apply Keeping your GitHub Actions and workflows secure practises
This commit is contained in:
fkwp
33
.github/workflows/netlify-pr.yaml
vendored
33
.github/workflows/netlify-pr.yaml
vendored
@@ -1,26 +1,29 @@
|
||||
name: Netlify PR Preview
|
||||
on:
|
||||
pull_request:
|
||||
workflow_run:
|
||||
workflows: ["Build"]
|
||||
types:
|
||||
- synchronize
|
||||
- opened
|
||||
- labeled
|
||||
- completed
|
||||
branches-ignore:
|
||||
- "main"
|
||||
- "livekit"
|
||||
|
||||
jobs:
|
||||
build_element_call:
|
||||
uses: ./.github/workflows/build_resuable.yaml
|
||||
secrets:
|
||||
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
|
||||
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
|
||||
SENTRY_URL: ${{ secrets.SENTRY_URL }}
|
||||
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
|
||||
deploy:
|
||||
needs: build_element_call
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
|
||||
env:
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
PR_FULL_NAME: ${{ github.event.workflow_run.pull_requests[0].head.repo.full_name }}
|
||||
PR_HEAD_REF: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
|
||||
PR_HEAD_SHA: ${{ github.event.workflow_run.pull_requests[0].head.sha }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
deployments: write
|
||||
environment: Netlify
|
||||
steps:
|
||||
- run: ${{ tojson(github.event) }}
|
||||
shell: cat {0}
|
||||
|
||||
- name: 📝 Create Deployment
|
||||
uses: bobheadxi/deployments@v1
|
||||
id: deployment
|
||||
@@ -28,7 +31,7 @@ jobs:
|
||||
step: start
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
env: Netlify
|
||||
ref: ${{ github.event.pull_request.head.sha || github.ref || github.head_ref }}
|
||||
ref: ${{ env.PR_HEAD_SHA || github.ref || github.head_ref }}
|
||||
desc: |
|
||||
Do you trust the author of this PR? Maybe this build will steal your keys or give you malware.
|
||||
Exercise caution. Use test accounts.
|
||||
@@ -44,7 +47,7 @@ jobs:
|
||||
run: curl -s https://raw.githubusercontent.com/element-hq/element-call/main/config/netlify_redirects > webapp/_redirects
|
||||
|
||||
- name: Add config file
|
||||
run: curl -s "https://raw.githubusercontent.com/${{ github.event.pull_request.head.repo.full_name }}/${{ github.event.pull_request.head.ref }}/config/element_io_preview.json" > webapp/config.json
|
||||
run: curl -s "https://raw.githubusercontent.com/${{ env.PR_FULL_NAME }}/${{ env.PR_HEAD_REF }}/config/element_io_preview.json" > webapp/config.json
|
||||
|
||||
- name: ☁️ Deploy to Netlify
|
||||
id: netlify
|
||||
@@ -52,7 +55,7 @@ jobs:
|
||||
with:
|
||||
publish-dir: webapp
|
||||
deploy-message: "Deploy from GitHub Actions"
|
||||
alias: pr${{ github.event.pull_request.number }}
|
||||
alias: pr${{ env.PR_NUMBER }}
|
||||
env:
|
||||
NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
|
||||
NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
|
||||
|
||||
Reference in New Issue
Block a user