli-version +++ b/MoleUI/.mole-cli-version @@ -1 +1 @@ -1.30.0 +1.35.0 diff --git a/Resources/mole/.githooks/pre-commit b/Resources/mole/.githooks/pre-commit new file mode 100755 index 0000000..f1a483e --- /dev/null +++ b/Resources/mole/.githooks/pre-commit 
@@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# Pre-commit hook: mirrors GitHub CI checks locally. +# Installed via: git config core.hooksPath .githooks +# +# Runs on every `git commit`. Catches format/lint/test failures before push. + +set -euo pipefail + +REPO_ROOT="$(git rev-parse --show-toplevel)" +cd "$REPO_ROOT" + +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' + +_ok() { echo -e "${GREEN}✓${NC} $1"; } +_fail() { echo -e "${RED}✗${NC} $1"; } +_info() { echo -e "${YELLOW}→${NC} $1"; } + +echo "" +_info "Running pre-commit checks (mirrors GitHub CI)..." +echo "" + +# Only check staged shell/Go files to keep commits fast. +STAGED=$(git diff --cached --name-only --diff-filter=ACM) +HAS_SHELL=$(echo "$STAGED" | grep -E '\.sh$|^mole$|^bin/' || true) +HAS_GO=$(echo "$STAGED" | grep -E '\.go$' || true) + +FAILED=0 + +# --- 1. Shell syntax check (fast, no tool required) --- +if [[ -n "$HAS_SHELL" ]]; then + _info "Shell syntax check..." + while IFS= read -r f; do + [[ -f "$f" ]] || continue + if ! bash -n "$f" 2>&1; then + _fail "Syntax error: $f" + FAILED=1 + fi + done <<< "$HAS_SHELL" + [[ $FAILED -eq 0 ]] && _ok "Shell syntax clean" +fi + +# --- 2. shfmt format check (if installed) --- +if [[ -n "$HAS_SHELL" ]] && command -v shfmt > /dev/null 2>&1; then + _info "shfmt format check..." + UNFORMATTED="" + while IFS= read -r f; do + [[ -f "$f" ]] || continue + if ! shfmt -i 4 -ci -sr -d "$f" > /dev/null 2>&1; then + UNFORMATTED="$UNFORMATTED $f" + fi + done <<< "$HAS_SHELL" + if [[ -n "$UNFORMATTED" ]]; then + _fail "shfmt: unformatted files:$UNFORMATTED" + _info "Fix with: ./scripts/check.sh --format" + FAILED=1 + else + _ok "shfmt format clean" + fi +fi + +# --- 3. shellcheck (if installed) --- +if [[ -n "$HAS_SHELL" ]] && command -v shellcheck > /dev/null 2>&1; then + _info "shellcheck..." + while IFS= read -r f; do + [[ -f "$f" ]] || continue + if ! 
shellcheck "$f" 2>&1; then + FAILED=1 + fi + done <<< "$HAS_SHELL" + [[ $FAILED -eq 0 ]] && _ok "shellcheck clean" +fi + +# --- 4. Go vet (if staged Go files) --- +if [[ -n "$HAS_GO" ]] && command -v go > /dev/null 2>&1; then + _info "go vet..." + if go vet ./cmd/... 2>&1; then + _ok "go vet clean" + else + _fail "go vet failed" + FAILED=1 + fi +fi + +echo "" +if [[ $FAILED -ne 0 ]]; then + _fail "Pre-commit checks failed. Fix the issues above before committing." + _info "Run './scripts/check.sh --format' to auto-fix formatting." + echo "" + exit 1 +fi + +_ok "All pre-commit checks passed." +echo "" diff --git a/Resources/mole/.github/CODEOWNERS b/Resources/mole/.github/CODEOWNERS new file mode 100644 index 0000000..74d9b7c --- /dev/null +++ b/Resources/mole/.github/CODEOWNERS @@ -0,0 +1 @@ +* @tw93 diff --git a/Resources/mole/.github/ISSUE_TEMPLATE/bug_report.md b/Resources/mole/.github/ISSUE_TEMPLATE/bug_report.md index 6e0779c..ca2ca4d 100644 --- a/Resources/mole/.github/ISSUE_TEMPLATE/bug_report.md +++ b/Resources/mole/.github/ISSUE_TEMPLATE/bug_report.md @@ -10,6 +10,8 @@ assignees: '' A clear and concise description of what the bug is. We suggest using English for better global understanding. +If you believe the issue may allow unsafe deletion, path validation bypass, privilege boundary bypass, or release/install integrity issues, do not file a public bug report. Report it privately using the contact details in `SECURITY.md`. + ## Steps to reproduce 1. Run command: `mo ...` diff --git a/Resources/mole/.github/ISSUE_TEMPLATE/config.yml b/Resources/mole/.github/ISSUE_TEMPLATE/config.yml index 8d9ce89..ad78d2f 100644 --- a/Resources/mole/.github/ISSUE_TEMPLATE/config.yml +++ b/Resources/mole/.github/ISSUE_TEMPLATE/config.yml 
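Review bot: The syntax, shfmt and shellcheck loops read each path from the working tree (`bash -n "$f"`, `shfmt -i 4 -ci -sr -d "$f"`, `shellcheck "$f"`) rather than from the index, so with a partially staged file the hook validates content that is not what gets committed. Checking the staged blob closes that gap, for example `git show ":$f" | bash -n` for the syntax step. The path is also passed bare, so a staged file whose name begins with `-` would be parsed as an option by shfmt or shellcheck; passing `"./$f"` avoids that. A local hook can be skipped with `git commit --no-verify`, so a comment at the top saying that CI remains the enforcing control would help, e.g. `# Advisory only: CI re-runs these checks and is the gate.`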
@@ -1,5 +1,8 @@ blank_issues_enabled: false contact_links: + - name: Private Security Report + url: mailto:hitw93@gmail.com?subject=Mole%20security%20report + about: Report a suspected vulnerability privately instead of opening a public issue - name: Telegram Community url: https://t.me/+GclQS9ZnxyI2ODQ1 about: Join our Telegram group for questions and discussions diff --git a/Resources/mole/.github/dependabot.yml b/Resources/mole/.github/dependabot.yml index 603f653..5109cab 100644 --- a/Resources/mole/.github/dependabot.yml +++ b/Resources/mole/.github/dependabot.yml @@ -4,8 +4,18 @@ updates: directory: "/" schedule: interval: "weekly" + labels: + - "dependencies" + reviewers: + - "tw93" + open-pull-requests-limit: 10 - package-ecosystem: "gomod" directory: "/" schedule: interval: "weekly" + labels: + - "dependencies" + reviewers: + - "tw93" + open-pull-requests-limit: 10 diff --git a/Resources/mole/.github/pull_request_template.md b/Resources/mole/.github/pull_request_template.md new file mode 100644 index 0000000..b383243 --- /dev/null +++ b/Resources/mole/.github/pull_request_template.md @@ -0,0 +1,18 @@ +## Summary + +- Describe the change. + +## Safety Review + +- Does this change affect cleanup, uninstall, optimize, installer, remove, analyze delete, update, or install behavior? +- Does this change affect path validation, protected directories, symlink handling, sudo boundaries, or release/install integrity? +- If yes, describe the new boundary or risk change clearly. + +## Tests + +- List the automated tests you ran. +- List any manual checks for high-risk paths or destructive flows. + +## Safety-related changes + +- None. diff --git a/Resources/mole/.github/workflows/check.yml b/Resources/mole/.github/workflows/check.yml index 6f7b0e0..be211b4 100644 --- a/Resources/mole/.github/workflows/check.yml +++ b/Resources/mole/.github/workflows/check.yml 
@@ -21,7 +21,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Homebrew - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4 with: path: | ~/Library/Caches/Homebrew @@ -36,9 +36,9 @@ jobs: run: brew install shfmt shellcheck golangci-lint - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 with: - go-version: '1.24.6' + go-version-file: go.mod - name: Install goimports run: go install golang.org/x/tools/cmd/goimports@latest @@ -66,6 +66,8 @@ jobs: name: Check runs-on: macos-latest needs: format + permissions: + contents: read steps: - name: Checkout @@ -74,7 +76,7 @@ jobs: ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.head_ref) || github.ref }} - name: Cache Homebrew - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4 with: path: | ~/Library/Caches/Homebrew @@ -89,9 +91,9 @@ jobs: run: brew install shfmt shellcheck golangci-lint - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 with: - go-version: '1.24.6' + go-version-file: go.mod - name: Run check script run: ./scripts/check.sh --no-format diff --git a/Resources/mole/.github/workflows/codeql.yml b/Resources/mole/.github/workflows/codeql.yml new file mode 100644 index 0000000..51e3d2a --- /dev/null +++ b/Resources/mole/.github/workflows/codeql.yml 
@@ -0,0 +1,52 @@ +name: CodeQL + +on: + push: + branches: [main, dev] + pull_request: + branches: [main, dev] + schedule: + - cron: '17 3 * * 1' + +permissions: + contents: read + security-events: write + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - language: go + build-mode: manual + - language: actions + build-mode: none + + steps: + - name: Checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 + + - name: Set up Go + if: matrix.language == 'go' + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 + with: + go-version-file: go.mod + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: security-extended + + - name: Build for CodeQL + if: matrix.build-mode == 'manual' + run: make build + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" diff --git a/Resources/mole/.github/workflows/release.yml b/Resources/mole/.github/workflows/release.yml index dc22b27..c2b93f9 100644 --- a/Resources/mole/.github/workflows/release.yml +++ b/Resources/mole/.github/workflows/release.yml @@ -6,7 +6,7 @@ on: - 'V*' permissions: - contents: write + contents: read jobs: build: @@ -26,9 +26,9 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 with: - go-version: "1.24.6" + go-version-file: go.mod - name: Build Binaries run: | 
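Review bot: `github/codeql-action/init@v4` and `github/codeql-action/analyze@v4` are referenced by a mutable tag, while `actions/checkout` and `actions/setup-go` in the same new file are pinned to a commit SHA, and the workflow runs with `security-events: write`. The same applies to `actions/attest-build-provenance@v4` in the release.yml hunk at `@@ -69,16 +73,32 @@`, where the job also holds `contents: write`, `attestations: write` and `id-token: write`. Pinning these to a full commit SHA with the version in a trailing comment, in the form `uses: github/codeql-action/init@<commit-sha> # v4`, would match the other steps and keep a moved tag from changing what executes with those permissions.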
@@ -48,7 +48,7 @@ jobs: fi - name: Upload artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.artifact_name }} path: bin/*-darwin-* @@ -58,9 +58,13 @@ jobs: name: Publish Release needs: build runs-on: ubuntu-latest + permissions: + contents: write + attestations: write + id-token: write steps: - name: Download all artifacts - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: bin pattern: binaries-* @@ -69,16 +73,32 @@ jobs: - name: Display structure of downloaded files run: ls -R bin/ + - name: Generate release checksums + run: | + cd bin + mapfile -t release_files < <(find . -maxdepth 1 -type f -printf '%P\n' | sort) + if [[ ${#release_files[@]} -eq 0 ]]; then + echo "No release assets found" + exit 1 + fi + sha256sum "${release_files[@]}" > SHA256SUMS + cat SHA256SUMS + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v4 + with: + subject-path: | + bin/analyze-darwin-* + bin/status-darwin-* + bin/binaries-darwin-*.tar.gz + bin/SHA256SUMS + - name: Create Release - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 if: startsWith(github.ref, 'refs/tags/') with: name: ${{ github.ref_name }} files: bin/* - body: | - Release assets are ready. - - Final curated release notes should be applied with `gh release edit` after workflow verification. generate_release_notes: false draft: false prerelease: false @@ -87,6 +107,9 @@ jobs: runs-on: ubuntu-latest needs: release steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 + - name: Extract version from tag id: tag_version run: | 
@@ -97,21 +120,46 @@ jobs: echo "Releasing version: $VERSION (tag: $TAG)" - name: Update Homebrew formula (Personal Tap) - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6 - with: - formula-name: mole - formula-path: Formula/mole.rb - homebrew-tap: tw93/homebrew-tap - tag-name: ${{ steps.tag_version.outputs.tag }} - commit-message: | - mole ${{ steps.tag_version.outputs.version }} - - Automated release via GitHub Actions env: - COMMITTER_TOKEN: ${{ secrets.PAT_TOKEN }} + PAT_TOKEN: ${{ secrets.PAT_TOKEN }} + TAG: ${{ steps.tag_version.outputs.tag }} + VERSION: ${{ steps.tag_version.outputs.version }} + run: | + set -euo pipefail + + curl -fsSL -o /tmp/SHA256SUMS "https://github.com/tw93/Mole/releases/download/${TAG}/SHA256SUMS" + ARM_SHA=$(awk '$2 == "binaries-darwin-arm64.tar.gz" { print $1 }' /tmp/SHA256SUMS) + AMD_SHA=$(awk '$2 == "binaries-darwin-amd64.tar.gz" { print $1 }' /tmp/SHA256SUMS) + SOURCE_SHA=$(curl -fsSL "https://github.com/tw93/Mole/archive/refs/tags/${TAG}.tar.gz" | sha256sum | awk '{print $1}') + + if [[ -z "$ARM_SHA" || -z "$AMD_SHA" || -z "$SOURCE_SHA" ]]; then + echo "Failed to resolve release checksums" + exit 1 + fi + + git clone "https://x-access-token:${PAT_TOKEN}@github.com/tw93/homebrew-tap.git" /tmp/homebrew-tap + ./scripts/update_homebrew_tap_formula.sh \ + --formula /tmp/homebrew-tap/Formula/mole.rb \ + --tag "${TAG}" \ + --source-sha "${SOURCE_SHA}" \ + --arm-sha "${ARM_SHA}" \ + --amd-sha "${AMD_SHA}" + + cd /tmp/homebrew-tap + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + if git diff --quiet -- Formula/mole.rb; then + echo "No Homebrew formula changes to push" + exit 0 + fi + + git add Formula/mole.rb + git commit -m "mole ${VERSION}" -m "Automated release via GitHub Actions" + git push origin HEAD:main - name: Update Homebrew formula (Official Core) - uses: 
mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6 + uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4.1 with: formula-name: mole homebrew-tap: Homebrew/homebrew-core diff --git a/Resources/mole/.github/workflows/test.yml b/Resources/mole/.github/workflows/test.yml index 4151314..6584d32 100644 --- a/Resources/mole/.github/workflows/test.yml +++ b/Resources/mole/.github/workflows/test.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [main, dev] +permissions: + contents: read + jobs: tests: name: Unit & Integration Tests @@ -14,12 +17,12 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 - name: Install tools - run: brew install bats-core shellcheck + run: brew install bats-core shellcheck coreutils - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 with: - go-version: "1.24.6" + go-version-file: go.mod - name: Run test script env: @@ -52,10 +55,13 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 + - name: Install tools + run: brew install bats-core coreutils + - name: Check for unsafe rm usage run: | echo "Checking for unsafe rm patterns..." - if grep -r "rm -rf" --include="*.sh" lib/ | grep -v "safe_remove\|validate_path\|# "; then + if grep -r "rm -rf" --include="*.sh" lib/ | grep -v "safe_remove\|validate_path\|# \|echo "; then echo "✗ Unsafe rm -rf usage found" exit 1 fi @@ -86,3 +92,10 @@ jobs: exit 1 fi echo "✓ No secrets found" + + - name: Run high-risk path regression tests + env: + BATS_FORMATTER: tap + LANG: en_US.UTF-8 + LC_ALL: en_US.UTF-8 + run: bats tests/core_safe_functions.bats tests/purge.bats tests/installer.bats diff --git a/Resources/mole/.gitignore b/Resources/mole/.gitignore index 451942f..6313851 100644 --- a/Resources/mole/.gitignore +++ b/Resources/mole/.gitignore 
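Review bot: The personal-tap step trusts whatever it downloads. `ARM_SHA` and `AMD_SHA` are read from the `SHA256SUMS` asset fetched from the release, and `SOURCE_SHA` is the hash of the tag archive as served at that moment, so nothing ties the values written into `Formula/mole.rb` back to the build job's output. `SHA256SUMS` is one of the subjects attested in the publish job, so the step could verify it before use, for example `gh attestation verify /tmp/SHA256SUMS --repo tw93/Mole` (this assumes the `gh` CLI and a token are available to the step). Separately, cloning from `https://x-access-token:${PAT_TOKEN}@github.com/tw93/homebrew-tap.git` stores the PAT in `/tmp/homebrew-tap/.git/config` as the origin URL while `update_homebrew_tap_formula.sh` runs; supplying the credential only to the `git push` invocation would keep it out of the on-disk config.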
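Review bot: Adding `\|echo ` to the `grep -v` filter in the "Check for unsafe rm usage" step drops every matched line that contains `echo ` anywhere, so a line in `lib/` such as `echo "cleaning"; rm -rf "$dir"` no longer fails the check. The existing `# ` alternative has the same effect for any line that carries a trailing comment. Anchoring the exclusions to the start of the code, after the `file:` prefix that `grep -r` prints, keeps the intent of skipping lines that only print or comment without that blind spot, for example `grep -v "safe_remove\|validate_path\|^[^:]*:[[:space:]]*\(#\|echo \)"`.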
@@ -51,6 +51,7 @@ GEMINI.md ANTIGRAVITY.md WARP.md AGENTS.md +journal/ .cursorrules # Go build artifacts (development) @@ -80,3 +81,4 @@ run_tests.ps1 AGENTS.md mole_guidelines.md CLAUDE.md +.claude/settings.local.json diff --git a/Resources/mole/CONTRIBUTING.md b/Resources/mole/CONTRIBUTING.md index cf7ec5f..0bdb017 100644 --- a/Resources/mole/CONTRIBUTING.md +++ b/Resources/mole/CONTRIBUTING.md @@ -8,6 +8,9 @@ brew install shfmt shellcheck bats-core golangci-lint # Install goimports for better Go formatting go install golang.org/x/tools/cmd/goimports@latest + +# Install pre-commit hook (runs format/lint checks on every commit) +git config core.hooksPath .githooks ``` ## Development diff --git a/Resources/mole/CONTRIBUTORS.svg b/Resources/mole/CONTRIBUTORS.svg index 5db214e..e730ee3 100644 --- a/Resources/mole/CONTRIBUTORS.svg +++ b/Resources/mole/CONTRIBUTORS.svg @@ -1,5 +1,5 @@ - -
-
+
+
## Support
-- If Mole helped you, star the repo or [share it](https://twitter.com/intent/tweet?url=https://github.com/tw93/Mole&text=Mole%20-%20Deep%20clean%20and%20optimize%20your%20Mac.) with friends.
-- Got ideas or bugs? Read the [Contributing Guide](CONTRIBUTING.md) and open an issue or PR.
-- Like Mole? Buy Tw93 a Coke to support the project. 🥤 Supporters are below.
+- If Mole helped you, [share it](https://twitter.com/intent/tweet?url=https://github.com/tw93/Mole&text=Mole%20-%20Deep%20clean%20and%20optimize%20your%20Mac.) with friends or give it a star.
+- Got ideas or bugs? Open an issue or PR, feel free to contribute your best AI model.
+- I have two cats, TangYuan and Coke. If you think Mole delights your life, you can feed them canned food 🥩.
-KP%z*8aGoPX_%}W4
z&>6Qkky-pz`E947Y5C0+p+@3yLR^-9W<3S$1e=9WS-v^@zC&q0F1KUz0O-m5vNve^
z=FeX}_$gQ4JWl?P`}27A*U(fVt(z -p1A?hP+Y?IRl1V
z%gYQHa)uc4wc5U4vJCl#coBx|HMaya3)`vi;yN?VUfg>4#9|4qUTgItSnwn}u~awT
z3Jad&&nO4RDYmxMEs1zhC2ZTE>4M2gcAFyZ&MU5}ZtYjx9f(^-)e-aS6?@^_yBd(dUfIW9+27N(Jm#=45d*7f2c6==P&|YrKj-B~X2S4qxgnLasw2RkTz9*LHDVD$qexPrEW`88oT589V
zcz5jG6Jkr4+To3T31r72Q(l^u8a66gv7_ne=xWiIXcP6TsppM|CwmX{m0}K~w>!gQL-JTER&X*RBa26heZCWf4X{`p`J%Ypr5%e1t
z*1+l0vh4V;xzAxseZz@p11GPT9&1ZrFkBUw`6ufU?5K!Ikvo