From be44aa0157d3c9a629518f41b0e84b99728da091 Mon Sep 17 00:00:00 2001
From: fkwp
Date: Thu, 11 Apr 2024 19:32:59 +0000
Subject: [PATCH] apply Keeping your GitHub Actions and workflows secure practises

---
 .github/workflows/build.yaml | 63 +++++++++++++++++--------------
 .github/workflows/netlify-pr.yaml | 33 ++++++++--------
 2 files changed, 53 insertions(+), 43 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index aa958c5d..ed05044d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,31 +4,38 @@ on:
 push:
 branches: [livekit, full-mesh]
 jobs:
- build:
- name: Build
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- - name: Yarn cache
- uses: actions/setup-node@v4
- with:
- cache: "yarn"
- - name: Install dependencies
- run: "yarn install"
- - name: Build
- run: "yarn run build"
- env:
- SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
- SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
- SENTRY_URL: ${{ secrets.SENTRY_URL }}
- SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
- VITE_APP_VERSION: ${{ github.sha }}
- NODE_OPTIONS: "--max-old-space-size=4096"
- - name: Upload Artifact
- uses: actions/upload-artifact@v4
- with:
- name: build
- path: dist
- # We'll only use this in a triggered job, then we're done with it
- retention-days: 1
+ build_element_call:
+ uses: ./.github/workflows/build_resuable.yaml
+ secrets:
+ SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+ SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+ SENTRY_URL: ${{ secrets.SENTRY_URL }}
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+ # build:
+ # name: Build
+ # runs-on: ubuntu-latest
+ # steps:
+ # - name: Checkout code
+ # uses: actions/checkout@v4
+ # - name: Yarn cache
+ # uses: actions/setup-node@v4
+ # with:
+ # cache: "yarn"
+ # - name: Install dependencies
+ # run: "yarn install"
+ # - name: Build
+ # run: "yarn run build"
+ # env:
+ # SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+ # SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+ # SENTRY_URL: ${{ secrets.SENTRY_URL }}
+ # SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+ # VITE_APP_VERSION: ${{ github.sha }}
+ # NODE_OPTIONS: "--max-old-space-size=4096"
+ # - name: Upload Artifact
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: build
+ # path: dist
+ # # We'll only use this in a triggered job, then we're done with it
+ # retention-days: 1
diff --git a/.github/workflows/netlify-pr.yaml b/.github/workflows/netlify-pr.yaml
index f5fcf2b7..55a495fd 100644
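Review bot: The 28 commented-out lines of the old inline job, from `# build:` down to `# retention-days: 1`, should be deleted rather than merged; the reusable workflow `build_resuable.yaml` now owns that logic and git history keeps the previous version, so the dead block only invites the two copies to drift apart. Separately, the Netlify preview workflow in this same patch gates its deploy on `github.event.workflow_run.event == 'pull_request'`, so this workflow must itself be triggered by `pull_request:` for previews to ever run; the `on:` block starts above this hunk (the hunk begins at line 4), so I cannot see whether that trigger exists and it is worth confirming. If the reusable workflow is meant to build fork PRs, the `secrets:` passed here will be empty on those runs, which is the intended outcome for the unprivileged half of the build/deploy split.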
--- a/.github/workflows/netlify-pr.yaml
+++ b/.github/workflows/netlify-pr.yaml
@@ -1,26 +1,29 @@
 name: Netlify PR Preview
 on:
- pull_request:
+ workflow_run:
+ workflows: ["Build"]
 types:
- - synchronize
- - opened
- - labeled
+ - completed
+ branches-ignore:
+ - "main"
+ - "livekit"
 jobs:
- build_element_call:
- uses: ./.github/workflows/build_resuable.yaml
- secrets:
- SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
- SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
- SENTRY_URL: ${{ secrets.SENTRY_URL }}
- SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
 deploy:
- needs: build_element_call
+ if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
+ env:
+ PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+ PR_FULL_NAME: ${{ github.event.workflow_run.pull_requests[0].head.repo.full_name }}
+ PR_HEAD_REF: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
+ PR_HEAD_SHA: ${{ github.event.workflow_run.pull_requests[0].head.sha }}
 runs-on: ubuntu-latest
 permissions:
 deployments: write
 environment: Netlify
 steps:
+ - run: ${{ tojson(github.event) }}
+ shell: cat {0}
+
 - name: 📝 Create Deployment
 uses: bobheadxi/deployments@v1
 id: deployment
@@ -28,7 +31,7 @@ jobs:
 step: start
 token: ${{ secrets.GITHUB_TOKEN }}
 env: Netlify
- ref: ${{ github.event.pull_request.head.sha || github.ref || github.head_ref }}
+ ref: ${{ env.PR_HEAD_SHA || github.ref || github.head_ref }}
 desc: |
 Do you trust the author of this PR? Maybe this build will steal your keys or give you malware.
 Exercise caution. Use test accounts.
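Review bot: Every `PR_*` value in the new `env:` block is read from `github.event.workflow_run.pull_requests[0]`, and in my experience that array is empty when the triggering run came from a fork — the very case a `workflow_run` split exists to handle — so the variables would expand to empty strings while the `if:` still passes, leaving `ref:` to fall back to `github.ref` and the later Netlify alias to become a bare `pr`. Safer is to take the head repo, branch and SHA from the always-populated `workflow_run.head_repository.full_name`, `head_branch` and `head_sha`, resolve the PR number from the head SHA with the API, and fail the job when no PR is found, as sketched below (the `alias:` hunk would then read `steps.pr.outputs.number`, and the explicit `permissions:` block needs `pull-requests: read` for the lookup). The `- run: ${{ tojson(github.event) }}` / `shell: cat {0}` step looks like debugging output; `cat {0}` keeps it shell-safe, but it should be dropped or gated on `runner.debug` before merge. The `deploy` job continues past the end of this hunk.

```yaml
    env:
      PR_FULL_NAME: ${{ github.event.workflow_run.head_repository.full_name }}
      PR_HEAD_REF: ${{ github.event.workflow_run.head_branch }}
      PR_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
    # … unchanged: runs-on, environment …
    permissions:
      deployments: write
      pull-requests: read
    steps:
      - name: Resolve PR number for head SHA
        id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          number="$(gh api "repos/$GITHUB_REPOSITORY/commits/$PR_HEAD_SHA/pulls" --jq '.[0].number // empty')"
          if [ -z "$number" ]; then
            echo "no open pull request found for $PR_HEAD_SHA" >&2
            exit 1
          fi
          echo "number=$number" >> "$GITHUB_OUTPUT"
      # … unchanged: Create Deployment and following steps …
```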
@@ -44,7 +47,7 @@ jobs:
 run: curl -s https://raw.githubusercontent.com/element-hq/element-call/main/config/netlify_redirects > webapp/_redirects
 - name: Add config file
- run: curl -s "https://raw.githubusercontent.com/${{ github.event.pull_request.head.repo.full_name }}/${{ github.event.pull_request.head.ref }}/config/element_io_preview.json" > webapp/config.json
+ run: curl -s "https://raw.githubusercontent.com/${{ env.PR_FULL_NAME }}/${{ env.PR_HEAD_REF }}/config/element_io_preview.json" > webapp/config.json
 - name: ☁️ Deploy to Netlify
 id: netlify
@@ -52,7 +55,7 @@ jobs:
 with:
 publish-dir: webapp
 deploy-message: "Deploy from GitHub Actions"
- alias: pr${{ github.event.pull_request.number }}
+ alias: pr${{ env.PR_NUMBER }}
 env:
 NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
 NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
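Review bot: The new `run:` line still splices `${{ env.PR_HEAD_REF }}` and `${{ env.PR_FULL_NAME }}` into the shell script at expression-evaluation time, so the fork's branch name — chosen by the PR author, and allowed by git to contain `;`, `$`, `|`, `"` and backticks — is injected into bash, which is exactly the pattern the "Keeping your GitHub Actions secure" guidance this commit cites warns against. That mattered little under the old `pull_request` trigger, where a fork PR ran with no secrets and a read-only token, but this step now runs in a `workflow_run` job that also holds `NETLIFY_AUTH_TOKEN`, `NETLIFY_SITE_ID` and a `GITHUB_TOKEN` with `deployments: write`, and arbitrary code in any step of a job can generally reach that job's secrets. The values are already in the job's `env:`, so read them as shell variables instead: `run: curl -s "https://raw.githubusercontent.com/$PR_FULL_NAME/$PR_HEAD_REF/config/element_io_preview.json" > webapp/config.json`. Fetching by `$PR_HEAD_SHA` rather than the branch would additionally pin the config to the commit that was built, instead of whatever the branch points to by the time the deploy runs. The `deploy` job's step list starts before and continues after this hunk.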