Merge branch 'master' into win-installer

electron-userland · Nov 5, 2024 · d1e4a41 · d1e4a41
2 parents 8d7dc91 + 88cc0b0
commit d1e4a41
Show file tree

Hide file tree

Showing 38 changed files with 283 additions and 59 deletions.
diff --git a/.changeset/mighty-forks-pump.md b/.changeset/mighty-forks-pump.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": minor
+---
+
+feat: add support for AppArmor with template profile and configuration property
diff --git a/.changeset/tame-buckets-drum.md b/.changeset/tame-buckets-drum.md
@@ -0,0 +1,5 @@
+---
+
+---
+
+chore: minor semver update to node in docker images
diff --git a/.github/workflows/docker-deploy.yml → .github/workflows/deploy-docker.yml b/.github/workflows/docker-deploy.yml → .github/workflows/deploy-docker.yml
diff --git a/.github/workflows/deploy-netlify.yml b/.github/workflows/deploy-netlify.yml
@@ -0,0 +1,49 @@
+name: 'Netlify Deploy - Release'
+
+on:
+  release:
+    types: ['published']
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  statuses: write
+
+jobs:
+  deploy:
+    name: 'Deploy Release'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - name: Install deps and audit
+        uses: ./.github/actions/pnpm
+
+      - name: Build typdoc site
+        run: pnpm docs:all
+
+      - uses: jsmrcaga/[email protected]
+        with:
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+          NETLIFY_DEPLOY_MESSAGE: "Prod deploy v${{ github.ref }}"
+          NETLIFY_DEPLOY_TO_PROD: true
+          install_command: "echo Skipping installing the dependencies"
+          build_command: "echo Skipping building the web files"
+          debug: true
+          build_directory: "site"
+          monorepo_package: "electron-builder"
+
+      # Creates a status check with link to preview
+      - name: Set Status check on commit
+        uses: guibranco/[email protected]
+        with:
+          authToken: ${{ secrets.GITHUB_TOKEN }}
+          state: success
+          context: Netlify Documentation Site preview
+          description: Production - Click "details"
+          target_url: ${{ env.NETLIFY_PREVIEW_URL }}
+          sha: ${{github.event.pull_request.head.sha || github.sha}}
diff --git a/.github/workflows/pr-netlify.yml b/.github/workflows/pr-netlify.yml
@@ -0,0 +1,50 @@
+name: 'Netlify Deploy - PR'
+
+on:
+  pull_request:
+    types: ['opened', 'edited', 'synchronize']
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  statuses: write
+
+jobs:
+  deploy:
+    name: 'Deploy PR'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - name: Install deps and audit
+        uses: ./.github/actions/pnpm
+
+      - name: Build typdoc site
+        run: pnpm docs:all
+
+      # Sets the branch name as environment variable
+      - uses: nelonoel/[email protected]
+      - uses: jsmrcaga/[email protected]
+        with:
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+          deploy_alias: ${{ env.BRANCH_NAME }}
+          install_command: "echo Skipping installing the dependencies"
+          build_command: "echo Skipping building the web files"
+          debug: true
+          build_directory: "site"
+          monorepo_package: "electron-builder"
+
+      # Creates a status check with link to preview
+      - name: Set Status check on commit
+        uses: guibranco/[email protected]
+        with:
+          authToken: ${{ secrets.GITHUB_TOKEN }}
+          state: success
+          context: Netlify Documentation Site preview
+          description: Development - Click "details"
+          target_url: ${{ env.NETLIFY_PREVIEW_URL }}
+          sha: ${{github.event.pull_request.head.sha || github.sha}}
diff --git a/.github/workflows/semantic-pr.yml → .github/workflows/pr-semantic.yml b/.github/workflows/semantic-pr.yml → .github/workflows/pr-semantic.yml
diff --git a/README.md b/README.md
@@ -193,7 +193,7 @@ builder.build({
 * [electron-boilerplate](https://github.com/szwacz/electron-boilerplate) A minimalistic yet comprehensive boilerplate application.
 * [Vue CLI 3 plugin for Electron](https://nklayman.github.io/vue-cli-plugin-electron-builder) A Vue CLI 3 plugin for Electron with no required configuration.
 * [electron-vue-vite](https://github.com/caoxiemeihao/electron-vue-vite) A real simple Electron + Vue3 + Vite5 boilerplate.
-* [vite-electron-builder](https://github.com/cawa-93/vite-electron-builder) Secure boilerplate for Electron app based on Vite. TypeScript + Vue/React/Angular/Svelte/Vanilla
+* [vite-electron-builder](https://github.com/cawa-93/vite-electron-builder) Secure boilerplate for Electron app based on Vite. Supports multiple frameworks.
 
