Skip to content

[Snyk] Security upgrade next from 11.1.2 to 13.5.0 #211

[Snyk] Security upgrade next from 11.1.2 to 13.5.0

[Snyk] Security upgrade next from 11.1.2 to 13.5.0 #211

name: Staging - Build PR
# **What it does**: Builds PRs before deploying them.
# **Why we have it**: Because it's not safe to share our deploy secrets with forked repos: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# **Who does it impact**: All contributors.
on:
pull_request:
types:
- opened
- reopened
- synchronize
# This is necessary so that the cached things can be reused between
# pull requests.
# If we don't let the workflow run on `main` the caching will only
# help between multiple runs of the same workflow. By letting
# it build on pushes to main too, the cache will be reusable
# in other people's PRs too.
push:
branches:
- main
permissions:
contents: read
# This allows one Build workflow run to interrupt another
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}'
cancel-in-progress: true
jobs:
build-pr:
if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }}
timeout-minutes: 5
# This interrupts Build, Deploy, and pre-write Undeploy workflow runs in
# progress for this PR branch.
concurrency:
group: 'PR Staging @ ${{ github.event.pull_request.head.label }}'
cancel-in-progress: true
steps:
- name: Check out repo
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
# Make sure only approved files are changed if it's in github/docs
- name: Check changed files
if: ${{ github.repository == 'github/docs' && github.event.pull_request.user.login != 'Octomerger' }}
uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58
id: filter
with:
# Base branch used to get changed files
base: 'main'
# Enables setting an output in the format in `${FILTER_NAME}_files
# with the names of the matching files formatted as JSON array
list-files: json
# Returns list of changed files matching each filter
filters: |
notAllowed:
- '*.js'
- '*.mjs'
- '*.cjs'
- '*.ts'
- '*.tsx'
- '*.json'
- '.npmrc'
- '.babelrc*'
- '.env*'
- 'script/**'
- 'Procfile'
# When there are changes to files we can't accept
- name: Fail when disallowed files are changed
if: ${{ steps.filter.outputs.notAllowed == 'true' }}
run: exit 1
- name: Setup node
uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458
with:
node-version: 16.13.x
cache: npm
# Required for `npm pkg ...` command support
- name: Update to npm@^7.20.0
run: npm install --global npm@^7.20.0
- name: Install dependencies
run: npm ci
- name: Cache nextjs build
uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353
with:
path: .next/cache
key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }}-${{ hashFiles('.github/workflows/staging-build-pr.yml') }}
- name: Build
run: npm run build
- name: Remove development-only dependencies
run: npm prune --production
- name: Remove all npm scripts
run: npm pkg delete scripts
- name: Set npm script for Heroku build to noop
run: npm set-script heroku-postbuild "echo 'Application was pre-built!'"
- name: Delete heavy things we won't need deployed
if: ${{ github.repository == 'github/docs-internal' }}
run: |
# The dereferenced file is not used in runtime once the
# decorated file has been created from it.
rm -fr lib/rest/static/dereferenced
# Translations are never tested in Staging builds
# but let's keep the empty directory.
rm -fr translations
mkdir translations
# Delete all the big search indexes that are NOT English (`*-en-*`)
pushd lib/search/indexes
ls | grep -v '\-en\-' | xargs rm
popd
# Note! Some day it would be nice to be able to delete
# all the heavy assets because they bloat the tarball.
# But it's not obvious how to test it then. For now, we'll have
# to accept that every staging build has a copy of the images.
# The assumption here is that a staging build will not
# need these legacy redirects. Only the redirects from
# front-matter will be at play.
# These static redirects json files are notoriously large
# and they make the tarball unnecessarily large.
echo '[]' > lib/redirects/static/archived-frontmatter-fallbacks.json
echo '{}' > lib/redirects/static/developer.json
echo '{}' > lib/redirects/static/archived-redirects-from-213-to-217.json
# This will turn every `lib/**/static/*.json` into
# an equivalent `lib/**/static/*.json.br` file.
# Once the server starts, it'll know to fall back to reading
# the `.br` equivalent if the `.json` file isn't present.
node .github/actions-scripts/compress-large-files.js
- name: Create an archive
# Only bother if this is actually a pull request
if: ${{ github.event.pull_request.number }}
run: |
tar -c --file=app.tar \
node_modules/ \
.next/ \
assets/ \
content/ \
data/ \
includes/ \
lib/ \
middleware/ \
translations/ \
server.mjs \
package*.json \
.npmrc \
feature-flags.json \
next.config.js \
app.json \
Procfile
# We can't delete the .next/cache directory from the workflow
# because it's needed for caching, but we can at least delete it
# from within the tarball. Then it can be cached but not
# weigh down the tarball we intend to deploy.
tar --delete --file=app.tar .next/cache
# Upload only the files needed to run this application.
# We are not willing to trust the rest (e.g. script/) for the remainder
# of the deployment process.
- name: Upload build artifact
# Only bother if this is actually a pull request
if: ${{ github.event.pull_request.number }}
uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
with:
name: pr_build
path: app.tar