From f21d5f5b610964f1eea33983ba0f28e8b2187d10 Mon Sep 17 00:00:00 2001 From: vinu-deriv Date: Fri, 24 Jan 2025 14:25:42 +0400 Subject: [PATCH] remove workflows --- .github/workflows/deploy-preview.yml | 221 ------------------------ .github/workflows/deploy-production.yml | 121 ------------- .github/workflows/deploy.yml | 66 ------- 3 files changed, 408 deletions(-) delete mode 100644 .github/workflows/deploy-preview.yml delete mode 100644 .github/workflows/deploy-production.yml delete mode 100644 .github/workflows/deploy.yml diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml deleted file mode 100644 index c399ede..0000000 --- a/.github/workflows/deploy-preview.yml +++ /dev/null @@ -1,221 +0,0 @@ -name: Deploy Preview - -on: - pull_request: - branches: [ master ] - types: [opened, synchronize, reopened] - -permissions: - contents: read - packages: read - pull-requests: write - deployments: write - id-token: write - -concurrency: - group: preview-${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.ref }} - cancel-in-progress: true - -env: - NODE_ENV: development - HUSKY: 0 - -jobs: - security-check: - name: Security Check - runs-on: ubuntu-latest - timeout-minutes: 5 - permissions: - pull-requests: read - contents: read - outputs: - is-fork: ${{ steps.check.outputs.is-fork }} - is-authorized: ${{ steps.check.outputs.is-authorized }} - steps: - - name: Verify user - uses: "deriv-com/shared-actions/.github/actions/verify_user_in_organization@v1" - with: - username: ${{github.event.pull_request.user.login}} - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - - name: Check PR source and permissions - id: check - uses: actions/github-script@v7 - with: - script: | - const pr = context.payload.pull_request; - const isFork = pr.head.repo.full_name !== pr.base.repo.full_name; - - let isAuthorized = false; - try { - const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({ - owner: context.repo.owner, - repo: context.repo.repo, - username: pr.user.login - }); - isAuthorized = ['admin', 'write'].includes(permission.permission); - } catch (e) { - console.error('Error checking permissions:', e); - isAuthorized = false; - } - - core.setOutput('is-fork', isFork.toString()); - core.setOutput('is-authorized', isAuthorized.toString()); - - if (isFork && !isAuthorized) { - core.notice('⚠️ This PR is from a fork and requires approval from maintainers'); - } - - preview: - name: Deploy Preview - needs: security-check - runs-on: ubuntu-latest - if: | - github.event.workflow_run.conclusion != 'action_required' || - github.event.workflow_run.conclusion == 'approved' - environment: - name: preview - url: ${{ steps.deploy.outputs.deployment-url }} - permissions: - deployments: write - issues: write - pull-requests: write - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - - - name: Additional security checks for forks - id: security_checks - if: needs.security-check.outputs.is-fork == 'true' - run: | - # Function to check file patterns - check_patterns() { - local file="$1" - local patterns=( - "crypto\." - "eval[\s]*\(" - "child_process" - "exec[A-Z][a-z]*\(" - "http[s]?\." - "net\." - "process\.env" - "require\(['\"]child_process" - "fs\." - "new\s+Function" - "__proto__" - "Function\(" - "require\(['\"]\.\." - "require\(['\"]~" - "process\.binding" - "v8\." - "vm\." - "\.constructor\." - "Object\.prototype" - "Object\.defineProperty" - "Object\.setPrototypeOf" - ) - - for pattern in "${patterns[@]}"; do - if grep -q "$pattern" "$file"; then - echo "⚠️ Suspicious pattern found in $file: $pattern" - return 1 - fi - done - return 0 - } - - exit_code=0 - while IFS= read -r file; do - if [ -f "$file" ]; then - if file "$file" | grep -q "binary"; then - echo "❌ Binary file detected: $file" - exit_code=1 - fi - - if ! file "$file" | grep -q "binary"; then - if ! check_patterns "$file"; then - exit_code=1 - fi - fi - fi - done < <(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }}) - - if [ $exit_code -eq 0 ]; then - echo "SECURITY_CHECK_RESULT=✅ All security checks passed" >> $GITHUB_ENV - else - echo "SECURITY_CHECK_RESULT=⚠️ Security review required - See above for details" >> $GITHUB_ENV - exit 1 - fi - - - name: Setup environment - uses: ./.github/actions/setup-environment - - - name: Deploy to Vercel - id: deploy - timeout-minutes: 10 - uses: ./.github/actions/deploy/vercel/development - env: - # Pass all repository secrets to the action - REACT_APP_WS_PORT: ${{ secrets.REACT_APP_WS_PORT }} - REACT_APP_WS_URL: ${{ secrets.REACT_APP_WS_URL }} - REACT_OAUTH_URL: ${{ secrets.REACT_OAUTH_URL }} - REACT_CURRENT_ENVIRONMENT: preview - with: - vercel-token: ${{ secrets.VERCEL_TOKEN }} - vercel-org-id: ${{ secrets.VERCEL_ORG_ID }} - vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }} - pr-number: ${{ github.event.pull_request.number }} - - - name: Add preview URL to pull request - uses: actions/github-script@v7 - with: - script: | - const isFork = '${{ needs.security-check.outputs.is-fork }}' === 'true'; - const isAuthorized = '${{ needs.security-check.outputs.is-authorized }}' === 'true'; - - let securityStatus = ''; - if (isFork) { - securityStatus = `\n\n🔒 Security Status: - - PR is from a fork repository - - Author permission level: ${isAuthorized ? '✅ Authorized' : '⚠️ Requires Approval'} - - Security checks: ${process.env.SECURITY_CHECK_RESULT || '✅ Passed'} - - Note: First-time contributors require maintainer approval for workflow runs.