[Snyk] Security upgrade express from 4.17.2 to 4.19.2 #153
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Staging - Azure Deploy App Service | |
| # **What it does**: Build and deploy staging PRs to Azure | |
| # **Why we have it**: It's our new staging deployment mechanism, only applicable to docs-internal | |
| # **Who does it impact**: All contributors. | |
| # This whole workflow is only guaranteed to be secure in the *private | |
| # repo* and because we repo-sync these files over the to the public one, | |
| # IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal! | |
| on: | |
| # The advantage of 'pull_request' over 'pull_request_target' is that we | |
| # can make changes to this file and test them in a pull request, instead | |
| # of relying on landing it in 'main' first. | |
| # From a security point of view, its arguably safer this way because | |
| # unlike 'pull_request_target', these only have secrets if the pull | |
| # request creator has permission to access secrets. | |
| pull_request: | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| deployments: write | |
| # This allows one deploy workflow to interrupt another | |
| concurrency: | |
| group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}' | |
| cancel-in-progress: true | |
| jobs: | |
| build-and-deploy-staging-azure: | |
| if: ${{ github.repository == 'github/docs-internal' }} | |
| name: Build and deploy image to staging App Service | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| environment: | |
| name: staging-pr-${{ github.event.number }} | |
| url: ${{ steps.deploy.outputs.defaultHostName }} | |
| env: | |
| GITHUB_EVENT_NUMBER: ${{ github.event.number }} | |
| STAGING_RESOURCE_GROUPS: 4 | |
| NONPROD_REGISTRY_USERNAME: ghdocs | |
| # Image tag is unique to each workflow run so that it always triggers a new deployment | |
| DOCKER_IMAGE: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}/pr-${{ github.event.number }}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }} | |
| steps: | |
| - name: 'Set env vars' | |
| id: vars | |
| run: | | |
| REPO_NAME=${GITHUB_REPOSITORY#*\/} | |
| echo "REPO_NAME=${REPO_NAME}" >> $GITHUB_ENV | |
| echo "DEPLOYMENT_NAME=${REPO_NAME}-pr-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV | |
| echo "RESOURCE_GROUP=preview-env-${REPO_NAME}-$((${GITHUB_EVENT_NUMBER} % ${STAGING_RESOURCE_GROUPS}))" >> $GITHUB_ENV | |
| echo "APP_NAME=gh${REPO_NAME}-staging-${GITHUB_EVENT_NUMBER}" >> $GITHUB_ENV | |
| - name: 'Az CLI login' | |
| uses: azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf | |
| with: | |
| creds: ${{ secrets.NONPROD_AZURE_CREDENTIALS }} | |
| - name: 'Docker login' | |
| uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a | |
| with: | |
| login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }} | |
| username: ${{ env.NONPROD_REGISTRY_USERNAME }} | |
| password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 | |
| - name: Cache Docker layers | |
| uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Check out repo | |
| uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| # To prevent issues with cloning early access content later | |
| persist-credentials: 'false' | |
| lfs: 'true' | |
| - name: Check out LFS objects | |
| run: git lfs checkout | |
| - if: ${{ github.repository == 'github/docs-internal' }} | |
| name: Clone early access | |
| env: | |
| DOCUBOT_REPO_PAT: ${{ secrets.DOCUBOT_REPO_PAT }} | |
| GIT_BRANCH: ${{ github.event.pull_request.head.sha }} | |
| run: npm install dotenv && node script/early-access/clone-for-build.js | |
| - name: 'Build and push image' | |
| uses: docker/build-push-action@1814d3dfb36d6f84174e61f4a4b05bd84089a4b9 | |
| with: | |
| context: . | |
| push: true | |
| target: ${{ fromJSON('["production", "production_early_access"]')[github.repository == 'github/docs-internal'] }} | |
| tags: ${{ env.DOCKER_IMAGE }} | |
| # we only pull the `main` cache image | |
| cache-from: | | |
| type=local,src=/tmp/.buildx-cache | |
| type=registry,ref=${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main | |
| # `main-docker-cache.yml` handles updating the remote cache so we don't pollute it with PR specific code | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
| # Succeed despite any non-zero exit code (e.g. if there is no deployment to cancel) | |
| - name: 'Cancel any existing deployments for this PR' | |
| run: | | |
| az deployment group cancel --name ${{ env.DEPLOYMENT_NAME }} -g ${{ env.RESOURCE_GROUP }} || true | |
| # Deploy ARM template is idempotent | |
| # Note: once the resources exist the image tag must change for a new deployment to occur (the image tag includes workflow run number, run attempt, as well as sha) | |
| - name: Run ARM deploy | |
| id: deploy | |
| uses: azure/arm-deploy@841b12551939c88af8f6df767c24c38a5620fd0d | |
| with: | |
| resourceGroupName: ${{ env.RESOURCE_GROUP }} | |
| subscriptionId: ${{ secrets.NONPROD_SUBSCRIPTION_ID }} | |
| template: ./staging-azure-deploy-template.json | |
| deploymentName: ${{ env.DEPLOYMENT_NAME }} | |
| parameters: appName="${{ env.APP_NAME }}" | |
| location="East US" | |
| linuxFxVersion="DOCKER|${{ env.DOCKER_IMAGE }}" | |
| dockerRegistryUrl="https://${{ secrets.NONPROD_REGISTRY_SERVER }}" | |
| dockerRegistryUsername="${{ env.NONPROD_REGISTRY_USERNAME }}" | |
| dockerRegistryPassword="${{ secrets.NONPROD_REGISTRY_PASSWORD }}" | |
| - run: echo ${{ steps.deploy.outputs.defaultHostName }} | |
| - # Fixes cache growth problem | |
| # https://github.com/docker/build-push-action/issues/252 | |
| # https://github.com/moby/buildkit/issues/1896 | |
| name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache |