feat(plugin-security): 增加安全插件

Author: cklwblove

.github/workflows/release.yml

@@ -1,43 +1,128 @@
-# This action will publish the package to npm and create a GitHub release.
 name: Release
 
 on:
-  # Run `npm run bump` to bump the version and create a git tag.
   push:
     tags:
-      - "v*"
-
+      - 'v*'
   workflow_dispatch:
-
-permissions:
-  contents: write
-  id-token: write
+    inputs:
+      version:
+        description: '发布版本 (例如: 1.0.0)'
+        required: true
+        type: string
 
 jobs:
-  publish:
+  release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
     steps:
-      - name: Checkout
+      - name: 检出代码
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-      - name: Install Pnpm
-        run: corepack enable
-
-      - name: Setup Node.js
+      - name: 设置 Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
-          cache: "pnpm"
+          node-version: '18'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: 安装 pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
 
-      - name: Install Dependencies
-        run: pnpm install
+      - name: 获取 pnpm store 目录
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
-      - name: Publish
-        uses: JS-DevTools/npm-publish@v3
+      - name: 设置 pnpm 缓存
+        uses: actions/cache@v4
         with:
-          token: ${{ secrets.NPM_TOKEN }}
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: 安装依赖
+        run: |
+          # 尝试使用 frozen lockfile，如果失败则更新 lockfile
+          pnpm install --frozen-lockfile || {
+            echo "⚠️ Lockfile 不匹配，正在更新..."
+            pnpm install --no-frozen-lockfile
+          }
 
-      - name: Create GitHub Release
-        uses: ncipollo/release-action@v1
+      - name: 格式检查
+        run: pnpm run lint
+
+      - name: 构建项目
+        run: pnpm run build
+
+      - name: 获取版本号
+        id: get_version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+            echo "tag_name=v${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+          else
+            echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+            echo "tag_name=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: 更新版本号 (手动触发时)
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          npm version ${{ steps.get_version.outputs.version }} --no-git-tag-version
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add package.json
+          git commit -m "chore: bump version to ${{ steps.get_version.outputs.version }}"
+          git tag ${{ steps.get_version.outputs.tag_name }}
+          git push origin HEAD:${{ github.ref_name }}
+          git push origin ${{ steps.get_version.outputs.tag_name }}
+
+      - name: 生成变更日志
+        id: changelog
+        run: |
+          # 获取上一个标签
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          
+          if [ -z "$PREV_TAG" ]; then
+            # 如果没有上一个标签，获取所有提交
+            CHANGELOG=$(git log --pretty=format:"- %s (%h)" --no-merges)
+          else
+            # 获取两个标签之间的提交
+            CHANGELOG=$(git log ${PREV_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges)
+          fi
+          
+          # 保存到文件以避免特殊字符问题
+          echo "$CHANGELOG" > changelog.txt
+          echo "changelog_file=changelog.txt" >> $GITHUB_OUTPUT
+
+      - name: 发布到 npm
+        run: pnpm publish --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: 创建 GitHub Release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          generateReleaseNotes: "true"
+          tag_name: ${{ steps.get_version.outputs.tag_name }}
+          release_name: Release ${{ steps.get_version.outputs.tag_name }}
+          body_path: ${{ steps.changelog.outputs.changelog_file }}
+          draft: false
+          prerelease: false
+
+      - name: 通知发布成功
+        run: |
+          echo "🎉 发布成功!"
+          echo "📦 版本: ${{ steps.get_version.outputs.version }}"
+          echo "🏷️ 标签: ${{ steps.get_version.outputs.tag_name }}"
+          echo "📝 npm: https://www.npmjs.com/package/@winner-fed/plugin-check-syntax"

.github/workflows/test.yml

@@ -1,54 +1,90 @@
-# winjs-plugin-example
+# winjs-plugin-security
 
-Example plugin for WinJS.
+一个为 WinJS 项目提供安全增强功能的插件，主要用于生成 SRI（Subresource Integrity）属性。
 
-<p>
-  <a href="https://npmjs.com/package/winjs-plugin-example">
-   <img src="https://img.shields.io/npm/v/winjs-plugin-example?style=flat-square&colorA=564341&colorB=EDED91" alt="npm version" />
-  </a>
-  <img src="https://img.shields.io/badge/License-MIT-blue.svg?style=flat-square&colorA=564341&colorB=EDED91" alt="license" />
-  <a href="https://npmcharts.com/compare/winjs-plugin-example?minimal=true"><img src="https://img.shields.io/npm/dm/winjs-plugin-example.svg?style=flat-square&colorA=564341&colorB=EDED91" alt="downloads" /></a>
-</p>
+## 功能特性
 
-## Usage
+- 自动为 HTML 文件中的 `<script>` 和 `<link>` 标签生成 SRI 属性
+- 支持 SHA-512 哈希算法
+- 自动添加 `crossorigin="anonymous"` 属性以确保 SRI 正常工作
+- 仅在生产环境下生效，开发环境自动跳过
 
