Skip to content

Add failure notification job to deployer workflow #42

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ben-dydx-ops merged 2 commits into from
Dec 11, 2025
Merged

Add failure notification job to deployer workflow #42

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ef615d3
Add failure notification job to deployer workflow
ben-dydx-ops Dec 11, 2025
46b5fa4
Use variable for BOT_ENDPOINT in deployer.yml
ben-dydx-ops Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions .github/workflows/deployer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -223,3 +223,31 @@
# Force push the changes to the main branch
sleep 1
git push --force origin main
# ========================================
# JOB 4: Notify Failure
# ========================================
notify-failure:
runs-on: ubuntu-latest
needs: [fetch-versions, determine-if-deployment-needed, deploy]
if: failure() || cancelled()
steps:
- name: Send failure notice to deploymentPromoted bot
env:
BOT_ENDPOINT: ${{ vars.DEPLOYMENT_PROMOTED_URL }}
PROJECT_NAME: v4-web
LATEST_PATCH: ${{ needs.fetch-versions.outputs.latest-patch-in-line-version }}
PRODUCTION_VERSION: ${{ needs.fetch-versions.outputs.production-version }}
run: |
VERSION_PAYLOAD="$LATEST_PATCH"
if [ -z "$VERSION_PAYLOAD" ]; then
VERSION_PAYLOAD="$PRODUCTION_VERSION"
fi

curl -X POST "$BOT_ENDPOINT" \
-H "Content-Type: application/json" \
-d "$(jq -n \
--arg project "$PROJECT_NAME" \
--arg status "failed" \
--arg version "$VERSION_PAYLOAD" \
--arg workflow_run "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
'{project: $project, status: $status, version: $version, meta: {workflow_run: $workflow_run}}')"
Comment on lines +230 to +253

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix this issue, explicitly limit the permissions at the root of the workflow (.github/workflows/deployer.yml) by setting a permissions: block. Since no step in this workflow appears to require write access to repository contents, secrets, or other sensitive scopes (other than the use of a GitHub App token in the deploy job, which is handled via an app token, not the Actions default token), the safest minimal setting is to declare permissions: read-all at the workflow/root level. If finer granularity is desired, specify only those permissions required (e.g., contents: read); for most workflows, contents: read is enough, and jobs that require more can declare it themselves. For maximal security and future clarity, add the block just after the workflow name: and before the on: key.

No external dependencies or package changes are required.

Suggested changeset 1
.github/workflows/deployer.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deployer.yml b/.github/workflows/deployer.yml
--- a/.github/workflows/deployer.yml
+++ b/.github/workflows/deployer.yml
@@ -1,4 +1,6 @@
 name: Deploy new upstream release to Vercel
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
EOF
@@ -1,4 +1,6 @@
name: Deploy new upstream release to Vercel
permissions:
contents: read

on:
workflow_dispatch:
Copilot is powered by AI and may make mistakes. Always verify output.
Loading