[Snyk] Security upgrade next from 11.1.3 to 14.2.15 #179
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Staging - Build PR | |
| # **What it does**: Builds PRs before deploying them. | |
| # **Why we have it**: Because it's not safe to share our deploy secrets with forked repos: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # **Who does it impact**: All contributors. | |
| # IT'S CRUCIALLY IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs! | |
| on: | |
| pull_request: | |
| permissions: | |
| contents: read | |
| # This allows a subsequently queued workflow run to interrupt previous runs | |
| # These are different from the concurrency in that here it checks if the | |
| # whole workflow runs again. The "inner concurrency" is used for | |
| # undeployments to cleaning up resources. | |
| concurrency: | |
| group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
| cancel-in-progress: true | |
| jobs: | |
| build-pr: | |
| # Important. This whole file is only supposed to run in the PUBLIC repo. | |
| if: ${{ github.repository == 'github/docs' }} | |
| runs-on: ${{ fromJSON('["ubuntu-latest", "self-hosted"]')[github.repository == 'github/docs-internal'] }} | |
| timeout-minutes: 5 | |
| # This interrupts Build, Deploy, and pre-write Undeploy workflow runs in | |
| # progress for this PR branch. | |
| concurrency: | |
| group: 'PR Staging @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
| cancel-in-progress: true | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | |
| # Make sure only approved files are changed if it's in github/docs | |
| - name: Check changed files | |
| if: ${{ github.event.pull_request.user.login != 'Octomerger' }} | |
| uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58 | |
| id: filter | |
| with: | |
| # Base branch used to get changed files | |
| base: 'main' | |
| # Enables setting an output in the format in `${FILTER_NAME}_files | |
| # with the names of the matching files formatted as JSON array | |
| list-files: json | |
| # Returns list of changed files matching each filter | |
| filters: | | |
| notAllowed: | |
| - '*.js' | |
| - '*.mjs' | |
| - '*.cjs' | |
| - '*.ts' | |
| - '*.tsx' | |
| - '*.json' | |
| - '.npmrc' | |
| - '.babelrc*' | |
| - '.env*' | |
| - 'script/**' | |
| - 'Procfile' | |
| # When there are changes to files we can't accept | |
| - name: Fail when disallowed files are changed | |
| if: ${{ steps.filter.outputs.notAllowed == 'true' }} | |
| run: exit 1 | |
| - name: Setup node | |
| uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458 | |
| with: | |
| node-version: 16.13.x | |
| cache: npm | |
| # Required for `npm pkg ...` command support | |
| - name: Update to npm@^7.20.0 | |
| run: npm install --global npm@^7.20.0 | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Cache nextjs build | |
| uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353 | |
| with: | |
| path: .next/cache | |
| key: ${{ runner.os }}-nextjs-${{ hashFiles('package*.json') }} | |
| - name: Build | |
| run: npm run build | |
| - name: Remove development-only dependencies | |
| run: npm prune --production | |
| - name: Remove all npm scripts | |
| run: npm pkg delete scripts | |
| - name: Set npm script for Heroku build to noop | |
| run: npm set-script heroku-postbuild "echo 'Application was pre-built!'" | |
| - name: Create an archive | |
| run: | | |
| tar -c --file=app.tar \ | |
| node_modules/ \ | |
| .next/ \ | |
| assets/ \ | |
| content/ \ | |
| data/ \ | |
| includes/ \ | |
| lib/ \ | |
| middleware/ \ | |
| translations/ \ | |
| server.mjs \ | |
| package*.json \ | |
| .npmrc \ | |
| feature-flags.json \ | |
| next.config.js \ | |
| app.json \ | |
| Procfile | |
| # We can't delete the .next/cache directory from the workflow | |
| # because it's needed for caching, but we can at least delete it | |
| # from within the tarball. Then it can be cached but not | |
| # weigh down the tarball we intend to deploy. | |
| tar --delete --file=app.tar .next/cache | |
| # Upload only the files needed to run this application. | |
| # We are not willing to trust the rest (e.g. script/) for the remainder | |
| # of the deployment process. | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 | |
| with: | |
| name: pr_build | |
| path: app.tar |