upgrade the open-sdg theme to resolve security issue #314
# This workflow can be invoked by all branches except production where only the development branch can trigger the "deploy" job. | |
name: Build and Deploy Development Static Site Dev # run this workflow when a push has been made. if a push has been made to the development branch it will deploy the site to the hosting environment | |
on: # run this workflow when a push has been made to `development` branch | |
push: | |
branches-ignore: | |
- production | |
workflow_dispatch: | |
#repository_dispatch: # Listen for repository dispatch event from open-sdg-data-starter workflow, TBD | |
# types: [dev_triggered_from_open-sdg-data-starter], TBD | |
jobs: | |
build: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 # checks out the code in the repository | |
- name: Setup Ruby | |
uses: ruby/setup-ruby@v1 # sets up ruby in our environment and install Ruby dependencies | |
with: | |
ruby-version: '3.2' # install ruby version 3.2 | |
bundler-cache: true # https://github.com/ruby/setup-ruby?tab=readme-ov-file#caching-bundle-install-automatically, it will perform caching and does run `bundle config --local path $PWD/vendor/bundle` & `bundle install`. It will handle the Gemfile.lock file appropriately. | |
- name: Build the development site | |
run: bundle exec jekyll build --config _config.yml # build the site using the development configuration file | |
- name: Perform HTML validation # test our rendered html files | |
run: bash scripts/test/html_proofer_staging.sh | |
- name: Zip site artifact # only zip the site if the push was made to the development branch | |
if: ${{ github.ref == 'refs/heads/development' }} | |
run: zip -r _site.zip _site | |
- name: Upload site artifact # only upload the zip if the push was made to the development branch | |
if: ${{ github.ref == 'refs/heads/development' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: site-deployment-dev | |
path: _site.zip | |
retention-days: 1 # delete the artifact after 1 day | |
deploy: | |
runs-on: ubuntu-22.04 | |
needs: [build] | |
if: (github.ref == 'refs/heads/development') | |
environment: | |
name: development | |
url: https://${{ vars.SITE_DOMAIN_NAME }} | |
permissions: # required for configure-aws-credentials action to work properly | |
id-token: write | |
contents: read | |
steps: | |
- name: Install AWS CLI | |
run: pip3 install awscli --upgrade --user # install the cli with upgrade to any requirements and into the subdir of the user | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 # use the official GitHub Action from AWS to setup credentials | |
with: | |
role-to-assume: ${{ secrets.ROLE_ARN }} | |
aws-region: ${{ secrets.AWS_REGION }} | |
mask-aws-account-id: true | |
- name: Fetch site artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: site-deployment-dev | |
- name: Unzip site artifact | |
run: unzip _site.zip | |
- name: Push Contents to S3 # push the current working directory to the S3 bucket | |
run: aws s3 sync _site/ s3://${{ secrets.S3_BUCKET_NAME }} --exclude ".git/*" --exclude ".github/*" --delete # have the bucket have the same content in the repo & exclude the git related directories. | |
- name: Invalidate CloudFront Cache # Invalidate the CloudFront Distribution Cache to get contents from the S3 bucket | |
run: aws cloudfront create-invalidation --distribution-id ${{ secrets.CDN_DISTRIBUTION_ID }} --paths "/*" |
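Review bot: The `build` job runs with the repository's default `GITHUB_TOKEN` permissions while `deploy` explicitly narrows to `id-token: write` and `contents: read`; `build` only checks out, builds and uploads an artifact, so it should be scoped the same way, e.g. a workflow-level `permissions:` with `contents: read` placed under `name:`, which the `deploy` job's own block then widens only where it needs to. Separately, every action is referenced by a mutable major tag (`actions/checkout@v4`, `ruby/setup-ruby@v1`, `actions/upload-artifact@v4`, `aws-actions/configure-aws-credentials@v4`, `actions/download-artifact@v4`) and the `Install AWS CLI` step's `pip3 install awscli --upgrade --user` pulls whatever version is current at run time, so the job that assumes the deployment role has no reproducible dependency set. Pinning each action to a full commit SHA with a `# vX.Y.Z` comment and pinning `awscli==<version>` (or relying on the CLI that the hosted runner image typically already ships) would close that gap. This rendered section carries no `+`/`-` markers, so I cannot tell which of these lines the commit itself introduced.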