`; - } - - const deploymentUrl = '${{ steps.deploy.outputs.deployment-url }}'; - const comment = `✨ Preview deployment is ready! - - 🔗 Preview URL: ${deploymentUrl} - 📝 Commit: ${context.sha.substring(0, 7)} - 🕒 Deployed at: ${new Date().toISOString()}${securityStatus}`; - - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: comment - }); - - - name: Update deployment status - uses: ./.github/actions/deployment-status - if: success() - with: - environment: 'preview' - deployment-url: ${{ steps.deploy.outputs.deployment-url }} - sha: ${{ github.event.pull_request.head.sha }} - status: 'success' - description: '✨ Preview deployment completed' - - - name: Handle deployment failure - if: failure() - uses: ./.github/actions/deployment-status - with: - environment: 'preview' - deployment-url: ${{ steps.deploy.outputs.deployment-url }} - sha: ${{ github.event.pull_request.head.sha }} - status: 'failure' - description: '❌ Preview deployment failed' diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml deleted file mode 100644 index 7fc84ea..0000000 --- a/.github/workflows/deploy-production.yml +++ /dev/null @@ -1,121 +0,0 @@ -name: Deploy Production - -on: - push: - branches: - - master - -permissions: - contents: read - packages: read - pull-requests: write - deployments: write - id-token: write - -concurrency: - group: production - cancel-in-progress: false - -env: - NODE_ENV: production - HUSKY: 0 - VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} - VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }} - VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }} - -jobs: - validate: - name: Validate Deployment - runs-on: ubuntu-latest - timeout-minutes: 5 - outputs: - secrets-valid: ${{ steps.check-secrets.outputs.valid }} - permissions: - contents: read - steps: - - name: Verify user - uses: "deriv-com/shared-actions/.github/actions/verify_user_in_organization@v1" - with: - username: ${{github.event.pull_request.user.login}} - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - - name: Validate Required Secrets - id: check-secrets - run: | - echo "🔍 Checking required secrets..." - missing_secrets=() - - if [ -z "$VERCEL_TOKEN" ]; then - missing_secrets+=("VERCEL_TOKEN") - fi - if [ -z "$VERCEL_ORG_ID" ]; then - missing_secrets+=("VERCEL_ORG_ID") - fi - if [ -z "$VERCEL_PROJECT_ID" ]; then - missing_secrets+=("VERCEL_PROJECT_ID") - fi - - if [ ${#missing_secrets[@]} -ne 0 ]; then - echo "❌ Missing required secrets: ${missing_secrets[*]}" - echo "valid=false" >> $GITHUB_OUTPUT - exit 1 - fi - - echo "✅ All required secrets are present" - echo "valid=true" >> $GITHUB_OUTPUT - - deploy: - name: Deploy Production - needs: validate - runs-on: ubuntu-latest - timeout-minutes: 15 - environment: - name: production - url: ${{ steps.deploy.outputs.deployment-url }} - permissions: - deployments: write - statuses: write - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup environment - uses: ./.github/actions/setup-environment - - - name: Deploy to Vercel - id: deploy - timeout-minutes: 10 - uses: ./.github/actions/deploy/vercel/production - env: - REACT_APP_WS_PORT: ${{ secrets.REACT_APP_WS_PORT }} - REACT_APP_WS_URL: ${{ secrets.REACT_APP_WS_URL }} - REACT_OAUTH_URL: ${{ secrets.REACT_OAUTH_URL }} - REACT_CURRENT_ENVIRONMENT: production - VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} - VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }} - VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }} - with: - vercel-token: ${{ secrets.VERCEL_TOKEN }} - vercel-org-id: ${{ secrets.VERCEL_ORG_ID }} - vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }} - sha: ${{ github.sha }} - - - name: Update deployment status - uses: ./.github/actions/deployment-status - if: success() - with: - environment: 'production' - deployment-url: ${{ steps.deploy.outputs.deployment-url }} - sha: ${{ github.sha }} - status: 'success' - description: '✨ Production deployment completed' - - - name: Handle deployment failure - if: failure() - uses: ./.github/actions/deployment-status - with: - environment: 'production' - deployment-url: ${{ steps.deploy.outputs.deployment-url }} - sha: ${{ github.sha }} - status: 'failure' - description: '❌ Production deployment failed' diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml deleted file mode 100644 index ac6696d..0000000 --- a/.github/workflows/deploy.yml +++ /dev/null @@ -1,66 +0,0 @@ -name: Deploy to GitHub Pages - -on: - push: - branches: ["master"] - workflow_dispatch: - -permissions: - contents: read - pages: write - id-token: write - pull-requests: write - issues: write - -concurrency: - group: "pages" - cancel-in-progress: true - -env: - REACT_APP_WS_PORT: ${{ secrets.REACT_APP_WS_PORT }} - REACT_APP_WS_URL: ${{ secrets.REACT_APP_WS_URL }} - REACT_CURRENT_ENVIRONMENT: ${{ secrets.REACT_CURRENT_ENVIRONMENT }} - REACT_OAUTH_URL: ${{ secrets.REACT_OAUTH_URL }} - -jobs: - deploy: - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: Verify user - uses: "deriv-com/shared-actions/.github/actions/verify_user_in_organization@v1" - with: - username: ${{github.event.push.sender.login}} - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Node - uses: actions/setup-node@v4 - with: - node-version: 18 - cache: "npm" - - - name: Install dependencies - run: npm install - - - name: Build - run: npm run build - - - name: Setup Pages - uses: actions/configure-pages@v4 - with: - enablement: true - - - name: Upload artifact - uses: actions/upload-pages-artifact@v3 - with: - path: "./dist" - - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v4