This repository has been archived by the owner on Sep 26, 2024. It is now read-only.

adrienne/fix: cloudflare deployment security (#5667)
* refactor: sanitized email input from html element symbols

* chore: added pre-flow workflow for cloudflare pages

* chore: reverted prettier changes

* Revert "chore: reverted prettier changes"

This reverts commit a401298.

* chore: reverted prettier changes again

* chore: reverted prettier changes again

* Update messages.json

* Update messages.json

* chore: change secrets name
adrienne-deriv authored Sep 26, 2023
1 parent fe3674e commit 186f43e
Showing 3 changed files with 163 additions and 1 deletion.
134 changes: 134 additions & 0 deletions .github/workflows/generate-preview-link.yml
@@ -0,0 +1,134 @@
name: Generate preview link

permissions:
actions: write
checks: write
contents: write
deployments: write
pull-requests: write
statuses: write

on:
workflow_run:
workflows: ['Pre-generate preview link']
types:
- completed

env:
NODE_OPTIONS: '--max-old-space-size=8192'

concurrency:
group: cloudflare-pages-build-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true

jobs:
build_to_cloudflare_pages:
runs-on: Ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- name: Download artifact
id: download-artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow_conclusion: success
run_id: ${{ github.event.workflow_run.id }}
name: 'pr-${{ github.event.workflow_run.id }}'

- name: Retrieve and verify user organization
id: pr_information
run: |
echo "Verifying user's organization..."
user=$(cat ./USERNAME)
response=$(curl -s -L \
-w "%{http_code}" \
-o /dev/null -H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.PERSONAL_ACCESS_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/orgs/binary-com/memberships/$user")
if [ $response != "200" ]; then
echo "User is not a member of binary-com organization."
exit 1
else
echo "User is a member of binary-com organization."
echo "issue_number=$(cat ./NR)" > $GITHUB_OUTPUT
fi
- name: Checkout to repo
uses: actions/checkout@v3
with:
ref: ${{ github.event.workflow_run.head_sha }}

- name: Setup node
uses: actions/setup-node@v2

- name: Get build output from master cache
uses: actions/cache/restore@v3
with:
key: master-cache-public
restore-keys: |
master-cache-public-replica
path: |
.cache
public
- name: Get cached dependencies
id: cache-npm
uses: actions/cache/restore@v3
with:
path: node_modules
key: npm-${{ hashFiles('**/package-lock.json') }}

- name: Install dependencies
if: ${{ steps.cache-npm.outputs.cache-hit != 'true' }}
run: npm ci

- name: Build project
id: build-project
run: npm run build

- name: Publish to Cloudflare Pages
id: publish-to-pages
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_TEST_LINKS_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_TEST_LINKS_ACCOUNT_ID }}
run: |
echo "Installing Wrangler CLI"
npm i -g wrangler
echo "Deploying build to Cloudflare Pages"
directory='public'
projectName='deriv-com-preview-links'
branch=${{github.event.workflow_run.head_branch}}
preview_url=$(wrangler pages deploy $directory --project-name=$projectName --branch=$branch > log.txt 2>&1; echo $?)
echo "------"
cat log.txt
branchName=$(echo $branch | sed 's/[\/_]/-/g')
if grep -q "Deployment complete" log.txt; then
echo "preview_url=https://$branchName.deriv-com-preview-links.pages.dev" > "$GITHUB_OUTPUT"
else
echo "Deployment to Cloudflare Pages failed."
exit 1
fi
- name: 'Generate preview link comment'
id: generate_preview_url
uses: actions/github-script@v3
with:
github-token: ${{ github.token }}
script: |
const preview_url = `https://${{github.event.workflow_run.head_branch}}.deriv-com-preview-links.pages.dev`
const comment = [
`**Preview Link**: ${preview_url}`,
'| Name | Result |',
'| :--- | :------ |',
`| **Build status** | Completed ✅ |`,
`| **Preview URL** | [Visit Preview](${preview_url}) |`,
''
].join('\n')
core.setOutput("comment", comment);
- name: Post Cloudflare Pages Preview comment
uses: marocchino/sticky-pull-request-comment@v2
with:
header: Cloudflare Pages Preview Comment
number: ${{steps.pr_information.outputs.issue_number}}
message: ${{steps.generate_preview_url.outputs.comment}}
recreate: true
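
Review bot: The organization check in the "Retrieve and verify user organization" step trusts `user=$(cat ./USERNAME)`, a file taken from an artifact uploaded by the `pull_request` run, so the gate in front of `npm ci` / `npm run build` rests on data the privileged side did not produce. This workflow runs on `workflow_run` with six write scopes and repository secrets, then checks out `github.event.workflow_run.head_sha` and builds it; take the author from the `workflow_run` event payload or look the pull request up through the API rather than reading it from the artifact, and validate `./NR` as digits before writing it to `$GITHUB_OUTPUT` (append with `>>`, not `>`). Separately: `branch=${{github.event.workflow_run.head_branch}}` pastes a contributor-chosen branch name into the script text, so pass it through `env:` and quote `"$branch"`; set `persist-credentials: false` on the checkout and move the build into a job with read-only permissions and no secrets, leaving tokens only to the publish and comment steps; the comment step builds its URL from the raw `head_branch` instead of the sanitized `preview_url` output, so branches containing `/` or `_` will get a wrong link; and `preview_url=$(... ; echo $?)` captures an exit status that is never used.
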
28 changes: 28 additions & 0 deletions .github/workflows/pre-generate-preview-link.yml
@@ -0,0 +1,28 @@
name: Pre-generate preview link

permissions:
pull-requests: write

on:
pull_request:
types: [opened, synchronize]

concurrency:
group: cloudflare-pages-verify-${{ github.head_ref }}
cancel-in-progress: true

jobs:
verify_pull_request:
runs-on: Ubuntu-latest
steps:
- name: Retrieve PR information
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
echo ${{ github.event.pull_request.user.login }} > ./pr/USERNAME
- name: Upload PR information to artifact
uses: actions/upload-artifact@v2
with:
name: 'pr-${{github.run_id}}'
path: pr/
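
Review bot: `permissions: pull-requests: write` at the top of this workflow is not used by any step, since the job only writes two files and uploads them; reduce it to `permissions: {}` so the `pull_request` run holds no write token. In the "Retrieve PR information" step, `${{ github.event.number }}` and `${{ github.event.pull_request.user.login }}` are expanded into the script text before the shell runs; pass them through `env:` and write them from quoted shell variables so the pattern stays safe if other event fields are added later. The artifact produced here is also the only input to the organization check in the follow-up workflow, which deserves a comment in this file stating that its contents are informational and not a trust decision.
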
2 changes: 1 addition & 1 deletion crowdin/messages.json
Expand Up @@ -4565,4 +4565,4 @@
"-1165835520": "employees",
"-651384976": "nationalities",
"-1033881248": "See our open positions"
}
}
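
Review bot: The only changed line in `crowdin/messages.json` is the closing `}`, which reads as an end-of-file or whitespace-only edit unrelated to the Cloudflare workflow change; consider dropping it from this commit so the security fix can be reviewed and reverted on its own.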

1 comment on commit 186f43e

@vercel vercel bot commented on 186f43e Sep 26, 2023

Successfully deployed to the following URLs:

deriv-com – ./

deriv-com-git-master.binary.sx
deriv-com.binary.sx
