From f08ee15cea5e3152a974aa1ca8d10d300b30f200 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Tue, 9 Sep 2025 12:00:56 +0530
Subject: [PATCH 1/2] [web] Harden workflows
---
 .github/workflows/web-deploy-one.yml | 4 +++-
 .github/workflows/web-deploy-preview.yml | 4 +++-
 .github/workflows/web-deploy-staging.yml | 3 ++-
 .github/workflows/web-deploy.yml | 13 ++++++++++++-
 .github/workflows/web-lint.yml | 13 ++++++++++++-
 5 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/web-deploy-one.yml b/.github/workflows/web-deploy-one.yml
index fd24af13e3..0b2dbe7539 100644
--- a/.github/workflows/web-deploy-one.yml
+++ b/.github/workflows/web-deploy-one.yml
@@ -29,6 +29,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup node and enable yarn caching uses: actions/setup-node@v4
@@ -38,7 +40,7 @@ jobs: cache-dependency-path: "web/yarn.lock" - name: Install dependencies - run: yarn install + run: yarn install --frozen-lockfile - name: Build ${{ inputs.app }} run: yarn build:${{ inputs.app }}
diff --git a/.github/workflows/web-deploy-preview.yml b/.github/workflows/web-deploy-preview.yml
index 52d131179c..73dceeb54e 100644
--- a/.github/workflows/web-deploy-preview.yml
+++ b/.github/workflows/web-deploy-preview.yml
@@ -29,6 +29,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup node and enable yarn caching uses: actions/setup-node@v4
@@ -38,7 +40,7 @@ jobs: cache-dependency-path: "web/yarn.lock" - name: Install dependencies - run: yarn install + run: yarn install --frozen-lockfile - name: Build ${{ inputs.app }} run: yarn build:${{ inputs.app }}
diff --git a/.github/workflows/web-deploy-staging.yml b/.github/workflows/web-deploy-staging.yml
index e0652c36b1..659b656e59 100644
--- a/.github/workflows/web-deploy-staging.yml
+++ b/.github/workflows/web-deploy-staging.yml
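Review bot: Setting `persist-credentials: false` removes the token from the checkout, but `uses: actions/checkout@v4` on the context line above it (and `actions/setup-node@v4` below) is still resolved through a mutable tag, so the hardening stops short of pinning the actions this workflow executes; for a commit titled "Harden workflows" pin each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder — take the SHA from the action's release). The same applies to the corresponding checkout hunks in web-deploy-preview.yml, web-deploy-staging.yml, web-deploy.yml and web-lint.yml. The `steps:` list these hunks sit in continues outside the hunk.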
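Review bot: `run: yarn build:${{ inputs.app }}` on the hunk's last context line expands a workflow input straight into the shell script, where any shell metacharacters in the value are interpreted before `yarn` sees them; where `inputs.app` originates (workflow_call or workflow_dispatch) is not visible in the hunk, but since this commit is about hardening, route the value through an environment variable, `env:` / `  APP: ${{ inputs.app }}` / `run: yarn build:"$APP"`, so it reaches the command as data rather than as script text. The `--frozen-lockfile` change itself is the right flag for Yarn Classic, which the severity-bitmask handling in web-deploy.yml's audit step also implies. web-deploy-preview.yml's @@ -38 hunk has the identical `run:` line. The job's step list continues outside the hunk.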
@@ -37,6 +37,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ steps.select-branch.outputs.branch }} + persist-credentials: false - name: Setup node and enable yarn caching uses: actions/setup-node@v4
@@ -46,7 +47,7 @@ jobs: cache-dependency-path: "web/yarn.lock" - name: Install dependencies - run: yarn install + run: yarn install --frozen-lockfile - name: Build photos run: yarn build:photos
diff --git a/.github/workflows/web-deploy.yml b/.github/workflows/web-deploy.yml
index ee6e1d6e7b..d6f34a4936 100644
--- a/.github/workflows/web-deploy.yml
+++ b/.github/workflows/web-deploy.yml
@@ -33,6 +33,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup node and enable yarn caching uses: actions/setup-node@v4
@@ -42,7 +44,16 @@ jobs: cache-dependency-path: "web/yarn.lock" - name: Install dependencies - run: yarn install + run: yarn install --frozen-lockfile + + - name: Audit dependencies + run: | + yarn audit --level critical + exit_code=$? + if [ $exit_code -ge 16 ]; then + echo "::error::Yarn audit found critical issues" + exit 1 + fi - name: Build photos run: yarn build:photos
diff --git a/.github/workflows/web-lint.yml b/.github/workflows/web-lint.yml
index 517022997d..ad7a237a47 100644
--- a/.github/workflows/web-lint.yml
+++ b/.github/workflows/web-lint.yml
@@ -24,6 +24,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup node and enable yarn caching uses: actions/setup-node@v4
@@ -32,6 +34,15 @@ jobs: cache: "yarn" cache-dependency-path: "web/yarn.lock" - - run: yarn install + - run: yarn install --frozen-lockfile - run: yarn lint + + - name: Audit dependencies + run: | + yarn audit --level critical + exit_code=$? + if [ $exit_code -ge 16 ]; then + echo "::error::Yarn audit found critical issues" + exit 1 + fi
From 82c7d1865c7794b1850756ccdd7fb7c6ac894238 Mon Sep 17 00:00:00 2001
From: Manav Rathi
Date: Tue, 9 Sep 2025 12:49:08 +0530
Subject: [PATCH 2/2] Update
---
 .github/workflows/web-deploy.yml | 5 ++---
 .github/workflows/web-lint.yml | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/web-deploy.yml b/.github/workflows/web-deploy.yml
index d6f34a4936..0e586ba073 100644
--- a/.github/workflows/web-deploy.yml
+++ b/.github/workflows/web-deploy.yml
@@ -48,9 +48,8 @@ jobs: - name: Audit dependencies run: | - yarn audit --level critical - exit_code=$? - if [ $exit_code -ge 16 ]; then + yarn audit --level critical || exit_code=$? + if [[ $exit_code -ge 16 ]]; then echo "::error::Yarn audit found critical issues" exit 1 fi
diff --git a/.github/workflows/web-lint.yml b/.github/workflows/web-lint.yml
index ad7a237a47..8bab3f4e77 100644
--- a/.github/workflows/web-lint.yml
+++ b/.github/workflows/web-lint.yml
@@ -40,9 +40,8 @@ jobs: - name: Audit dependencies run: | - yarn audit --level critical - exit_code=$? - if [ $exit_code -ge 16 ]; then + yarn audit --level critical || exit_code=$? + if [[ $exit_code -ge 16 ]]; then echo "::error::Yarn audit found critical issues" exit 1 fi
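Review bot: `exit_code` is only assigned when `yarn audit` fails, so on a clean audit `[[ $exit_code -ge 16 ]]` compares an unset variable and passes only because `[[ ]]` evaluates the empty string as 0; initialise it explicitly and document the magic number, e.g. `# Yarn Classic audit exits with a severity bitmask: 1 info, 2 low, 4 moderate, 8 high, 16 critical` / `exit_code=0` / `yarn audit --level critical || exit_code=$?`. Note that `--level critical` only filters which advisories are printed, so the `-ge 16` comparison is what actually enforces the threshold. One gap worth confirming: if `yarn` exits non-zero for a reason unrelated to advisories (registry unreachable, for instance), that code is captured the same way and, being below 16, lets the gate pass silently, so consider also failing when no audit report was produced. The web-lint.yml hunk below has the identical step. The `run: |` script is shown in full here; the enclosing `steps:` list continues outside the hunk.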