1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00
unleash.unleash/.github/workflows/notify_enterprise.yaml
Gastón Fournier 05c6f42f7b
fix: avoid expression injection (#4157)
## About the changes
Using toJSON should escape any potentially harmful content from the
username and email input
2023-07-06 07:52:50 +00:00

67 lines
2.2 KiB
YAML

name: 'Notify enterprise of commit in main'
on:
push:
branches:
- main
paths-ignore:
- website/**
- coverage/**
# not sure if we will have all the payload as the push to main has.
# workflow_run:
# workflows: [ 'Publish to npm' ]
# types: [ completed ]
# branches:
# - 'main'
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x]
steps:
- uses: actions/checkout@v3
- name: Trigger sync
uses: actions/github-script@v6
env:
COMMIT_ACTOR: ${{ github.event.commits[0].author.name }} <${{ github.event.commits[0].author.email }}>
with:
github-token: ${{ secrets.UNLEASH_CI_BUILDER_GITHUB_TOKEN }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'ivarconr',
repo: 'unleash-enterprise',
workflow_id: 'cicd.yaml',
ref: 'master',
inputs: {
commit: "${{ github.event.head_commit.id }}",
actor: ${{ toJSON(env.COMMIT_ACTOR) }},
message: ${{ toJSON(github.event.head_commit.message) }},
}
})
# build static assets after triggering the sync workflow.
# Adding a validation step in the sync workflow will ensure that the static assets are built before deployment.
- name: Build static assets
run: |
cd frontend
yarn install --frozen-lockfile
yarn build
- uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: Get the commit hash
id: get_commit_hash
run: |
COMMIT_HASH=${{ github.sha }}
echo "Commit hash: $COMMIT_HASH"
echo "::set-output name=COMMIT_HASH::$COMMIT_HASH"
- name: Publish static assets to S3
run: |
aws s3 cp frontend/build s3://getunleash-static/unleash/commits/${{ steps.get_commit_hash.outputs.COMMIT_HASH }} --recursive