-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[#1272] Actions: move deployment to Surge to a secure workflow #1411
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@dcshzj Can you propose a nicer commit message that describes the dangering we are facing and how we are going to solve it? It is a good PR to practice your commit message writing ability. |
@fzdy1914 I have updated the commit message, is it okay? |
The commit message is good now. But the sample run you provided does not have a showcase of how current deployment will be. You have mentioned that Why we have to use the |
Sorry, are you referring to the deployment to surge? It's not included because only this repository has access to the secret, so only jobs that run on this repository will be able to successfully deploy to surge.
Yep it is only the This is an example where it is a PR from one branch to another non-default branch: dcshzj#3
The |
Can you set up a surge for your repo? This set up will not conflict with the setting of RepoSense.
OK, in this case. To have a test, can you temporarily merge your new branch in your master (and revert it when the testing is done)? And then, send one PR to master and another PR to another branch to see if the workflow goes well? |
@fzdy1914 Here are the links for the workflows:
Seems to work as expected. |
Yep, it is working. However, to be more precise, can you refer to the way how But you can argue that showing the PR preview links is enough to indicate that the workflow is running without any error. But anyway, I am thinking of effectively locating certain workflow if we indeed need to find it. |
@dcshzj Thank you for the quick work on the PR. I think it would be a good practice to document this in some repository or in some way since we all won't be working on the project all the time. This would help future maintainers and developers be more prepared and avoid such code. |
Sure, can add a note in the DG. Alternatively, a good commit message should be enough as it can be reached using git or github? |
I have implemented this by expanding on the commit status that we have used in the past. I also took the opportunity to remove the redundant code, since we are not doing surge.sh builds for pushes. Thus, the failure of the GitHub Actions will now first report a pending status first. If any step fails for some reason, a failure status will be reported for the dashboard and docs deployments. Otherwise, it will remain pending until the deployment to surge is completed, then a success status will be reported. A sample PR is available here: dcshzj#2
Would it be okay to keep it as part of the commit message? I think the separation of workflow files would raise eyebrows, but the commit history will have this PR for record. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Set the env_url to pull_request
event if fail, but to workflow
even when success.
It should be working now. To verify:
Untrusted code is now only run in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Resolves security issue.
Fixes #1272.