 ## Debug
 

diff --git a/docker/build.sh b/docker/build.sh
@@ -9,14 +9,16 @@ docker build -t electronuserland/builder:base -t "electronuserland/builder:base-
 ## NOTE: Order the latest to oldest versions. The most recent node LTS should be tagged as the latest image
 
 # Node 20
-docker build --build-arg NODE_VERSION=20.15.1 --build-arg IMAGE_VERSION=base-$DATE -t electronuserland/builder:20 -t "electronuserland/builder:20-$DATE" -t electronuserland/builder:latest docker/node
+docker build --build-arg NODE_VERSION=20.18.0 --build-arg IMAGE_VERSION=base-$DATE -t electronuserland/builder:20 -t "electronuserland/builder:20-$DATE" -t electronuserland/builder:latest docker/node
 
 docker build --build-arg IMAGE_VERSION=20-$DATE -t electronuserland/builder:20-wine -t "electronuserland/builder:20-wine-$DATE" -t electronuserland/builder:wine docker/wine
 docker build --build-arg IMAGE_VERSION=20-wine-$DATE -t electronuserland/builder:20-wine-mono -t "electronuserland/builder:20-wine-mono-$DATE" -t electronuserland/builder:wine-mono docker/wine-mono
 docker build --build-arg IMAGE_VERSION=20-wine-$DATE -t electronuserland/builder:20-wine-chrome -t "electronuserland/builder:20-wine-chrome-$DATE" -t electronuserland/builder:wine-chrome docker/wine-chrome
 
 # Node 18
-docker build --build-arg NODE_VERSION=18.18.2 --build-arg IMAGE_VERSION=18-$DATE -t electronuserland/builder:18-wine -t "electronuserland/builder:18-wine-$DATE" docker/wine
+docker build --build-arg NODE_VERSION=18.20.4 --build-arg IMAGE_VERSION=base-$DATE -t electronuserland/builder:18 -t "electronuserland/builder:18-$DATE" docker/node
+
+docker build --build-arg IMAGE_VERSION=18-$DATE -t electronuserland/builder:18-wine -t "electronuserland/builder:18-wine-$DATE" docker/wine
 docker build --build-arg IMAGE_VERSION=18-wine-$DATE -t electronuserland/builder:18-wine-mono -t "electronuserland/builder:18-wine-mono-$DATE" docker/wine-mono
 docker build --build-arg IMAGE_VERSION=18-wine-$DATE -t electronuserland/builder:18-wine-chrome -t "electronuserland/builder:18-wine-chrome-$DATE" docker/wine-chrome
 

diff --git a/mkdocs-dockerfile b/mkdocs-dockerfile
@@ -1,5 +1,2 @@
-FROM squidfunk/mkdocs-material
-RUN pip install mkdocs-include-markdown-plugin
-RUN pip install pymdown-extensions
-RUN pip install pygments
-RUN pip install markdown-include
+FROM squidfunk/mkdocs-material:9.5
+RUN pip install mkdocs-include-markdown-plugin pymdown-extensions pygments markdown-include
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -68,9 +68,12 @@ markdown_extensions:
   - pymdownx.tilde
   - toc:
       permalink: true
+      toc_depth: 5
   - markdown_include.include:
       base_path      : './docs/'
       encoding       : 'utf-8'
+      # headingOffset  : 2
+      inheritHeadingDepth : true
 
 plugins:
   - search

diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
@@ -519,12 +519,21 @@
       "additionalProperties": false,
       "properties": {
         "afterInstall": {
+          "description": "File path to script to be passed to FPM for `--after-install` arg.",
           "type": [
             "null",
             "string"
           ]
         },
         "afterRemove": {
+          "description": "File path to script to be passed to FPM for `--after-remove` arg.",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "appArmorProfile": {
+          "description": "File path to custom AppArmor profile (Ubuntu 24+)",
           "type": [
             "null",
             "string"
@@ -2050,12 +2059,21 @@
       "additionalProperties": false,
       "properties": {
         "afterInstall": {
+          "description": "File path to script to be passed to FPM for `--after-install` arg.",
           "type": [
             "null",
             "string"
           ]
         },
         "afterRemove": {
+          "description": "File path to script to be passed to FPM for `--after-remove` arg.",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "appArmorProfile": {
+          "description": "File path to custom AppArmor profile (Ubuntu 24+)",
           "type": [
             "null",
             "string"

diff --git a/packages/app-builder-lib/src/options/linuxOptions.ts b/packages/app-builder-lib/src/options/linuxOptions.ts
@@ -122,8 +122,18 @@ export interface LinuxTargetSpecificOptions extends CommonLinuxOptions, TargetSp
   readonly vendor?: string | null
   readonly maintainer?: string | null
 
+  /**
+   * File path to script to be passed to FPM for `--after-install` arg.
+   */
   readonly afterInstall?: string | null
+  /**
+   * File path to script to be passed to FPM for `--after-remove` arg.
+   */
   readonly afterRemove?: string | null
+  /**
+   * File path to custom AppArmor profile (Ubuntu 24+)
+   */
+  readonly appArmorProfile?: string | null
 
   /**
    * *Advanced only* The [fpm](https://fpm.readthedocs.io/en/latest/cli-reference.html) options.

diff --git a/packages/app-builder-lib/src/targets/FpmTarget.ts b/packages/app-builder-lib/src/targets/FpmTarget.ts
@@ -1,6 +1,6 @@
 import { Arch, executeAppBuilder, getArchSuffix, log, TmpDir, toLinuxArchString, use, serializeToYaml, asArray } from "builder-util"
 import { unlinkIfExists } from "builder-util"
-import { outputFile, stat } from "fs-extra"
+import { copyFile, outputFile, stat } from "fs-extra"
 import { mkdir, readFile } from "fs/promises"
 import * as path from "path"
 import { smarten } from "../appInfo"
@@ -26,10 +26,16 @@ interface FpmOptions {
   url: string
 }
 
+interface ScriptFiles {
+  afterRemove: string
+  afterInstall: string
+  appArmor: string
+}
+
 export default class FpmTarget extends Target {
   readonly options: LinuxTargetSpecificOptions = { ...this.packager.platformSpecificBuildOptions, ...(this.packager.config as any)[this.name] }
 
-  private readonly scriptFiles: Promise<Array<string>>
+  private readonly scriptFiles: Promise<ScriptFiles>
 
   constructor(
     name: string,
@@ -42,7 +48,7 @@ export default class FpmTarget extends Target {
     this.scriptFiles = this.createScripts()
   }
 
-  private async createScripts(): Promise<Array<string>> {
+  private async createScripts(): Promise<ScriptFiles> {
     const defaultTemplatesDir = getTemplatePath("linux")
 
     const packager = this.packager
@@ -61,10 +67,11 @@ export default class FpmTarget extends Target {
       return path.resolve(packager.projectDir, value)
     }
 
-    return await Promise.all<string>([
-      writeConfigFile(packager.info.tempDirManager, getResource(this.options.afterInstall, "after-install.tpl"), templateOptions),
-      writeConfigFile(packager.info.tempDirManager, getResource(this.options.afterRemove, "after-remove.tpl"), templateOptions),
-    ])
+    return {
+      afterInstall: await writeConfigFile(packager.info.tempDirManager, getResource(this.options.afterInstall, "after-install.tpl"), templateOptions),
+      afterRemove: await writeConfigFile(packager.info.tempDirManager, getResource(this.options.afterRemove, "after-remove.tpl"), templateOptions),
+      appArmor: await writeConfigFile(packager.info.tempDirManager, getResource(this.options.appArmorProfile, "apparmor-profile.tpl"), templateOptions),
+    }
   }
 
   checkOptions(): Promise<any> {
@@ -130,30 +137,35 @@ export default class FpmTarget extends Target {
     if (packager.packagerOptions.prepackaged != null) {
       await mkdir(this.outDir, { recursive: true })
     }
+    const linuxDistType = packager.packagerOptions.prepackaged || path.join(this.outDir, `linux${getArchSuffix(arch)}-unpacked`)
+    const resourceDir = packager.getResourcesDir(linuxDistType)
 
     const publishConfig = this.supportsAutoUpdate(target)
       ? await getAppUpdatePublishConfiguration(packager, arch, false /* in any case validation will be done on publish */)
       : null
     if (publishConfig != null) {
-      const linuxDistType = this.packager.packagerOptions.prepackaged || path.join(this.outDir, `linux${getArchSuffix(arch)}-unpacked`)
-      const resourceDir = packager.getResourcesDir(linuxDistType)
       log.info({ resourceDir: log.filePath(resourceDir) }, `adding autoupdate files for: ${target}. (Beta feature)`)
       await outputFile(path.join(resourceDir, "app-update.yml"), serializeToYaml(publishConfig))
       // Extra file needed for auto-updater to detect installation method
       await outputFile(path.join(resourceDir, "package-type"), target)
     }
 
