From 21a8bbf2e82b2740e62691c2f22d6d592176b6ff Mon Sep 17 00:00:00 2001 From: Wabo Date: Wed, 20 May 2026 07:51:39 -0400 Subject: [PATCH] =?UTF-8?q?1.3.2=20=E2=80=94=20fix=20CI=20failures=20(Rubo?= =?UTF-8?q?cop,=20Brakeman,=20pdfium=20source)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- CHANGELOG.md | 14 ++++++++++++++ README.md | 6 +++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ec4a8ae..22bac5b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,20 @@ All notable changes to WaboSign are documented here. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.3.2] — 2026-05-20 + +CI green-up patch. No functional or security changes. + +### Fixed +- [app/models/user.rb](app/models/user.rb) — `Style/RedundantRegexpEscape` (Rubocop): removed unnecessary `\-` escapes inside the `FULL_EMAIL_REGEXP` character classes (`[.'+\-]` → `[.'+-]`, `[.\-]` → `[.-]`). Semantics unchanged. +- [config/brakeman.ignore](config/brakeman.ignore) — added fingerprint for the `LinkToHref` XSS warning on `submissions_filters/_filter_modal.html.erb`: Brakeman tracks `params[:path]` taint through the `filter_path` conditional assignment introduced in 1.3.1; the `start_with?('/')` guard is the actual mitigation. +- [.github/workflows/ci.yml](.github/workflows/ci.yml) — replaced `docusealco/pdfium-binaries` (deleted repo, returns 404) with [`bblanchon/pdfium-binaries`](https://github.com/bblanchon/pdfium-binaries) as the pdfium binary source for the RSpec job. Same tarball layout (`lib/libpdfium.so`), no other changes. + +### Notes +- Released image: `ghcr.io/wabolabs/wabosign:1.3.2` (also tagged `:latest`). + +[1.3.2]: https://github.com/wabolabs/wabosign/releases/tag/1.3.2 + ## [1.3.1] — 2026-05-20 Security-focused patch addressing the alerts surfaced by the repo's first CodeQL scan (run against the 1.3.0 tag, commit [34250ac3](https://github.com/wabolabs/wabosign/commit/34250ac3)). No functional changes. diff --git a/README.md b/README.md index 1bc55ef1..a842638d 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ WaboSign is a fork of [DocuSeal](https://github.com/docusealco/docuseal) under A ## Docker ```sh -docker run --name wabosign -p 3000:3000 -v .:/data ghcr.io/wabolabs/wabosign:1.3.1 +docker run --name wabosign -p 3000:3000 -v .:/data ghcr.io/wabolabs/wabosign:1.3.2 ``` `:latest` always tracks the most recent release; pin a `MAJOR.MINOR.PATCH` tag for reproducible deployments. @@ -61,8 +61,8 @@ WaboSign ships with email + password (Devise) and TOTP two-factor auth out of th ## Releases -- **Current release:** 1.3.1 — see [CHANGELOG.md](CHANGELOG.md). -- **Container image:** `ghcr.io/wabolabs/wabosign:1.3.1` (or `:latest`). +- **Current release:** 1.3.2 — see [CHANGELOG.md](CHANGELOG.md). +- **Container image:** `ghcr.io/wabolabs/wabosign:1.3.2` (or `:latest`). - **Versioning:** `MAJOR.MINOR.PATCH` per [semver.org](https://semver.org). - **Tagging triggers a build:** pushing a `MAJOR.MINOR.PATCH` git tag runs [`.github/workflows/docker.yml`](.github/workflows/docker.yml), which builds `linux/amd64` + `linux/arm64` and pushes to GHCR.