apply Keeping your GitHub Actions and workflows secure practises

2024-04-11 19:32:59 +00:00
parent e74095be54
commit be44aa0157
2 changed files with 53 additions and 43 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,31 +4,38 @@ on:
  push:
    branches: [livekit, full-mesh]
 jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Yarn cache
-        uses: actions/setup-node@v4
-        with:
-          cache: "yarn"
-      - name: Install dependencies
-        run: "yarn install"
-      - name: Build
-        run: "yarn run build"
-        env:
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
-          SENTRY_URL: ${{ secrets.SENTRY_URL }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          VITE_APP_VERSION: ${{ github.sha }}
-          NODE_OPTIONS: "--max-old-space-size=4096"
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: build
-          path: dist
-          # We'll only use this in a triggered job, then we're done with it
-          retention-days: 1
+  build_element_call:
+    uses: ./.github/workflows/build_resuable.yaml
+    secrets:
+      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+      SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+      SENTRY_URL: ${{ secrets.SENTRY_URL }}
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+  # build:
+  #   name: Build
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@v4
+  #     - name: Yarn cache
+  #       uses: actions/setup-node@v4
+  #       with:
+  #         cache: "yarn"
+  #     - name: Install dependencies
+  #       run: "yarn install"
+  #     - name: Build
+  #       run: "yarn run build"
+  #       env:
+  #         SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+  #         SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+  #         SENTRY_URL: ${{ secrets.SENTRY_URL }}
+  #         SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+  #         VITE_APP_VERSION: ${{ github.sha }}
+  #         NODE_OPTIONS: "--max-old-space-size=4096"
+  #     - name: Upload Artifact
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         name: build
+  #         path: dist
+  #         # We'll only use this in a triggered job, then we're done with it
+  #         retention-days: 1
--- a/.github/workflows/netlify-pr.yaml
+++ b/.github/workflows/netlify-pr.yaml
@@ -1,26 +1,29 @@
 name: Netlify PR Preview
 on:
-  pull_request:
+  workflow_run:
+    workflows: ["Build"]
    types:
-      - synchronize
-      - opened
-      - labeled
+      - completed
+    branches-ignore:
+      - "main"
+      - "livekit"

 jobs:
-  build_element_call:
-    uses: ./.github/workflows/build_resuable.yaml
-    secrets:
-      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
-      SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
-      SENTRY_URL: ${{ secrets.SENTRY_URL }}
-      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
  deploy:
-    needs: build_element_call
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
+    env:
+      PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+      PR_FULL_NAME: ${{ github.event.workflow_run.pull_requests[0].head.repo.full_name }}
+      PR_HEAD_REF: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
+      PR_HEAD_SHA: ${{ github.event.workflow_run.pull_requests[0].head.sha }}
    runs-on: ubuntu-latest
    permissions:
      deployments: write
    environment: Netlify
    steps:
+      - run: ${{ tojson(github.event) }}
+        shell: cat {0}
+
      - name: 📝 Create Deployment
        uses: bobheadxi/deployments@v1
        id: deployment
@@ -28,7 +31,7 @@ jobs:
          step: start
          token: ${{ secrets.GITHUB_TOKEN }}
          env: Netlify
-          ref: ${{ github.event.pull_request.head.sha || github.ref || github.head_ref }}
+          ref: ${{ env.PR_HEAD_SHA || github.ref || github.head_ref }}
          desc: |
            Do you trust the author of this PR? Maybe this build will steal your keys or give you malware.
            Exercise caution. Use test accounts.
@@ -44,7 +47,7 @@ jobs:
        run: curl -s https://raw.githubusercontent.com/element-hq/element-call/main/config/netlify_redirects > webapp/_redirects

      - name: Add config file
-        run: curl -s "https://raw.githubusercontent.com/${{ github.event.pull_request.head.repo.full_name }}/${{ github.event.pull_request.head.ref }}/config/element_io_preview.json" > webapp/config.json
+        run: curl -s "https://raw.githubusercontent.com/${{ env.PR_FULL_NAME }}/${{ env.PR_HEAD_REF }}/config/element_io_preview.json" > webapp/config.json

      - name: ☁️ Deploy to Netlify
        id: netlify
@@ -52,7 +55,7 @@ jobs:
        with:
          publish-dir: webapp
          deploy-message: "Deploy from GitHub Actions"
-          alias: pr${{ github.event.pull_request.number }}
+          alias: pr${{ env.PR_NUMBER }}
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}