[Snyk] Security upgrade next from 11.1.2 to 13.5.0 #211
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Staging - Build PR | |
# **What it does**: Builds PRs before deploying them. | |
# **Why we have it**: Because it's not safe to share our deploy secrets with forked repos: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# **Who does it impact**: All contributors. | |
on: | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
# This is necessary so that the cached things can be reused between | |
# pull requests. | |
# If we don't let the workflow run on `main` the caching will only | |
# help between multiple runs of the same workflow. By letting | |
# it build on pushes to main too, the cache will be reusable | |
# in other people's PRs too. | |
push: | |
branches: | |
- main | |
permissions: | |
contents: read | |
# This allows one Build workflow run to interrupt another | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}' | |
cancel-in-progress: true | |
jobs: | |
build-pr: | |
if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }} | |
runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} | |
timeout-minutes: 5 | |
# This interrupts Build, Deploy, and pre-write Undeploy workflow runs in | |
# progress for this PR branch. | |
concurrency: | |
group: 'PR Staging @ ${{ github.event.pull_request.head.label }}' | |
cancel-in-progress: true | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | |
# Make sure only approved files are changed if it's in github/docs | |
- name: Check changed files | |
if: ${{ github.repository == 'github/docs' && github.event.pull_request.user.login != 'Octomerger' }} | |
uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58 | |
id: filter | |
with: | |
# Base branch used to get changed files | |
base: 'main' | |
# Enables setting an output in the format in `${FILTER_NAME}_files | |
# with the names of the matching files formatted as JSON array | |
list-files: json | |
# Returns list of changed files matching each filter | |
filters: | | |
notAllowed: | |
- '*.js' | |
- '*.mjs' | |
- '*.cjs' | |
- '*.ts' | |
- '*.tsx' | |
- '*.json' | |
- '.npmrc' | |
- '.babelrc*' | |
- '.env*' | |
- 'script/**' | |
- 'Procfile' | |
# When there are changes to files we can't accept | |
- name: Fail when disallowed files are changed | |
if: ${{ steps.filter.outputs.notAllowed == 'true' }} | |
run: exit 1 | |
- name: Setup node | |
uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458 | |
with: | |
node-version: 16.13.x | |
cache: npm | |
# Required for `npm pkg ...` command support | |
- name: Update to npm@^7.20.0 | |
run: npm install --global npm@^7.20.0 | |
- name: Install dependencies | |
run: npm ci | |
- name: Cache nextjs build | |
uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353 | |
with: | |
path: .next/cache | |
key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}-${{ hashFiles('.github/workflows/staging-build-pr.yml') }} | |
- name: Build | |
run: npm run build | |
- name: Remove development-only dependencies | |
run: npm prune --production | |
- name: Remove all npm scripts | |
run: npm pkg delete scripts | |
- name: Set npm script for Heroku build to noop | |
run: npm set-script heroku-postbuild "echo 'Application was pre-built!'" | |
- name: Delete heavy things we won't need deployed | |
if: ${{ github.repository == 'github/docs-internal' }} | |
run: | | |
# The dereferenced file is not used in runtime once the | |
# decorated file has been created from it. | |
rm -fr lib/rest/static/dereferenced | |
# Translations are never tested in Staging builds | |
# but let's keep the empty directory. | |
rm -fr translations | |
mkdir translations | |
# Delete all the big search indexes that are NOT English (`*-en-*`) | |
pushd lib/search/indexes | |
ls | grep -v '\-en\-' | xargs rm | |
popd | |
# Note! Some day it would be nice to be able to delete | |
# all the heavy assets because they bloat the tarball. | |
# But it's not obvious how to test it then. For now, we'll have | |
# to accept that every staging build has a copy of the images. | |
# The assumption here is that a staging build will not | |
# need these legacy redirects. Only the redirects from | |
# front-matter will be at play. | |
# These static redirects json files are notoriously large | |
# and they make the tarball unnecessarily large. | |
echo '[]' > lib/redirects/static/archived-frontmatter-fallbacks.json | |
echo '{}' > lib/redirects/static/developer.json | |
echo '{}' > lib/redirects/static/archived-redirects-from-213-to-217.json | |
# This will turn every `lib/**/static/*.json` into | |
# an equivalent `lib/**/static/*.json.br` file. | |
# Once the server starts, it'll know to fall back to reading | |
# the `.br` equivalent if the `.json` file isn't present. | |
node .github/actions-scripts/compress-large-files.js | |
- name: Create an archive | |
# Only bother if this is actually a pull request | |
if: ${{ github.event.pull_request.number }} | |
run: | | |
tar -c --file=app.tar \ | |
node_modules/ \ | |
.next/ \ | |
assets/ \ | |
content/ \ | |
data/ \ | |
includes/ \ | |
lib/ \ | |
middleware/ \ | |
translations/ \ | |
server.mjs \ | |
package*.json \ | |
.npmrc \ | |
feature-flags.json \ | |
next.config.js \ | |
app.json \ | |
Procfile | |
# We can't delete the .next/cache directory from the workflow | |
# because it's needed for caching, but we can at least delete it | |
# from within the tarball. Then it can be cached but not | |
# weigh down the tarball we intend to deploy. | |
tar --delete --file=app.tar .next/cache | |
# Upload only the files needed to run this application. | |
# We are not willing to trust the rest (e.g. script/) for the remainder | |
# of the deployment process. | |
- name: Upload build artifact | |
# Only bother if this is actually a pull request | |
if: ${{ github.event.pull_request.number }} | |
uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 | |
with: | |
name: pr_build | |
path: app.tar |