chore: add basic validation to get rid of security vulnerability in u… #1792
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Images and Create Deployment | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - prod | |
| repository_dispatch: | |
| types: [build-images-for-staging, build-images-for-prod] | |
| workflow_call: | |
| env: | |
| # Force using BuildKit instead of normal Docker, required so that metadata | |
| # is written/read to allow us to use layers of previous builds as cache. | |
| DOCKER_BUILDKIT: 1 | |
| COMPOSE_DOCKER_CLI_BUILD: 1 | |
| DOCKER_REPO: ${{ secrets.ECR_REPO }}/ | |
| GITHUB_BRANCH: ${{ github.event.client_payload.ref || github.ref }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| deployments: write | |
| jobs: | |
| build_images: | |
| uses: ./.github/workflows/build-images.yml | |
| secrets: inherit | |
| create_deployment: | |
| needs: | |
| - build_images | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Generate payload | |
| run: | | |
| echo "payload={\"tag\":\"sha-${GITHUB_SHA:0:8}\"}" >> $GITHUB_ENV | |
| if [[ "${{ env.GITHUB_BRANCH }}" == "refs/heads/prod" ]]; then | |
| echo "DEPLOYMENT_STAGE=prod" >> $GITHUB_ENV | |
| elif [[ "${{ env.GITHUB_BRANCH }}" == "refs/heads/staging" ]]; then | |
| echo "DEPLOYMENT_STAGE=stage" >> $GITHUB_ENV | |
| else | |
| echo "DEPLOYMENT_STAGE=dev" >> $GITHUB_ENV | |
| fi | |
| - name: Create deployment | |
| uses: avakar/create-deployment@v1 | |
| # To stop deployment to a specific DEPLOYMENT_STAGE remove it from condition below. | |
| # The DEPLOYMENT_STAGE that should be present are dev, stage, prod. | |
| if: env.DEPLOYMENT_STAGE == 'prod' || env.DEPLOYMENT_STAGE == 'stage' | |
| with: | |
| auto_merge: false | |
| environment: ${{ env.DEPLOYMENT_STAGE }} | |
| payload: ${{ env.payload }} | |
| required_contexts: "" # Temporary hack to avoid checking Github Status for the commit | |
| # TODO: Avoid circular dependency on the deploy step; this step hasn't finished yet so | |
| # it's not considered ready for deploy normally by required_contexts, but we need to | |
| # deploy for this to be considered ready. | |
| # Unfortunately there is no blocklist for required_contexts, only an allowlist, so | |
| # we'd have to enumerate every other Github PR status here, which can be constantly changing. | |
| # For now, we just ignore required_contexts to deploy on every success. | |
| # See https://github.community/t/can-i-avoid-creating-a-check-run-from-a-job-needed-for-deployments-api/16426 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.CZIBUILDBOT_GITHUB_TOKEN }} |