Fix CVEs #256

Workflow file for this run

.github/workflows/workflow.yml at a82b252

	name: Build

	on:
	push:
	branches:
	- main
	paths-ignore:
	- .github/workflows/security-scanning.yml
	- .github/workflows/skipped-security-scanning.yml
	- .github/workflows/skipped-workflow.yml
	- '.vscode/**'
	- .editorconfig
	- LICENSE
	- README.md
	pull_request:
	types:
	- opened
	- reopened
	- synchronize
	- closed
	branches:
	- main
	paths-ignore:
	- .github/workflows/security-scanning.yml
	- .github/workflows/skipped-security-scanning.yml
	- .github/workflows/skipped-workflow.yml
	- '.vscode/**'
	- .editorconfig
	- LICENSE
	- README.md

	permissions:
	id-token: write

	env:
	RESOURCE_GROUP_NAME: cors-rg
	STATIC_WEB_APP_NAME: cors-stapp
	AZURE_LOCATION: eastasia

	jobs:
	build:
	name: Build
	if: github.event_name == 'push' \|\| (github.event_name == 'pull_request' && github.event.action != 'closed')
	outputs:
	deployPullRequest: ${{ steps.should_deploy_pr.outputs.deployPullRequest }}
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: yarn install
	run: yarn install
	- name: yarn lint
	run: yarn lint
	- name: yarn build-prod
	run: yarn build-prod
	- name: Version web artifact
	run: jq --arg formattedDate $(date +%Y%m%d) '.build = $formattedDate + "." + $ENV.GITHUB_RUN_NUMBER \| .commit = $ENV.GITHUB_SHA \| .apiBaseUrl = "https://cors-func.azurewebsites.net"' dist/browser/environment.json > tmp.$$.json && mv tmp.$$.json dist/browser/environment.json
	- name: Publish API
	working-directory: ./api
	run: \|
	dotnet publish --configuration Release --output ./dist
	cd dist
	zip -r ./api.zip ./*
	- name: Upload API artifact
	uses: actions/upload-artifact@v4
	with:
	name: api
	path: api/dist/api.zip
	if-no-files-found: error
	- name: Upload web artifact
	uses: actions/upload-artifact@v4
	with:
	name: web
	path: dist/browser
	if-no-files-found: error
	- name: Upload bicep artifact
	uses: actions/upload-artifact@v4
	with:
	name: bicep
	path: deploy
	if-no-files-found: error
	- name: Determine if we're deploying on Pull Request
	id: should_deploy_pr
	if: ${{ github.event_name == 'pull_request' }}
	run: \|
	headCommitMessage=$(git log ${{ github.event.pull_request.head.sha }} -n 1 --format=%B)
	echo "HEAD commit message is: $headCommitMessage"
	if [[ $headCommitMessage == "[deploy-pr]" ]]; then
	echo "::notice ::Deploying Pull Request to preview environment"
	echo "deployPullRequest=true" >> $GITHUB_OUTPUT
	fi

	release:
	name: Release
	if: ${{ github.ref == 'refs/heads/main' \|\| needs.build.outputs.deployPullRequest == 'true' }}
	runs-on: ubuntu-22.04
	environment: PROD
	needs: build
	env:
	resourceGroupName: cors-cache
	storageAccountName: corscache
	DEPLOYMENT_NAME:
	DEPLOYMENT_TOKEN:
	steps:
	- name: Download bicep artifact
	uses: actions/download-artifact@v4
	with:
	name: bicep
	path: deploy
	- name: Download web artifact
	uses: actions/download-artifact@v4
	with:
	name: web
	path: web
	- name: Download API artifact
	uses: actions/download-artifact@v4
	with:
	name: api
	path: api
	- name: Sign in to Azure
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_CLIENT_ID_1 }}
	tenant-id: ${{ secrets.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	- name: Set deployment name
	run: echo "DEPLOYMENT_NAME=cors-$(date +%y%m%d-%H%M%S)-$(uuidgen \| cut -c 1-4)" >> $GITHUB_ENV
	- name: Create / update resource group
	run: az group create --name ${{ env.RESOURCE_GROUP_NAME }} --location ${{ env.AZURE_LOCATION }}
	- name: Deploy Bicep file
	uses: azure/arm-deploy@v2
	with:
	scope: resourcegroup
	deploymentName: ${{ env.DEPLOYMENT_NAME }}
	resourceGroupName: ${{ env.RESOURCE_GROUP_NAME }}
	template: deploy/main.bicep
	parameters: >
	staticWebAppLocation=${{ env.AZURE_LOCATION }}
	failOnStdErr: false
	- name: Set Static Web App deployment token
	run: \|
	jsonDeploymentToken=$(az staticwebapp secrets list --name ${{ env.STATIC_WEB_APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP_NAME }} --query 'properties.apiKey')
	deploymentToken="${jsonDeploymentToken:1:-1}"
	echo "::add-mask::$deploymentToken"
	echo "DEPLOYMENT_TOKEN=$deploymentToken" >> $GITHUB_ENV
	- name: Deploy to Static Web App
	uses: Azure/static-web-apps-deploy@v1
	with:
	azure_static_web_apps_api_token: ${{ env.DEPLOYMENT_TOKEN }}
	action: 'upload'
	app_location: 'web'
	output_location: ''
	skip_app_build: true
	skip_api_build: true
	- name: Deploy API
	run: az functionapp deploy --resource-group ${{ env.RESOURCE_GROUP_NAME }} --name 'cors-func' --src-path 'api/api.zip'

	delete_preview_environment:
	name: Delete Static Web App Pull Request preview environment
	if: github.event_name == 'pull_request' && github.event.action == 'closed'
	runs-on: ubuntu-22.04
	environment: PROD
	env:
	DEPLOYMENT_TOKEN:
	steps:
	- name: Sign in to Azure
	uses: azure/login@v1
	with:
	client-id: ${{ secrets.AZURE_CLIENT_ID_1 }}
	tenant-id: ${{ secrets.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	- name: Set Static Web App deployment token
	run: \|
	jsonDeploymentToken=$(az staticwebapp secrets list --name ${{ env.STATIC_WEB_APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP_NAME }} --query 'properties.apiKey')
	deploymentToken="${jsonDeploymentToken:1:-1}"
	echo "::add-mask::$deploymentToken"
	echo "DEPLOYMENT_TOKEN=$deploymentToken" >> $GITHUB_ENV
	- name: Delete preview environment
	uses: Azure/static-web-apps-deploy@v1
	with:
	azure_static_web_apps_api_token: ${{ env.DEPLOYMENT_TOKEN }}
	action: 'close'
	app_location: 'web'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix CVEs #256

Workflow file

Fix CVEs #256

Jobs

Run details

Workflow file for this run