apply Keeping your GitHub Actions and workflows secure practises

This commit is contained in:
fkwp
2024-04-11 19:32:59 +00:00
parent e74095be54
commit be44aa0157
2 changed files with 53 additions and 43 deletions


@@ -4,31 +4,38 @@ on:
push: push:
branches: [livekit, full-mesh] branches: [livekit, full-mesh]
jobs: jobs:
build: build_element_call:
name: Build uses: ./.github/workflows/build_resuable.yaml
runs-on: ubuntu-latest secrets:
steps: SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
- name: Checkout code SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
uses: actions/checkout@v4 SENTRY_URL: ${{ secrets.SENTRY_URL }}
- name: Yarn cache SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
uses: actions/setup-node@v4 # build:
with: # name: Build
cache: "yarn" # runs-on: ubuntu-latest
- name: Install dependencies # steps:
run: "yarn install" # - name: Checkout code
- name: Build # uses: actions/checkout@v4
run: "yarn run build" # - name: Yarn cache
env: # uses: actions/setup-node@v4
SENTRY_ORG: ${{ secrets.SENTRY_ORG }} # with:
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }} # cache: "yarn"
SENTRY_URL: ${{ secrets.SENTRY_URL }} # - name: Install dependencies
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} # run: "yarn install"
VITE_APP_VERSION: ${{ github.sha }} # - name: Build
NODE_OPTIONS: "--max-old-space-size=4096" # run: "yarn run build"
- name: Upload Artifact # env:
uses: actions/upload-artifact@v4 # SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
with: # SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
name: build # SENTRY_URL: ${{ secrets.SENTRY_URL }}
path: dist # SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
# We'll only use this in a triggered job, then we're done with it # VITE_APP_VERSION: ${{ github.sha }}
retention-days: 1 # NODE_OPTIONS: "--max-old-space-size=4096"
# - name: Upload Artifact
# uses: actions/upload-artifact@v4
# with:
# name: build
# path: dist
# # We'll only use this in a triggered job, then we're done with it
# retention-days: 1
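Review bot: The old `build` job is kept as a commented-out block (the `# build:` line through `#         retention-days: 1`) right after the new `build_element_call` job, which leaves about thirty lines of dead text in the workflow that git history already preserves; delete the block rather than commenting it out. If it is meant as a reminder of what the reusable workflow must still do, a one-line comment such as `# Build steps moved to ./.github/workflows/build_resuable.yaml` above `build_element_call:` says that without the noise. The companion Netlify workflow reacts to this one via `workflow_run` and only proceeds when the triggering event is `pull_request`, so this workflow presumably also needs a `pull_request` trigger; that part of `on:` is above the hunk and cannot be confirmed here.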


@@ -1,26 +1,29 @@
name: Netlify PR Preview name: Netlify PR Preview
on: on:
pull_request: workflow_run:
workflows: ["Build"]
types: types:
- synchronize - completed
- opened branches-ignore:
- labeled - "main"
- "livekit"
jobs: jobs:
build_element_call:
uses: ./.github/workflows/build_resuable.yaml
secrets:
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
SENTRY_URL: ${{ secrets.SENTRY_URL }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
deploy: deploy:
needs: build_element_call if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
env:
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
PR_FULL_NAME: ${{ github.event.workflow_run.pull_requests[0].head.repo.full_name }}
PR_HEAD_REF: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
PR_HEAD_SHA: ${{ github.event.workflow_run.pull_requests[0].head.sha }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
deployments: write deployments: write
environment: Netlify environment: Netlify
steps: steps:
- run: ${{ tojson(github.event) }}
shell: cat {0}
- name: 📝 Create Deployment - name: 📝 Create Deployment
uses: bobheadxi/deployments@v1 uses: bobheadxi/deployments@v1
id: deployment id: deployment
@@ -28,7 +31,7 @@ jobs:
step: start step: start
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
env: Netlify env: Netlify
ref: ${{ github.event.pull_request.head.sha || github.ref || github.head_ref }} ref: ${{ env.PR_HEAD_SHA || github.ref || github.head_ref }}
desc: | desc: |
Do you trust the author of this PR? Maybe this build will steal your keys or give you malware. Do you trust the author of this PR? Maybe this build will steal your keys or give you malware.
Exercise caution. Use test accounts. Exercise caution. Use test accounts.
@@ -44,7 +47,7 @@ jobs:
run: curl -s https://raw.githubusercontent.com/element-hq/element-call/main/config/netlify_redirects > webapp/_redirects run: curl -s https://raw.githubusercontent.com/element-hq/element-call/main/config/netlify_redirects > webapp/_redirects
- name: Add config file - name: Add config file
run: curl -s "https://raw.githubusercontent.com/${{ github.event.pull_request.head.repo.full_name }}/${{ github.event.pull_request.head.ref }}/config/element_io_preview.json" > webapp/config.json run: curl -s "https://raw.githubusercontent.com/${{ env.PR_FULL_NAME }}/${{ env.PR_HEAD_REF }}/config/element_io_preview.json" > webapp/config.json
- name: ☁️ Deploy to Netlify - name: ☁️ Deploy to Netlify
id: netlify id: netlify
@@ -52,7 +55,7 @@ jobs:
with: with:
publish-dir: webapp publish-dir: webapp
deploy-message: "Deploy from GitHub Actions" deploy-message: "Deploy from GitHub Actions"
alias: pr${{ github.event.pull_request.number }} alias: pr${{ env.PR_NUMBER }}
env: env:
NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }} NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }} NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
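Review bot: In the "Add config file" step, `${{ env.PR_FULL_NAME }}` and `${{ env.PR_HEAD_REF }}` are still expanded into the `run:` script text before the shell sees it, and because the job now runs on `workflow_run` with the repository's secrets in scope (`NETLIFY_AUTH_TOKEN` in the env of the deploy step), a head repo name or branch name chosen by the PR author reaches a privileged shell as code rather than as data. Since the job-level `env:` already exports both values, reference them as shell variables instead: `run: curl -s "https://raw.githubusercontent.com/${PR_FULL_NAME}/${PR_HEAD_REF}/config/element_io_preview.json" > webapp/config.json`. Separately, as far as I know GitHub leaves `workflow_run.pull_requests` empty for runs triggered from fork PRs, so `PR_NUMBER`, `PR_FULL_NAME`, `PR_HEAD_REF` and `PR_HEAD_SHA` may all be empty for exactly the PRs this preview is meant for; that case needs a guard (skip or fail the job when `env.PR_NUMBER == ''`) or a lookup of the PR by `workflow_run.head_sha`. The `- run: ${{ tojson(github.event) }}` / `shell: cat {0}` step dumps the whole event payload into the job log and looks like leftover debugging; remove it before merging.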