This repository has been archived by the owner on Sep 26, 2024. It is now read-only.

adrienne / fix cloudflare deployment security #5667

Merged
134 changes: 134 additions & 0 deletions .github/workflows/generate-preview-link.yml
@@ -0,0 +1,134 @@
name: Generate preview link

permissions:
actions: write
checks: write
contents: write
deployments: write
pull-requests: write
statuses: write

on:
workflow_run:
workflows: ['Pre-generate preview link']
types:
- completed

env:
NODE_OPTIONS: '--max-old-space-size=8192'

concurrency:
group: cloudflare-pages-build-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true

jobs:
build_to_cloudflare_pages:
runs-on: Ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- name: Download artifact
id: download-artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow_conclusion: success
run_id: ${{ github.event.workflow_run.id }}
name: 'pr-${{ github.event.workflow_run.id }}'

- name: Retrieve and verify user organization
id: pr_information
run: |
echo "Verifying user's organization..."
user=$(cat ./USERNAME)
response=$(curl -s -L \
-w "%{http_code}" \
-o /dev/null -H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.LIST_ORGS_TOKEN }}" \
We need a separate GitHub classic token for this with SSO verification for binary-com organization
cc: @balakrishna-deriv

@balakrishna-deriv balakrishna-deriv Sep 25, 2023

Will secrets.GITHUB_TOKEN work? I think it might work because we are only doing a read operation.

Noo it needs a new token that is SSOed with binary-com organization, the GITHUB_TOKEN is provided by default

Screenshot 2023-09-25 at 12 14 51 PM

-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/orgs/binary-com/memberships/$user")

if [ $response != "200" ]; then
echo "User is not a member of binary-com organization."
exit 1
else
echo "User is a member of binary-com organization."
echo "issue_number=$(cat ./NR)" > $GITHUB_OUTPUT
fi
- name: Checkout to repo
uses: actions/checkout@v3
with:
ref: ${{ github.event.workflow_run.head_sha }}

- name: Setup node
uses: actions/setup-node@v2

- name: Get build output from master cache
uses: actions/cache/restore@v3
with:
key: master-cache-public
restore-keys: |
master-cache-public-replica
path: |
.cache
public
- name: Get cached dependencies
id: cache-npm
uses: actions/cache/restore@v3
with:
path: node_modules
key: npm-${{ hashFiles('**/package-lock.json') }}

- name: Install dependencies
if: ${{ steps.cache-npm.outputs.cache-hit != 'true' }}
run: npm ci

- name: Build project
id: build-project
run: npm run build

- name: Publish to Cloudflare Pages
id: publish-to-pages
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_TEST_LINKS_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_TEST_LINKS_ACCOUNT_ID }}
run: |
echo "Installing Wrangler CLI"
npm i -g wrangler
echo "Deploying build to Cloudflare Pages"
directory='public'
projectName='deriv-com-preview-links'
branch=${{github.event.workflow_run.head_branch}}
preview_url=$(wrangler pages deploy $directory --project-name=$projectName --branch=$branch > log.txt 2>&1; echo $?)
echo "------"
cat log.txt
branchName=$(echo $branch | sed 's/[\/_]/-/g')
if grep -q "Deployment complete" log.txt; then
echo "preview_url=https://$branchName.deriv-com-preview-links.pages.dev" > "$GITHUB_OUTPUT"
else
echo "Deployment to Cloudflare Pages failed."
exit 1
fi
- name: 'Generate preview link comment'
id: generate_preview_url
uses: actions/github-script@v3
with:
github-token: ${{ github.token }}
script: |
const preview_url = `https://${{github.event.workflow_run.head_branch}}.deriv-com-preview-links.pages.dev`
const comment = [
`**Preview Link**: ${preview_url}`,
'| Name | Result |',
'| :--- | :------ |',
`| **Build status** | Completed ✅ |`,
`| **Preview URL** | [Visit Preview](${preview_url}) |`,
''
].join('\n')
core.setOutput("comment", comment);
- name: Post Cloudflare Pages Preview comment
uses: marocchino/sticky-pull-request-comment@v2
with:
header: Cloudflare Pages Preview Comment
number: ${{steps.pr_information.outputs.issue_number}}
message: ${{steps.generate_preview_url.outputs.comment}}
recreate: true
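Review bot: `branch=${{github.event.workflow_run.head_branch}}` in the "Publish to Cloudflare Pages" step, and the same expression inside the template literal in "Generate preview link comment", splice a PR head branch name directly into shell and JavaScript source; because this workflow runs on `workflow_run` with write permissions and the Cloudflare secrets, pass the value through an `env:` entry instead (for example `HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}`, then `branch="$HEAD_BRANCH"` in the script and `process.env.HEAD_BRANCH` in the github-script step). The org-membership check is the gate that keeps untrusted PR code out of `npm ci` / `npm run build`, so its `exit 1` path should stay ahead of the checkout as it is here. Smaller points in the same hunk: `preview_url=$(wrangler ... > log.txt 2>&1; echo $?)` captures an exit code, not a URL, and is never read; the comment step rebuilds the URL from the raw branch name rather than using `steps.publish-to-pages.outputs.preview_url`, so for a branch containing `/` or `_` the posted link differs from the sanitized `branchName` that wrangler deployed; `[ $response != "200" ]` should quote `"$response"`; and `> $GITHUB_OUTPUT` is conventionally `>>`.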
28 changes: 28 additions & 0 deletions .github/workflows/pre-generate-preview-link.yml
@@ -0,0 +1,28 @@
name: Pre-generate preview link

permissions:
pull-requests: write

on:
pull_request:
types: [opened, synchronize]

concurrency:
group: cloudflare-pages-verify-${{ github.head_ref }}
cancel-in-progress: true

jobs:
verify_pull_request:
runs-on: Ubuntu-latest
steps:
- name: Retrieve PR information
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
echo ${{ github.event.pull_request.user.login }} > ./pr/USERNAME
- name: Upload PR information to artifact
uses: actions/upload-artifact@v2
with:
name: 'pr-${{github.run_id}}'
path: pr/
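Review bot: `permissions: pull-requests: write` is broader than this job needs; it only writes two files and uploads an artifact, and on `pull_request` runs from forks the token is read-only regardless, so `permissions: contents: read` (or an empty `permissions: {}`) keeps the least-privilege baseline for the untrusted half of this pair. Consider adding `retention-days:` to the upload step as well, since the `pr-<run_id>` artifact only has to survive until the `workflow_run` job reads `USERNAME` and `NR` from it.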