From 89514bda7604281774d94b6b293cd51a8d8cf0f8 Mon Sep 17 00:00:00 2001 From: balakrishna-binary Date: Wed, 17 Jan 2024 11:23:45 +0800 Subject: [PATCH 1/6] chore: add sha to the github action versions --- .github/actions/npm_install/action.yml | 32 ++--- .github/workflows/generate_preview_link.yml | 8 +- .../workflows/pre_generate_preview_link.yml | 2 +- .github/workflows/release_production.yml | 112 +++++++++--------- .github/workflows/release_staging.yml | 104 ++++++++-------- .github/workflows/test.yml | 28 ++--- 6 files changed, 143 insertions(+), 143 deletions(-) diff --git a/.github/actions/npm_install/action.yml b/.github/actions/npm_install/action.yml index 35e6155f1b4..bce743f7cb4 100644 --- a/.github/actions/npm_install/action.yml +++ b/.github/actions/npm_install/action.yml @@ -3,19 +3,19 @@ description: Install npm packages runs: using: composite steps: - - name: restore_cache - uses: actions/cache@v3.3.2 - with: - key: node-{{ checksum "package-lock.json" }} - path: UPDATE_ME - restore-keys: |- - node-{{ checksum "package-lock.json" }} - node- - - name: Install npm packages - run: npm ci - shell: bash - - name: save_cache - uses: actions/cache@v3.3.2 - with: - path: node_modules - key: node-{{ checksum "package-lock.json" }} + - name: restore_cache + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 + with: + key: node-{{ checksum "package-lock.json" }} + path: UPDATE_ME + restore-keys: |- + node-{{ checksum "package-lock.json" }} + node- + - name: Install npm packages + run: npm ci + shell: bash + - name: save_cache + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 + with: + path: node_modules + key: node-{{ checksum "package-lock.json" }} diff --git a/.github/workflows/generate_preview_link.yml b/.github/workflows/generate_preview_link.yml index ba988edd61f..385efd4cf52 100644 --- a/.github/workflows/generate_preview_link.yml +++ b/.github/workflows/generate_preview_link.yml 
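Review bot: The `key` on both `actions/cache` steps is `node-{{ checksum "package-lock.json" }}`, which is CircleCI template syntax that GitHub Actions does not expand, so the key is a constant string that never changes when package-lock.json does. The restore step also still carries the placeholder `path: UPDATE_ME`, so it cannot restore `node_modules`. The `save_cache` step runs after `npm ci`, so a hit on that fixed key would appear to restore an older `node_modules` over the fresh install. Use `key: node-${{ hashFiles('package-lock.json') }}` and a real path, in a single cache step placed before `npm ci`.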
@@ -27,7 +27,7 @@ jobs: steps: - name: Download artifact id: download-artifact - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow_conclusion: success run_id: ${{ github.event.workflow_run.id }} @@ -54,12 +54,12 @@ jobs: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: ref: ${{ github.event.workflow_run.head_sha }} - name: Setup Node - uses: actions/setup-node@v1 + uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e with: node-version: 12.22 @@ -80,7 +80,7 @@ jobs: run: npm run test - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20 diff --git a/.github/workflows/pre_generate_preview_link.yml b/.github/workflows/pre_generate_preview_link.yml index 207fc62534e..8130a45559a 100644 --- a/.github/workflows/pre_generate_preview_link.yml +++ b/.github/workflows/pre_generate_preview_link.yml @@ -28,7 +28,7 @@ jobs: echo "$USERNAME" > ./pr/USERNAME - name: Upload PR information to artifact - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 with: name: "pr-${{github.run_id}}" path: pr/ diff --git a/.github/workflows/release_production.yml b/.github/workflows/release_production.yml index e348623908f..dc1fb52ae75 100644 --- a/.github/workflows/release_production.yml +++ b/.github/workflows/release_production.yml 
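Review bot: The pinned `uses:` lines in these hunks carry a bare 40-character SHA with no version comment, so a reader cannot tell which release `dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e` is, or check that it matches the `@v2` it replaced. Add the resolved tag as a trailing comment on every pinned line, for example `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # <tag this SHA was resolved from>`. The same applies to the pins in the npm_install, release_production, release_staging and test hunks of this commit. The first `actions/setup-node` pin replaces `@v1` next to `node-version: 12.22`, so it freezes an old major of the action; confirm that is intended and not just carried over.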
@@ -2,67 +2,67 @@ name: DSmartTrader Production Release on: push: tags: - - production_* + - production_* jobs: build_and_test: name: Build and Test runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v1 - with: - node-version: 12 - - name: Install dependencies - uses: "./.github/actions/npm_install" - - name: Build - uses: "./.github/actions/build" - with: - target: production - - name: Versioning - uses: "./.github/actions/versioning" - with: - target_branch: production - - name: "Run Tests" - run: npm run test - - name: Upload Artifacts - uses: actions/upload-artifact@v3 - with: - name: dist - path: dist + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - name: Setup Node + uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e + with: + node-version: 12 + - name: Install dependencies + uses: "./.github/actions/npm_install" + - name: Build + uses: "./.github/actions/build" + with: + target: production + - name: Versioning + uses: "./.github/actions/versioning" + with: + target_branch: production + - name: "Run Tests" + run: npm run test + - name: Upload Artifacts + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + with: + name: dist + path: dist publish_cloudflare_production: name: Publish to Cloudflare Production runs-on: ubuntu-latest needs: [build_and_test] steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v3 - with: - node-version: 20 - - name: Download Artifacts - uses: actions/download-artifact@v3.0.2 - with: - name: dist - path: dist - - name: Publish to Cloudflare - uses: "./.github/actions/publish_to_pages_production" - with: - CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} - CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} - - name: Build Docker image and push to Docker hub and K8S - uses: "./.github/actions/build_and_push_docker_image" - 
with: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} - DOCKERHUB_ORGANISATION: ${{ secrets.DOCKERHUB_ORGANISATION }} - K8S_NAMESPACE: smarttrader-deriv-app-production - KUBE_SERVER: ${{ secrets.KUBE_SERVER }} - SERVICEACCOUNT_TOKEN: ${{ secrets.SERVICEACCOUNT_TOKEN }} - CA_CRT: ${{ secrets.CA_CRT }} - APP_VERSION: latest + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - name: Setup Node + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 + with: + node-version: 20 + - name: Download Artifacts + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: dist + path: dist + - name: Publish to Cloudflare + uses: "./.github/actions/publish_to_pages_production" + with: + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} + - name: Build Docker image and push to Docker hub and K8S + uses: "./.github/actions/build_and_push_docker_image" + with: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} + DOCKERHUB_ORGANISATION: ${{ secrets.DOCKERHUB_ORGANISATION }} + K8S_NAMESPACE: smarttrader-deriv-app-production + KUBE_SERVER: ${{ secrets.KUBE_SERVER }} + SERVICEACCOUNT_TOKEN: ${{ secrets.SERVICEACCOUNT_TOKEN }} + CA_CRT: ${{ secrets.CA_CRT }} + APP_VERSION: latest notify_on_slack: name: Notify on Slack 
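Review bot: Neither `build_and_test` nor `publish_cloudflare_production` declares `permissions:`, and the hunk (which starts at file line 2) shows no workflow-level block either. The jobs that handle the Docker Hub and Kubernetes secrets therefore run with whatever default GITHUB_TOKEN scopes the repository grants. Add a least-privilege default between `on:` and `jobs:`, `permissions:` followed by `contents: read`, and widen it per job only if a local composite action such as `versioning` turns out to need more. The release_staging.yml hunk has the same job shape, though its top-of-file lines are outside that hunk.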
@@ -72,16 +72,16 @@ jobs: needs: [publish_cloudflare_production, build_and_test] steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 with: node-version: 20 - name: Conclusion - uses: technote-space/workflow-conclusion-action@v3 + uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 - name: Download Artifacts - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: name: dist path: dist @@ -93,5 +93,5 @@ jobs: with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} status: ${{ env.WORKFLOW_CONCLUSION }} - release_type: Production + release_type: Production version: ${{ steps.extract_version.outputs.RELEASE_VERSION }} diff --git a/.github/workflows/release_staging.yml b/.github/workflows/release_staging.yml index 17c53b728ce..bd92f0d85ed 100644 --- a/.github/workflows/release_staging.yml +++ b/.github/workflows/release_staging.yml 
@@ -8,60 +8,60 @@ jobs: name: Build and Test runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v1 - with: - node-version: 12 - - name: Install dependencies - uses: "./.github/actions/npm_install" - - name: Build Staging - uses: "./.github/actions/build" - with: - target: staging - - name: Build Translations - uses: "./.github/actions/build" - with: - target: translations - - name: Versioning - uses: "./.github/actions/versioning" - with: - target_branch: staging - - name: "Run Tests" - run: npm run test - - uses: actions/upload-artifact@v3 - with: - name: dist - path: dist + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - name: Setup Node + uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e + with: + node-version: 12 + - name: Install dependencies + uses: "./.github/actions/npm_install" + - name: Build Staging + uses: "./.github/actions/build" + with: + target: staging + - name: Build Translations + uses: "./.github/actions/build" + with: + target: translations + - name: Versioning + uses: "./.github/actions/versioning" + with: + target_branch: staging + - name: "Run Tests" + run: npm run test + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 + with: + name: dist + path: dist publish_cloudflare_staging: name: Publish to Cloudflare Pages Staging runs-on: ubuntu-latest needs: [build_and_test] steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v3 - with: - node-version: 20 - - uses: actions/download-artifact@v3.0.2 - with: - name: dist - path: dist - - name: Publish to Cloudflare - uses: "./.github/actions/publish_to_pages_staging" - with: - CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} - CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} - - name: Build Docker image and push to Docker hub and K8S - uses: 
"./.github/actions/build_and_push_docker_image" - with: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} - DOCKERHUB_ORGANISATION: ${{ secrets.DOCKERHUB_ORGANISATION }} - K8S_NAMESPACE: smarttrader-deriv-app-staging - KUBE_SERVER: ${{ secrets.KUBE_SERVER }} - SERVICEACCOUNT_TOKEN: ${{ secrets.SERVICEACCOUNT_TOKEN }} - CA_CRT: ${{ secrets.CA_CRT }} - APP_VERSION: latest-staging + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - name: Setup Node + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 + with: + node-version: 20 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + with: + name: dist + path: dist + - name: Publish to Cloudflare + uses: "./.github/actions/publish_to_pages_staging" + with: + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} + - name: Build Docker image and push to Docker hub and K8S + uses: "./.github/actions/build_and_push_docker_image" + with: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} + DOCKERHUB_ORGANISATION: ${{ secrets.DOCKERHUB_ORGANISATION }} + K8S_NAMESPACE: smarttrader-deriv-app-staging + KUBE_SERVER: ${{ secrets.KUBE_SERVER }} + SERVICEACCOUNT_TOKEN: ${{ secrets.SERVICEACCOUNT_TOKEN }} + CA_CRT: ${{ secrets.CA_CRT }} + APP_VERSION: latest-staging diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b9db24945f2..fff6fbac09d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -8,17 +8,17 @@ jobs: name: Build and Test runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v1 - with: - node-version: 12.22 - - name: Install dependencies - uses: "./.github/actions/npm_install" - - name: Build - uses: "./.github/actions/build" - with: - target: production - - name: "Run Tests" - run: npm run test + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + - name: Setup Node + uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e + with: + node-version: 12.22 + - name: Install dependencies + uses: "./.github/actions/npm_install" + - name: Build + uses: "./.github/actions/build" + with: + target: production + - name: "Run Tests" + run: npm run test From 8f7c5a426c44e354f0b504c63a2da8416b20b5e3 Mon Sep 17 00:00:00 2001 From: balakrishna-binary Date: Wed, 17 Jan 2024 11:46:49 +0800 Subject: [PATCH 2/6] chore: remove unwanted permissions --- .github/workflows/generate_preview_link.yml | 11 +++-------- .github/workflows/pre_generate_preview_link.yml | 3 --- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/.github/workflows/generate_preview_link.yml b/.github/workflows/generate_preview_link.yml index 385efd4cf52..0e89eda1464 100644 --- a/.github/workflows/generate_preview_link.yml +++ b/.github/workflows/generate_preview_link.yml @@ -1,13 +1,5 @@ name: Generate preview link -permissions: - actions: write - checks: write - contents: write - deployments: write - pull-requests: write - statuses: write - on: workflow_run: workflows: ["Pre-generate preview link"] @@ -24,6 +16,9 @@ concurrency: jobs: build_and_deploy_preview_link: runs-on: Ubuntu-latest + permissions: + checks: write + pull-requests: write steps: - name: Download artifact id: download-artifact diff --git a/.github/workflows/pre_generate_preview_link.yml b/.github/workflows/pre_generate_preview_link.yml index 8130a45559a..c5a006978cf 100644 
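Review bot: The job-level `permissions:` block added in the `@@ -24,6 +16,9 @@` hunk lists only `checks: write` and `pull-requests: write`, and once a block is given every unlisted scope, including `contents`, is set to none. The same job runs `actions/checkout` further down, outside this hunk, and on a private repository that step needs read access to contents. State the scope explicitly with `contents: read` alongside the two existing entries, so the job does not depend on the repository being public.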
--- a/.github/workflows/pre_generate_preview_link.yml +++ b/.github/workflows/pre_generate_preview_link.yml @@ -1,8 +1,5 @@ name: Pre-generate preview link -permissions: - pull-requests: write - on: pull_request: types: [opened, synchronize] From 2294c27a96288235ff5bb3b0c48d27475e67c3b4 Mon Sep 17 00:00:00 2001 From: balakrishna-binary Date: Wed, 17 Jan 2024 14:10:03 +0800 Subject: [PATCH 3/6] chore: add codeowners and dependabot --- .github/CODEOWNERS | 6 ++++++ .github/dependabot.yml | 6 ++++++ 2 files changed, 12 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/dependabot.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000000..3c169facb28 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,6 @@ +# Configuration of code ownership and review approvals for the binary-com/deriv-app repo. +# +# More info: https://help.github.com/articles/about-codeowners/ +# + +* @deriv-com/admin-binary-static \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000000..7b2ee3a6292 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: npm + directory: "/" + schedule: + interval: daily From 7873eb41043596019fc0e03d430688859436c127 Mon Sep 17 00:00:00 2001 From: balakrishna-deriv <56330681+balakrishna-deriv@users.noreply.github.com> Date: Wed, 17 Jan 2024 14:11:25 +0800 Subject: [PATCH 4/6] Update .github/CODEOWNERS --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3c169facb28..6ed9e8c32c4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -3,4 +3,4 @@ # More info: https://help.github.com/articles/about-codeowners/ # -* @deriv-com/admin-binary-static \ No newline at end of file +* @deriv-com/admin-binary-static From 014c5d24884ab8e1c34df295f55af7d1dde66e0f Mon Sep 17 00:00:00 2001 
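Review bot: The new `.github/dependabot.yml` lists only the `npm` ecosystem, so the commit SHAs that the first patch in this series pinned into the workflows will never receive update pull requests and will age silently. Add a `github-actions` entry next to the npm one. The composite action under `.github/actions/npm_install` may need its own `directory` entry to be scanned; check this against the Dependabot documentation.

```yaml
updates:
  # … unchanged: npm entry …
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
```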
From: balakrishna-binary Date: Mon, 29 Jan 2024 11:31:46 +0800 Subject: [PATCH 5/6] chore: fix ga vulnerability --- .github/workflows/generate_preview_link.yml | 35 +++++-------------- .../workflows/pre_generate_preview_link.yml | 31 ---------------- 2 files changed, 9 insertions(+), 57 deletions(-) delete mode 100644 .github/workflows/pre_generate_preview_link.yml diff --git a/.github/workflows/generate_preview_link.yml b/.github/workflows/generate_preview_link.yml index 0e89eda1464..f45bc2c975d 100644 --- a/.github/workflows/generate_preview_link.yml +++ b/.github/workflows/generate_preview_link.yml @@ -1,10 +1,8 @@ name: Generate preview link on: - workflow_run: - workflows: ["Pre-generate preview link"] - types: - - completed + pull_request_target: + types: [opened, synchronize] env: HEAD_REF: ${{ github.head_ref }} 
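Review bot: `pull_request_target` runs this workflow in the base repository's context, with its secrets and the job's write scopes, for pull requests from forks as well. Later steps of the same job check out the pull request's head and run `npm` scripts from it. The `Verify user` step is therefore the only thing separating unreviewed code from `PERSONAL_ACCESS_TOKEN` and the Cloudflare tokens. That action's behaviour is not visible here, so confirm it fails the job for non-members instead of only setting an output. Record the dependency above the trigger, e.g. `# pull_request_target exposes secrets: every step after "Verify user" assumes that step failed closed`.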
@@ -20,34 +18,19 @@ jobs: checks: write pull-requests: write steps: - - name: Download artifact - id: download-artifact - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e + - name: Verify user + uses: "deriv-com/shared-actions/.github/actions/verify_user_in_organization@v1" with: - workflow_conclusion: success - run_id: ${{ github.event.workflow_run.id }} - name: "pr-${{ github.event.workflow_run.id }}" - path: .pr - - - name: Retrieve pull request - id: pr_information - run: | - echo "username=$(cat .pr/USERNAME)" >> $GITHUB_OUTPUT - echo "issue_number=$(cat .pr/ISSUE_NUMBER)" >> $GITHUB_OUTPUT + username: ${{github.event.pull_request.user.login}} + token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - name: Post preview build comment id: post_preview_build_comment uses: "deriv-com/shared-actions/.github/actions/post_preview_build_comment@v1" with: - issue_number: ${{steps.pr_information.outputs.issue_number}} + issue_number: ${{github.event.number}} head_sha: ${{github.event.workflow_run.head_sha}} - - name: Verify user - uses: "deriv-com/shared-actions/.github/actions/verify_user_in_organization@v1" - with: - username: ${{steps.pr_information.outputs.username}} - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: 
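Review bot: The `Verify user` step, now the gate for the whole job, is referenced as `deriv-com/shared-actions/.github/actions/verify_user_in_organization@v1` and receives `secrets.PERSONAL_ACCESS_TOKEN`. It stays on a mutable tag, while the first commit in this series pinned the `actions/*`, `dawidd6` and `technote-space` actions to commit SHAs. Pin it the same way, `uses: "deriv-com/shared-actions/.github/actions/verify_user_in_organization@<full-commit-sha>" # v1`. Do the same for `post_preview_build_comment@v1` in this hunk and `post_preview_link_comment@v1` in the next one.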
@@ -86,14 +69,14 @@ jobs: CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_TEST_LINKS_API_TOKEN }} CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_TEST_LINKS_ACCOUNT_ID }} project_name: "smarttrader-preview" - branch_name: "pr-${{steps.pr_information.outputs.issue_number}}" + branch_name: "pr-${{github.event.number}}" output_dir: dist - name: "Generate preview link comment" uses: "deriv-com/shared-actions/.github/actions/post_preview_link_comment@v1" if: always() && steps.post_preview_build_comment.outcome == 'success' with: - issue_number: ${{steps.pr_information.outputs.issue_number}} + issue_number: ${{github.event.number}} check_run_id: ${{steps.post_preview_build_comment.outputs.check_run_id}} preview_url: ${{steps.publish_to_pages_branch.outputs.cf_pages_url}} status: ${{job.status}} diff --git a/.github/workflows/pre_generate_preview_link.yml b/.github/workflows/pre_generate_preview_link.yml deleted file mode 100644 index c5a006978cf..00000000000 --- a/.github/workflows/pre_generate_preview_link.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Pre-generate preview link - -on: - pull_request: - types: [opened, synchronize] - -env: - HEAD_REF: ${{ github.head_ref }} - -concurrency: - group: cloudflare-pages-verify-"$HEAD_REF" - cancel-in-progress: true - -jobs: - upload_pr_info: - runs-on: Ubuntu-latest - steps: - - name: Retrieve PR information - env: - ISSUE_NUMBER: ${{ github.event.number }} - USERNAME: ${{ github.event.pull_request.user.login }} - run: | - mkdir -p ./pr - echo "$ISSUE_NUMBER" > ./pr/ISSUE_NUMBER - echo "$USERNAME" > ./pr/USERNAME - - - name: Upload PR information to artifact - uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 - with: - name: "pr-${{github.run_id}}" - path: pr/ From 94a3fd83fa9781345e3e794f80462f244a301173 Mon Sep 17 00:00:00 2001 
From: balakrishna-binary Date: Mon, 29 Jan 2024 15:58:35 +0800 Subject: [PATCH 6/6] fix: head sha --- .github/workflows/generate_preview_link.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/generate_preview_link.yml b/.github/workflows/generate_preview_link.yml index f45bc2c975d..5d94d190069 100644 --- a/.github/workflows/generate_preview_link.yml +++ b/.github/workflows/generate_preview_link.yml @@ -29,12 +29,12 @@ jobs: uses: "deriv-com/shared-actions/.github/actions/post_preview_build_comment@v1" with: issue_number: ${{github.event.number}} - head_sha: ${{github.event.workflow_run.head_sha}} + head_sha: ${{github.event.pull_request.head.sha}} - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: - ref: ${{ github.event.workflow_run.head_sha }} + ref: ${{github.event.pull_request.head.sha}} - name: Setup Node uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e
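Review bot: The `Checkout` step now fetches the pull request's head commit inside a `pull_request_target` job, and `actions/checkout` by default leaves the job token in the local git configuration, where the `npm` steps that follow can read it. Add `persist-credentials: false` under `with:`, next to `ref: ${{github.event.pull_request.head.sha}}`. The job continues outside this hunk, so whether a later step needs git credentials cannot be seen from here.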