From 5827f60045fa525f20b2d33ea1c0838cccdf717c Mon Sep 17 00:00:00 2001
From: Ollama
Date: Fri, 15 May 2026 09:57:03 +0200
Subject: [PATCH] fix: Address remaining CodeRabbit review comments

- Fix invalid jq string filter syntax (missing quotes around interpolation)
- Add environment validation job in deploy.yml for workflow_call input
- Add fork detection guard in deploy-pr.yml to prevent fork PR deployments
Fixes:
- deploy.yml:183-184 - jq filter syntax error
- deploy.yml:31 - unvalidated environment input in reusable workflow
- deploy-pr.yml:5 - fork PR deployments blocked by pull_request_review restrictions
- deploy-pr.yml:168-200 - jq filter syntax errors
---
.github/workflows/deploy-pr.yml | 24 +++++++++---------------
.github/workflows/deploy.yml | 22 ++++++++++++++++++++--
2 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/deploy-pr.yml b/.github/workflows/deploy-pr.yml
index f2e8b6401..f2ee45fe6 100644
--- a/.github/workflows/deploy-pr.yml
+++ b/.github/workflows/deploy-pr.yml
@@ -17,7 +17,9 @@ jobs:
 deploy-staging:
 name: Deploy to staging
 runs-on: ubuntu-latest
- if: github.event.review.state == 'approved'
+ if: >
+ github.event.review.state == 'approved' &&
+ github.event.pull_request.head.repo.full_name == github.repository
 environment:
 name: staging
@@ -165,8 +167,8 @@ jobs:
 STATE="${{ steps.webhook.outputs.status }}"
 if [ "$STATE" = "success" ]; then
- DESCRIPTION=$(jq -n --arg tag "$IMAGE_TAG" --arg pr "$PR_NUMBER" \
- 'Deployed PR #\($pr) (\($tag)) to staging')
+ DESCRIPTION=$(jq -nr --arg tag "$IMAGE_TAG" --arg pr "$PR_NUMBER" \
+ '"Deployed PR #\($pr) (\($tag)) to staging"')
 gh api "repos/${GITHUB_REPOSITORY}/deployments/${{ steps.deployment.outputs.deployment_id }}/statuses" \
 -X POST \
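Review bot: The new `if` still fires on an `approved` review from anyone, so the fork guard closes one path while the approver's standing stays unchecked: as far as GitHub's review model goes, any account that can see a public repository's PR may submit an approving review (branch protection decides whether it counts, this condition does not), and on that event the job proceeds under the `staging` environment. Add a third term alongside the two existing ones, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)`, or make required reviewers on the `staging` environment the gate and document that choice next to the condition. The head-repo comparison itself fails closed, since a PR whose fork was deleted has a null `head.repo` that is not equal to `github.repository`. The `deploy-staging` job continues past the end of the hunk.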
@@ -190,19 +192,11 @@ jobs: STATUS: ${{ steps.webhook.outputs.status }} run: | if [ "$STATUS" = "success" ]; then - BODY=$(jq -n --arg tag "$IMAGE_TAG" --arg sha "$REF_SHA" --arg url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \ - 'āœ… **Staging deployment completed** - - šŸ”— **URL**: https://dev.opensourcepos.org - šŸ“¦ **Image Tag**: `\($tag)` - šŸ”Ø **Commit**: \($sha) - - View logs: \($url)') + BODY=$(jq -nr --arg tag "$IMAGE_TAG" --arg sha "$REF_SHA" --arg url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \ + '"āœ… **Staging deployment completed**\n\nšŸ”— **URL**: https://dev.opensourcepos.org\nšŸ“¦ **Image Tag**: `\($tag)`\nšŸ”Ø **Commit**: \($sha)\n\nView logs: \($url)"') else - BODY=$(jq -n --arg url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \ - 'āŒ **Staging deployment failed** - - Check the [workflow logs](\($url)) for details.') + BODY=$(jq -nr --arg url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \ + '"āŒ **Staging deployment failed**\n\nCheck the [workflow logs](\($url)) for details."') fi gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \ diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index b10a41ec9..c2ed3c934 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -39,8 +39,26 @@ permissions: deployments: write jobs: + validate-inputs: + name: Validate deployment inputs + runs-on: ubuntu-latest + steps: + - name: Validate environment + env: + TARGET_ENV: ${{ inputs.environment }} + run: | + set -euo pipefail + case "$TARGET_ENV" in + production|staging) ;; + *) + echo "::error::Invalid environment '$TARGET_ENV'. Expected 'production' or 'staging'." + exit 1 + ;; + esac + deploy: name: Deploy to ${{ inputs.environment }} + needs: validate-inputs runs-on: ubuntu-latest environment: 
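Review bot: Both `jq -nr` programs in the `run` block now carry the whole comment body as one literal with `\n` escapes, which leaves the success-path line well over 200 characters and makes any later edit to one Markdown line show up as a rewrite of the whole message. jq joins adjacent string literals with `+` and interpolation works inside each piece, so the body can be written one Markdown line per physical line, e.g. `'"āœ… **Staging deployment completed**\n\n" +` followed by `"šŸ”— **URL**: https://dev.opensourcepos.org\n" +` and so on, with `-r` output unchanged. The quoting fix itself is correct as written; the step starts before the hunk and its `gh api` call continues past it.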
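Review bot: `validate-inputs` has no comment explaining why the check needs its own job rather than an `if:` on `deploy`, which is the first thing a later maintainer will try to fold away; a line above the job such as `# workflow_call inputs have no option list, so the value is checked here and deploy is held back via needs:` keeps the reason next to the code. The job also inherits the workflow-level `deployments: write` token visible in the hunk context although its only step reads `$TARGET_ENV`; `permissions: {}` on the job keeps that runner's GITHUB_TOKEN scope at nothing. The `case` itself is sound, and an empty input falls into `*)` and produces the same `::error::` annotation. The `deploy` job continues past the end of the hunk.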
@@ -180,8 +198,8 @@ jobs:
 STATE="${{ steps.webhook.outputs.status }}"
 if [ "$STATE" = "success" ]; then
- DESCRIPTION=$(jq -n --arg tag "$IMAGE_TAG" --arg env "$TARGET_ENV" \
- 'Deployed image \($tag) to \($env)')
+ DESCRIPTION=$(jq -nr --arg tag "$IMAGE_TAG" --arg env "$TARGET_ENV" \
+ '"Deployed image \($tag) to \($env)"')
 gh api "repos/${GITHUB_REPOSITORY}/deployments/${{ steps.deployment.outputs.deployment_id }}/statuses" \
 -X POST \