-Install:
+## 安装
 
 ```bash
-npm add winjs-plugin-example -D
+pnpm add @winner-fed/winjs-plugin-security
 ```
 
-Add plugin to your `.winrc.ts`:
+## 使用方法
 
-```ts
-// .winrc.ts
-export default {
-  plugins: ['winjs-plugin-example'],
-  // 开启配置
-  example: {}
-};
+在你的 `.winrc.ts` 配置文件中添加插件配置：
+
+```typescript
+import { defineConfig } from '@winner-fed/winjs';
+
+export default defineConfig({
+  plugins: ['@winner-fed/winjs-plugin-security'],
+  security: {
+    sri: true // 启用 SRI 功能
+  },
+});
 ```
 
-## Options
+## 配置选项
+
+### `sri`
+
+- **类型**: `boolean`
+- **默认值**: 需要手动设置
+- **描述**: 是否启用 SRI（子资源完整性）功能
+
+当设置为 `true` 时，插件会：
+
+1. 扫描构建后的 HTML 文件
+2. 为所有带有 `src` 属性的 `<script>` 标签添加 `integrity` 属性
+3. 为所有带有 `href` 属性的 `<link>` 标签添加 `integrity` 属性
+4. 自动添加 `crossorigin="anonymous"` 属性（如果不存在）
 
-### foo
+## 示例
 
-Some description.
+### 输入 HTML
 
-- Type: `string`
-- Default: `undefined`
-- Example:
+```html
+<!DOCTYPE html>
+<html>
+<head>
+  <link rel="stylesheet" href="/assets/app.css">
+</head>
+<body>
+  <script src="/assets/app.js"></script>
+</body>
+</html>
+```
+
+### 输出 HTML（启用 SRI 后）
 
-```js
-export default {
-  plugins: ['winjs-plugin-example'],
-  // 开启配置
-  example: {
-    foo: 'bar'
-  }
-};
+```html
+<!DOCTYPE html>
+<html>
+<head>
+  <link rel="stylesheet" href="/assets/app.css" integrity="sha512-ABC123..." crossorigin="anonymous">
+</head>
+<body>
+  <script src="/assets/app.js" integrity="sha512-XYZ789..." crossorigin="anonymous"></script>
+</body>
+</html>
 ```
 
-## License
+## 安全说明
+
+SRI（子资源完整性）是一种安全特性，允许浏览器验证获取的资源（例如从 CDN 获取的资源）没有被恶意修改。当浏览器加载资源时，会计算资源的哈希值并与 `integrity` 属性中指定的哈希值进行比较。如果哈希值不匹配，浏览器将拒绝加载该资源。
+
+## 注意事项
+
+1. 此插件仅在生产构建时生效，开发环境会自动跳过
+2. 需要确保资源文件在构建输出目录中可访问
+3. `integrity` 属性必须与 `crossorigin` 属性配合使用才能正常工作
+
+## 许可证
 
-[MIT](./LICENSE).
+MIT

README.md

@@ -25,7 +25,10 @@
   "linter": {
     "enabled": true,
     "rules": {
-      "recommended": true
+      "recommended": true,
+      "suspicious": {
+        "noExplicitAny": "off"
+      }
     }
   }
 }

biome.json

@@ -1,7 +1,7 @@
 {
-  "name": "winjs-plugin-example",
+  "name": "@winner-fed/winjs-plugin-security",
   "version": "0.0.0",
-  "repository": "https://github.com/winjs-dev/winjs-plugin-template",
+  "repository": "https://github.com/winjs-dev/winjs-plugin-security",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -30,8 +30,8 @@
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
     "@playwright/test": "^1.49.0",
-    "@winner-fed/winjs": "^0.11.21",
-    "@winner-fed/utils": "^0.11.21",
+    "@winner-fed/winjs": "^0.15.0",
+    "@winner-fed/utils": "^0.15.0",
     "@rslib/core": "^0.1.1",
     "@types/node": "^22.10.1",
     "playwright": "^1.49.0",
@@ -40,8 +40,8 @@
   },
   "peerDependencies": {
     "@rsbuild/core": "1.x",
-    "@winner-fed/winjs": "^0.11.21",
-    "@winner-fed/utils": "^0.11.21"
+    "@winner-fed/winjs": "^0.15.0",
+    "@winner-fed/utils": "^0.15.0"
   },
   "peerDependenciesMeta": {
     "@rsbuild/core": {
@@ -51,7 +51,6 @@
       "optional": true
     }
   },
-  "packageManager": "pnpm@9.14.4",
   "publishConfig": {
     "access": "public",
     "registry": "https://registry.npmjs.org/"

package.json

@@ -2,7 +2,7 @@ import { defineConfig } from 'win';
 
 export default defineConfig({
   plugins: ['../src'],
-  example: {
-    foo: 'bar',
+  security: {
+    sri: true,
   },
 });