Commit graph

4 commits

Author SHA1 Message Date
Naveen 13a194466b
chore: Set permissions for GitHub actions (#2555)
* chore: Set permissions for GitHub actions

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Update docs-production-deploy.yml

* added `packages: write` permissions

this is apparently needed by GH so this repository can push new images.

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-05-11 09:51:15 +02:00
dependabot[bot] bf7fba68bd
chore(deps): bump actions/checkout from 2 to 3 (#2470)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
2022-03-09 11:57:01 +13:00
Brennan Kinney bdb770a0aa
ci(fix): Do not trust user controlled input (#2337)
The prepare workflow runs in an untrusted context already and thus should not have anything worthwhile to exploit.

However care should still be taken to avoid interpolating expressions into shell scripts directly that is data a user can control the value of. Especially to avoid any maintainer referencing an existing workflow from copying a risky snippet unaware of different security contexts for workflows.

In this case, as per Github Documentation and referenced issue comment, the PR title is user controllable data, which if directly interpolated into the shell script being run (as it previously was), allows for injecting commands to execute.
2021-12-21 21:46:09 +13:00
Brennan Kinney cf22475382
docs(ci): Deploy Previews (#1988)
* docs(ci): Support deploy previews for documentation

Each PR that contributes to docs will generate a unique (to that PR) URL to preview the PR live for review.

* docs(ci): Split workflow

To support previews from non-collaborators PR contributions, we cannot rely on secrets access from workflows triggered by the `pull_request` event.

To do so securely, according to official advice from Github, we must run the third-party contribution in the restricted `pull_request` context, and then use a 2nd workflow to deploy the build (which requires secrets access).

* docs(ci): Rename doc workflows + add commit status

Better naming convention for documentation workflows.

Split workflow only indicated status on PR of the 1st stage (building the preview to deploy), not the deployment progress/result. This needs to be managed more directly until the action better supports split-workflow scenario.

* docs(ci): Add concurrency limit to preview deploy workflow

This would be more ideal on the 2nd phase workflow (`workflow_run`), however keeping it simple for now.

Limits the concurrency of the initial pull request workflow for documentation contributions that have PRs with multiple event triggers in a small time span (before the workflow triggered would complete). The main benefit is to avoid redundant deploys if the initial workflow has been triggered again to build the PR once more. It only will work against concurrent workflows for that PR in the 1st stage, if an existing `workflow_run` (2nd stage) is active for that PR it will not be cancelled.

* docs(ci): Add sponsor branding for deploy preview service

A requirement from Netlify for the [sponsored OSS organization plan](https://www.netlify.com/legal/open-source-policy).

* docs(ci): Use a shared build script

Production and Deploy Preview builds are now maintained via the same shell command, so version updates of docker image is in one place.

Additionally deletes unnecessary build output which upstream provides no support to exclude.

* docs: Add a custom 404 page

This is used by the preview deploys on Netlify. Production deploys on Github Pages require a top-level 404 page manually deployed (since all are deployed to a version subpath).

This 404 page was custom built and optimized by me. This is the final minified output, separate source to build is available if needed.

---

Likewise the `favicon.ico` is a fallback for browsers that implicitly check the domain root for this file if the SVG isn't supported/preferred. Browsers check for this file without it being present in the HTML head meta elements.

On Github Pages the `favicon.ico` isn't likely to be picked up by even top-level as typical deployment has the project name as a subpath. The docs however reference a PNG favicon which should be widely supported.

The `favicon.ico` was generated by RealFaviconGenerator online tool with SVG source input. It contains 16px, 32px and 48px sizes. Quality is better than the `favicon.io` generator.

* chore: Optimized logo

SVG source cleaned up and optimized with SVGO 2.3.

Minified versions (`.min.svg` extension) remove unnecessary data and white-space to reduce size further for production use. This extension better differentiates by filename that it's different from the `src` version.
2021-05-20 22:24:46 +12:00
Renamed from .github/workflows/deploy-docs.yml (Browse further)