From eafdfc54bff8e752d84477db02e35944ec89e214 Mon Sep 17 00:00:00 2001 From: Kim Pohas Date: Fri, 30 May 2025 12:21:50 -0400 Subject: [PATCH 1/5] GitHub workflow cleanup and alignment with Docusaurus 3.8 --- .github/workflows/build_and_deploy.yml | 7 ++- .github/workflows/delete-review.yml | 2 + .github/workflows/pr.yml | 64 +++++++++++++------------- 3 files changed, 37 insertions(+), 36 deletions(-) diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index 020c7414f7..01275e26df 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -13,7 +13,7 @@ on: default: "/" type: string environment: - description: GHA environment name + description: GitHub Actions environment name (used for scoping secrets and deployment) required: true type: string secrets: @@ -35,6 +35,7 @@ jobs: env: CI: true NODE_ENV: production + NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192" AWS_PAGER: "" HOSTNAME: ${{ inputs.hostname }} BASE_URL: ${{ inputs.base_url }} @@ -53,7 +54,7 @@ jobs: uses: actions/cache@v3 with: path: node_modules/.cache - key: ${{ runner.os }}-webpack-cache + key: ${{ runner.os }}-webpack-cache-${{ hashFiles('yarn.lock') }} - name: Install awscli uses: unfor19/install-aws-cli-action@v1 - name: Install jq @@ -61,8 +62,6 @@ jobs: - name: Install dependencies run: yarn install --frozen-lockfile - name: Build the Docusaurus site - env: - NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192" run: yarn build - name: Deploy the Docusaurus site env: diff --git a/.github/workflows/delete-review.yml b/.github/workflows/delete-review.yml index e9ae0ad3f1..920f7304df 100644 --- a/.github/workflows/delete-review.yml +++ b/.github/workflows/delete-review.yml 
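Review bot: The `Install awscli` step in the `@@ -53,7 +54,7 @@` hunk of `build_and_deploy.yml` still references a third-party action by a mutable tag, `unfor19/install-aws-cli-action@v1`, and it installs the CLI binary that the deploy step further down presumably runs (that step's `env:` block is cut off at the hunk edge). A retagged or compromised release would therefore execute in the deployment path, so pin it to a full commit SHA, for example `uses: unfor19/install-aws-cli-action@<full-commit-sha> # v1`. The same applies to `codespell-project/actions-codespell@master` in the `pr.yml` hunk of this patch, which tracks a branch rather than a release. The first-party `actions/cache@v3` and `actions/setup-node@v3` references could be pinned the same way.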
@@ -9,6 +9,7 @@ jobs: name: review/${{ github.ref_name }} env: CI: true + NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192" AWS_PAGER: "" BASE_URL: /${{ github.ref_name }}/ AWS_DEFAULT_REGION: us-east-1 @@ -23,6 +24,7 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | + echo "Removing files at s3://${S3_BUCKET_NAME}${BASE_URL}" aws s3 rm --recursive s3://${S3_BUCKET_NAME}${BASE_URL} export INVALIDATION_ID=$( aws cloudfront create-invalidation \ diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f2d6872475..0f6b7881dc 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
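Review bot: The added `echo` in the `@@ -23,6 +24,7 @@` hunk logs the target, but the `aws s3 rm --recursive` on the next line still runs on an unquoted, unvalidated `s3://${S3_BUCKET_NAME}${BASE_URL}`. A guard before it, such as `: "${S3_BUCKET_NAME:?}" "${BASE_URL:?}"`, plus quoting the URI as `"s3://${S3_BUCKET_NAME}${BASE_URL}"`, would make an unset variable fail the step before any delete is attempted. `BASE_URL` is built from `github.ref_name`, and a later patch in this series shows the trigger as `on: delete`; on that event the workflow runs in the default branch's context and the deleted branch name is in `github.event.ref`, so it is worth confirming which prefix is actually removed. The `run:` block continues past the end of the hunk.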
@@ -1,40 +1,40 @@ name: Pull Request Checks on: - pull_request: - branches: - - main - merge_group: - types: - - checks_requested + pull_request: + branches: + - main + merge_group: + types: + - checks_requested + +env: + CI: true + NODE_ENV: production + NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192" jobs: - build-and-deploy: - runs-on: ubuntu-latest - env: - CI: true - NODE_ENV: production - steps: - - uses: actions/checkout@v4 - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - node-version: '20.x' - cache: 'yarn' - - name: Docusaurus Webpack cache - uses: actions/cache@v3 - with: - path: node_modules/.cache - key: ${{ runner.os }}-webpack-cache - - name: Install dependencies - run: yarn install --frozen-lockfile - - name: Build the Docusaurus site - env: - NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192" - run: yarn build - spellcheck: - runs-on: ubuntu-latest - steps: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Node.js + uses: actions/setup-node@v3 + with: + node-version: '20.x' + cache: 'yarn' + - name: Docusaurus Webpack cache + uses: actions/cache@v3 + with: + path: node_modules/.cache + key: ${{ runner.os }}-webpack-cache-${{ hashFiles('yarn.lock') }} + - name: Install dependencies + run: yarn install --frozen-lockfile + - name: Build the Docusaurus site + run: yarn build + spellcheck: + runs-on: ubuntu-latest + steps: - uses: actions/checkout@v4 - uses: codespell-project/actions-codespell@master name: Check spelling From 9ecd6e918e26d8ca63ddf51d9a25c3e0f504fe88 Mon Sep 17 00:00:00 2001 
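Review bot: Hoisting `env` to the workflow level makes `NODE_ENV: production` and `NODE_OPTIONS` apply to the `spellcheck` job as well, which in the visible steps only checks out the repository and runs codespell. Keeping the block on the build job, as before, limits it to the steps that need it; if the wider scope is intended, a comment such as `# shared by all jobs; spellcheck does not use these` would make that explicit. The job is also still named `build-and-deploy` although its steps only install and build. The `spellcheck` steps continue past the end of the hunk.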
From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Fri, 30 May 2025 10:42:23 -0700 Subject: [PATCH 2/5] Potential fix for code scanning alert no. 7: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/pr.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 0f6b7881dc..82ce065908 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,4 +1,6 @@ name: Pull Request Checks +permissions: + contents: read on: pull_request: From a7afcdbbd3a33bf672295af3d658b3e5d8c29a92 Mon Sep 17 00:00:00 2001 From: Kim Pohas Date: Fri, 30 May 2025 13:46:01 -0400 Subject: [PATCH 3/5] cleanup --- .github/workflows/build_and_deploy.yml | 3 +++ .github/workflows/delete-review.yml | 3 +++ .github/workflows/pr.yml | 3 +++ .github/workflows/production.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index 01275e26df..32de0ee6cc 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -1,5 +1,8 @@ name: Build and Deploy +permissions: + contents: read + on: workflow_call: inputs: diff --git a/.github/workflows/delete-review.yml b/.github/workflows/delete-review.yml index 920f7304df..9bc8feb642 100644 --- a/.github/workflows/delete-review.yml +++ b/.github/workflows/delete-review.yml @@ -1,5 +1,8 @@ name: delete-review +permissions: + contents: read + on: delete jobs: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 0f6b7881dc..cdc5a42c86 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,5 +1,8 @@ name: Pull Request Checks +permissions: + contents: read + on: pull_request: branches: diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml index ffd6697aa2..1eb8812397 100644 
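Review bot: In the `delete-review.yml` hunk of patch 3, `contents: read` may be more than the job needs. The steps visible elsewhere in this series only call the AWS CLI with static keys from `secrets`, and no checkout step is shown. If the job never reads the repository, a top-level `permissions: {}` would leave the `GITHUB_TOKEN` with no scopes; confirm against the full file, which is not visible here.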
--- a/.github/workflows/production.yml +++ b/.github/workflows/production.yml @@ -1,5 +1,8 @@ name: deploy-to-production +permissions: + contents: read + on: push: branches: From 31d80e8bef8777fbb1e3641c617c2efa48c749e7 Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Fri, 30 May 2025 10:47:11 -0700 Subject: [PATCH 4/5] Update .github/workflows/pr.yml --- .github/workflows/pr.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 3477834d54..cdc5a42c86 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,6 +1,4 @@ name: Pull Request Checks -permissions: - contents: read permissions: contents: read From 3600fbdb45de79c4e0292fbc1c575ae8e13c08ac Mon Sep 17 00:00:00 2001 From: Kim Pohas Date: Fri, 30 May 2025 13:49:15 -0400 Subject: [PATCH 5/5] add pull-requests: read --- .github/workflows/pr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 3477834d54..0ae9a57a6a 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -4,6 +4,7 @@ permissions: permissions: contents: read + pull-requests: read on: pull_request:
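Review bot: The `@@ -4,6 +4,7 @@` hunk of patch 5 carries `permissions:` as its section heading and then repeats `permissions:` / `contents: read` as context, which suggests that at this commit's base (`3477834d54`) `pr.yml` still holds two top-level `permissions:` mappings, with `pull-requests: read` added to the second. Duplicate keys are invalid YAML and most parsers silently keep only the last one, so confirm the merged file ends with a single block containing `contents: read` and `pull-requests: read`. None of the steps shown in this series (checkout, setup-node, cache, yarn, codespell) obviously reads pull-request data, so it is also worth checking whether the extra scope is needed at all.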