     const scripts = await this.scriptFiles
+
+    // Install AppArmor support for ubuntu 24+
+    // https://github.com/electron-userland/electron-builder/issues/8635
+    await copyFile(scripts.appArmor, path.join(resourceDir, "apparmor-profile"))
+
     const appInfo = packager.appInfo
     const options = this.options
     const synopsis = options.synopsis
     const args = [
       "--architecture",
       toLinuxArchString(arch, target),
       "--after-install",
-      scripts[0],
+      scripts.afterInstall,
       "--after-remove",
-      scripts[1],
+      scripts.afterRemove,
       "--description",
       smarten(target === "rpm" ? this.helper.getDescription(options) : `${synopsis || ""}\n ${this.helper.getDescription(options)}`),
       "--version",

diff --git a/packages/app-builder-lib/templates/linux/after-install.tpl b/packages/app-builder-lib/templates/linux/after-install.tpl
@@ -25,3 +25,30 @@ fi
 if hash update-desktop-database 2>/dev/null; then
     update-desktop-database /usr/share/applications || true
 fi
+
+# Install apparmor profile. (Ubuntu 24+)
+# First check if the version of AppArmor running on the device supports our profile.
+# This is in order to keep backwards compatibility with Ubuntu 22.04 which does not support abi/4.0.
+# In that case, we just skip installing the profile since the app runs fine without it on 22.04.
+#
+# Those apparmor_parser flags are akin to performing a dry run of loading a profile.
+# https://wiki.debian.org/AppArmor/HowToUse#Dumping_profiles
+#
+# Unfortunately, at the moment AppArmor doesn't have a good story for backwards compatibility.
+# https://askubuntu.com/questions/1517272/writing-a-backwards-compatible-apparmor-profile
+APPARMOR_PROFILE_SOURCE='/opt/${sanitizedProductName}/resources/apparmor-profile'
+APPARMOR_PROFILE_TARGET='/etc/apparmor.d/${executable}'
+if test -d "/etc/apparmor.d"; then
+  if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
+    cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
+
+    if hash apparmor_parser 2>/dev/null; then
+      # Extra flags taken from dh_apparmor:
+      # > By using '-W -T' we ensure that any abstraction updates are also pulled in.
+      # https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
+      apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"
+    fi
+  else
+    echo "Skipping the installation of the AppArmor profile as this version of AppArmor does not seem to support the bundled profile"
+  fi
+fi
diff --git a/packages/app-builder-lib/templates/linux/after-remove.tpl b/packages/app-builder-lib/templates/linux/after-remove.tpl
@@ -6,3 +6,10 @@ if type update-alternatives >/dev/null 2>&1; then
 else
     rm -f '/usr/bin/${executable}'
 fi
+
+APPARMOR_PROFILE_DEST='/etc/apparmor.d/${executable}'
+
+# Remove apparmor profile.
+if [ -f "$APPARMOR_PROFILE_DEST" ]; then
+  rm -f "$APPARMOR_PROFILE_DEST"
+fi
diff --git a/packages/app-builder-lib/templates/linux/apparmor-profile.tpl b/packages/app-builder-lib/templates/linux/apparmor-profile.tpl
@@ -0,0 +1,9 @@
+abi <abi/4.0>,
+include <tunables/global>
+
+profile ${executable} "/opt/${sanitizedProductName}/${executable}" flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/${executable}>
+}
diff --git a/pages/appimage.md b/pages/appimage.md
@@ -5,4 +5,4 @@ The top-level [appImage](configuration.md#appImage) key contains set of options
 
 ## Configuration
 
-{!./app-builder-lib.Interface.AppImageOptions.md!}
+  {!./app-builder-lib.Interface.AppImageOptions.md!}
diff --git a/pages/appx.md b/pages/appx.md
@@ -52,4 +52,4 @@ If you use self-signed certificate, you need to add it to "Trusted People". See
 
 ## Configuration
 
-{!./app-builder-lib.Interface.AppXOptions.md!}
+  {!./app-builder-lib.Interface.AppXOptions.md!}
diff --git a/pages/auto-update.md b/pages/auto-update.md
@@ -213,4 +213,4 @@ Emitted on progress.
 
 ## UpdateInfo
 
-{!./electron-updater.Interface.UpdateInfo.md!}
+  {!./electron-updater.Interface.UpdateInfo.md!}