ADD - CI/CD #5
ADD - CI/CD #5
Conversation
* ADD - Implement CI workflow * UPD - Refactor CI workflow to remove duplicate pnpm setup step * UPD - Refactor CI workflow to remove duplicate pnpm setup step * UPD - Simplify request handling by directly using params.uuid * UPD - Simplify request handling by directly using params.uuid * UPD - Simplify request handling by directly using params.uuid * UPD - Simplify request handling by directly using params.uuid * UPD - Update route parameter handling to use Promise for uuid extraction * UPD - Update route parameter handling to use Promise for uuid extraction * UPD - Enhance CI configuration by adding Docker metadata extraction and updating image tags * UPD - Enhance CI configuration by adding Docker metadata extraction and updating image tags * UPD - Add step to generate Prisma Client in CI configuration * UPD - Add step to generate Prisma Client in CI configuration * UPD - Update Dockerfile to generate Prisma Client and optimize production dependencies * UPD - Update Dockerfile to generate Prisma Client and optimize production dependencies * UPD - Refactor CI configuration to improve environment variable handling and streamline deployment conditions * UPD - Simplify CI configuration by removing environment input and directly setting deployment environments * UPD - Update CI configuration to enforce manual deployment conditions for dev and prod environments * UPD - Add CI workflows for manual deployment to DEV and PROD environments * UPD - Enhance CI configuration to support manual deployment to DEV and PROD environments * UPD - CI * UPD - CI * UPD - CI * UPD - CI * UPD - CI * UPD - CI * UPD - CI * UPD - CI * UPD - CI
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@v3 | ||
| with: | ||
| version: 9 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| cache: 'pnpm' | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install --frozen-lockfile | ||
|
|
||
| - name: Generate Prisma Client | ||
| run: pnpm prisma generate | ||
|
|
||
| - name: Skip tests (no test script defined) | ||
| run: echo "⚠️ Aucun test défini, étape ignorée." | ||
|
|
||
| - name: Build app | ||
| run: pnpm build | ||
|
|
||
|
|
||
| # 2️⃣ Build & push Docker image | ||
| docker-build-push: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To fix the problem, explicitly set the minimal required permissions: for the build-and-test job. Since the steps in build-and-test only check out code, install dependencies, generate code, and build the app—and do not need to write to the repository—the minimal permission block should be contents: read. This prevents the job from inheriting potentially broad permissions from the repository's defaults. Add the block directly under the job definition (line 15, after runs-on) for clarity and granularity.
| @@ -14,6 +14,8 @@ | ||
| # 1️⃣ Build & tests | ||
| build-and-test: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout code |
| runs-on: self-hosted | ||
| needs: docker-build-push | ||
|
|
||
| steps: | ||
| - name: Clean workspace | ||
| run: rm -rf * | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Log in to GitHub Container Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Pull new image + restart stack | ||
| run: | | ||
| echo "🔧 Deploying on the server..." | ||
| cd /home/baptiste/Dev/WPT/dev | ||
| docker-compose pull | ||
| docker rm -f wpt-dev_website || true | ||
| docker-compose up -d --remove-orphans | ||
| echo "🚀 Deployed in DEV!" | ||
|
|
||
| deploy-prod: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To fix this problem, we should explicitly set a permissions block for the deploy-dev job in the .github/workflows/ci.yml workflow file. The minimal starting point, as recommended, is to restrict the GitHub token permissions to contents: read, unless more privileges are needed (which is not indicated by the job's steps).
Specifically, add a permissions block to the deploy-dev job:
deploy-dev:
runs-on: self-hosted
needs: docker-build-push
permissions:
contents: read
# ...This change should be added immediately after the existing needs: docker-build-push line (line 90), before steps:.
No new methods, imports, or other code modifications are necessary.
| @@ -88,6 +88,8 @@ | ||
| deploy-dev: | ||
| runs-on: self-hosted | ||
| needs: docker-build-push | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Clean workspace |
* UPD - CI * UPD - CI
| runs-on: self-hosted | ||
| needs: docker-build-push | ||
| if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request' | ||
| steps: | ||
| - name: Clean workspace | ||
| run: rm -rf * | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Log in to GitHub Container Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Pull new image + restart PROD stack | ||
| run: | | ||
| echo "🔧 Deploying on PROD..." | ||
| cd /home/baptiste/Dev/WPT/prod | ||
| docker-compose pull | ||
| docker rm -f wpt_website || true | ||
| docker-compose up -d --remove-orphans | ||
| echo "🚀 Deployed in PROD!" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To fix the problem, add a permissions block to the deploy-prod job, restricting the GITHUB_TOKEN to the least required privileges (likely contents: read). This ensures that the deploy-prod job cannot unexpectedly write to source code or other resources via the token. Place the following block directly under the runs-on and above needs (or immediately after needs, if preferred for consistency):
permissions:
contents: readThis matches the minimal usage for jobs that only need to fetch code or authenticate for Docker pulls. Review other self-hosted jobs (deploy-dev), and add a similar block if appropriate, but CodeQL only explicitly flagged deploy-prod, so let's just do that per instructions. No imports or other definitions are necessary—just a YAML block.
| @@ -115,6 +115,8 @@ | ||
| # 4️⃣ Deploy PROD (skip par défaut, relançable sur main) | ||
| deploy-prod: | ||
| runs-on: self-hosted | ||
| permissions: | ||
| contents: read | ||
| needs: docker-build-push | ||
| if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request' | ||
| steps: |
No description provided.