
upgrade the open-sdg theme to resolve security issue #314

upgrade the open-sdg theme to resolve security issue


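# Build-and-deploy workflow for the development static site.
#
# Triggers on a push to any branch except `production`, and on manual
# dispatch. The `build` job runs for every qualifying branch; the artifact
# upload and the `deploy` job only run when the ref is
# `refs/heads/development`.
#
# NOTE(review): third-party actions are referenced by mutable tags
# (`@v4`, `@v1`). Pinning each `uses:` to a full commit SHA, with the tag
# kept in a trailing comment, protects the pipeline against an upstream
# tag being retargeted; the SHA values are not recorded here.
name: Build and Deploy Development Static Site Dev

on:
  # Any push except to `production`; the deploy gate is the `if:` on the
  # jobs/steps below, not the trigger.
  push:
    branches-ignore:
      - production
  # Manual runs; `github.ref` is the branch chosen at dispatch time.
  workflow_dispatch:
  # repository_dispatch: # Listen for repository dispatch event from open-sdg-data-starter workflow, TBD
  #   types: [dev_triggered_from_open-sdg-data-starter], TBD

# Least privilege: the GITHUB_TOKEN handed to every job grants only read
# access to repository contents. The `deploy` job overrides this to add
# `id-token: write`, which it needs for OIDC.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
      - name: Setup Ruby
        # Installs Ruby 3.2 and runs `bundle install` with caching; see
        # https://github.com/ruby/setup-ruby?tab=readme-ov-file#caching-bundle-install-automatically
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.2'
          bundler-cache: true
      - name: Build the development site
        run: bundle exec jekyll build --config _config.yml
      - name: Perform HTML validation
        run: bash scripts/test/html_proofer_staging.sh
      # The two steps below only run for the `development` branch; the
      # uploaded zip is the hand-off to the `deploy` job.
      - name: Zip site artifact
        if: github.ref == 'refs/heads/development'
        run: zip -r _site.zip _site
      - name: Upload site artifact
        if: github.ref == 'refs/heads/development'
        uses: actions/upload-artifact@v4
        with:
          name: site-deployment-dev
          path: _site.zip
          retention-days: 1  # only the deploy job of this run downloads it

  deploy:
    runs-on: ubuntu-22.04
    needs: [build]
    if: github.ref == 'refs/heads/development'
    environment:
      name: development
      url: https://${{ vars.SITE_DOMAIN_NAME }}
    # `id-token: write` is required for configure-aws-credentials to
    # request an OIDC token; `contents: read` is all else this job needs.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Install AWS CLI
        # NOTE(review): installs the latest awscli from PyPI on every run,
        # unpinned; consider pinning a version. The runner image may
        # already ship an AWS CLI -- confirm before dropping this step.
        run: pip3 install awscli --upgrade --user
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}
          mask-aws-account-id: true
      - name: Fetch site artifact
        uses: actions/download-artifact@v4
        with:
          name: site-deployment-dev
      - name: Unzip site artifact
        run: unzip _site.zip
      - name: Push Contents to S3
        # Mirror `_site/` into the bucket; `--delete` removes bucket objects
        # that no longer exist locally, and `.git`/`.github` are excluded.
        run: aws s3 sync _site/ s3://${{ secrets.S3_BUCKET_NAME }} --exclude ".git/*" --exclude ".github/*" --delete
      - name: Invalidate CloudFront Cache
        # Make the CDN serve the freshly synced objects instead of cached ones.
        run: aws cloudfront create-invalidation --distribution-id ${{ secrets.CDN_DISTRIBUTION_ID }} --paths "/*"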