Build Secure #10661
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Secure | |
| # Secure execution of continuous integration jobs | |
| # which are performed upon completion of the | |
| # "Continuous Integration" workflow | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| on: | |
| workflow_run: | |
| workflows: [Build] | |
| types: [completed] | |
| env: | |
| PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0] != null && github.event.workflow_run.pull_requests[0].number || '' }} | |
| IMAGE_REPO_PREVIEW: ghcr.io/sbb-design-systems/lyne-components/docs-preview | |
| jobs: | |
| preview-image: | |
| runs-on: ubuntu-latest | |
| if: > | |
| github.event.workflow_run.event == 'pull_request' && | |
| github.event.workflow_run.conclusion == 'success' && | |
| github.event.workflow_run.pull_requests[0] != null | |
| permissions: | |
| checks: write | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| services: | |
| dev-docs: | |
| image: ghcr.io/sbb-design-systems/lyne-components/docs:dev | |
| ports: | |
| - 8050:8080 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: yarn | |
| - run: yarn install --frozen-lockfile --non-interactive | |
| - uses: actions/download-artifact@v8 | |
| with: | |
| name: docs | |
| path: dist/storybook/ | |
| run-id: ${{ github.event.workflow_run.id }} | |
| github-token: ${{ secrets.GH_ACTIONS_ARTIFACT_DOWNLOAD }} | |
| - name: Remove files with forbidden extensions | |
| run: node ./scripts/clean-docs-files.ts | |
| - name: Calculate CSP hash for preview docs | |
| run: yarn build nginx-conf | |
| - name: Create size check | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| const { title, summary, text } = await import('${{ github.workspace }}/scripts/compare-stats.ts'); | |
| await github.rest.checks.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| name: 'Size Check', | |
| head_sha: context.payload.workflow_run.head_sha, | |
| output: { title, summary, text }, | |
| status: 'completed', | |
| conclusion: 'success', | |
| }); | |
| - name: Create GitHub Deployment | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| const environment = `pr${process.env.PR_NUMBER}`; | |
| const payload = { owner: context.repo.owner, repo: context.repo.repo, environment }; | |
| const { data: deployment } = await github.rest.repos.createDeployment({ | |
| ...payload, | |
| ref: context.payload.workflow_run.head_sha, | |
| auto_merge: false, | |
| required_contexts: ['build'] | |
| }); | |
| await github.rest.repos.createDeploymentStatus({ | |
| ...payload, | |
| deployment_id: deployment.id, | |
| state: 'in_progress', | |
| environment_url: `https://${context.repo.repo}-${environment}.app.sbb.ch`, | |
| }); | |
| - uses: ./.github/actions/setup-mint | |
| - name: 'Container: Build and preview image' | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
| docker build --tag ${{ env.IMAGE_REPO_PREVIEW }}:pr$PR_NUMBER-fat . | |
| mint slim \ | |
| --target ${{ env.IMAGE_REPO_PREVIEW }}:pr$PR_NUMBER-fat \ | |
| --tag ${{ env.IMAGE_REPO_PREVIEW }}:pr$PR_NUMBER \ | |
| --preserve-path /usr/share/nginx/html \ | |
| --include-new false | |
| docker push ${{ env.IMAGE_REPO_PREVIEW }}:pr$PR_NUMBER | |
| docker image list | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| - name: "Add 'preview-available' label" | |
| # This label is used for filtering deployments in ArgoCD | |
| run: gh issue edit $PR_NUMBER --add-label "preview-available" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |