[Snyk] Fix for 2 vulnerabilities #1742
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Staging - Build PR | |
# **What it does**: Builds PRs before deploying them. | |
# **Why we have it**: Because it's not safe to share our deploy secrets with forked repos: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# **Who does it impact**: All contributors. | |
on: | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
permissions: | |
contents: read | |
# This allows one Build workflow run to interrupt another | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}' | |
cancel-in-progress: true | |
jobs: | |
debug: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Dump full context for debugging | |
env: | |
GITHUB_CONTEXT: ${{ toJSON(github) }} | |
run: echo "$GITHUB_CONTEXT" | |
build-pr: | |
if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }} | |
runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} | |
timeout-minutes: 5 | |
# This interrupts Build, Deploy, and pre-write Undeploy workflow runs in | |
# progress for this PR branch. | |
concurrency: | |
group: 'PR Staging @ ${{ github.event.pull_request.head.label }}' | |
cancel-in-progress: true | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 | |
# Make sure only approved files are changed if it's in github/docs | |
- name: Check changed files | |
if: ${{ github.repository == 'github/docs' && github.event.pull_request.user.login != 'Octomerger' }} | |
uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58 | |
id: filter | |
with: | |
# Base branch used to get changed files | |
base: 'main' | |
# Enables setting an output in the format in `${FILTER_NAME}_files | |
# with the names of the matching files formatted as JSON array | |
list-files: json | |
# Returns list of changed files matching each filter | |
filters: | | |
notAllowed: | |
- '*.js' | |
- '*.mjs' | |
- '*.cjs' | |
- '*.ts' | |
- '*.tsx' | |
- '*.json' | |
- '.npmrc' | |
- '.babelrc*' | |
- '.env*' | |
- 'script/**' | |
- 'Procfile' | |
# When there are changes to files we can't accept | |
- name: Fail when disallowed files are changed | |
if: ${{ steps.filter.outputs.notAllowed == 'true' }} | |
run: exit 1 | |
- name: Setup node | |
uses: actions/setup-node@270253e841af726300e85d718a5f606959b2903c | |
with: | |
node-version: 16.13.x | |
cache: npm | |
# Required for `npm pkg ...` command support | |
- name: Update to npm@^7.20.0 | |
run: npm install --global npm@^7.20.0 | |
- name: Install dependencies | |
run: npm ci | |
- name: Build | |
run: npm run build | |
- name: Remove development-only dependencies | |
run: npm prune --production | |
- name: Remove all npm scripts | |
run: npm pkg delete scripts | |
- name: Set npm script for Heroku build to noop | |
run: npm set-script heroku-postbuild "echo 'Application was pre-built!'" | |
- name: Delete heavy things we won't need deployed | |
run: | | |
# Not needed to run after having been built. | |
rm -fr .next/cache | |
# The dereferenced file is not used in runtime once the | |
# decorated file has been created from it. | |
rm -fr lib/rest/static/dereferenced | |
- name: Create an archive | |
run: | | |
tar -c --file=app.tar \ | |
node_modules/ \ | |
.next/ \ | |
assets/ \ | |
content/ \ | |
data/ \ | |
includes/ \ | |
lib/ \ | |
middleware/ \ | |
translations/ \ | |
server.mjs \ | |
package*.json \ | |
.npmrc \ | |
feature-flags.json \ | |
next.config.js \ | |
app.json \ | |
Procfile | |
# Upload only the files needed to run this application. | |
# We are not willing to trust the rest (e.g. script/) for the remainder | |
# of the deployment process. | |
- name: Upload build artifact | |
uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 | |
with: | |
name: pr_build | |
path: app.tar |