fix: repositories page auth — use correct sessionStorage key and add … #48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: 2026 The Linux Foundation | |
| # | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| workflow_dispatch: | |
| inputs: | |
| force_deploy: | |
| description: "Force deploy even if no deployable changes detected" | |
| type: boolean | |
| default: false | |
| env: | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Generate Prisma client | |
| run: | | |
| npx prisma generate | |
| bash scripts/patch-prisma-for-workers.sh | |
| - name: ESLint | |
| run: npm run lint | |
| - name: actionlint | |
| run: | | |
| bash <(curl -sS https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) | |
| ./actionlint -color | |
| - name: ShellCheck | |
| run: shellcheck scripts/*.sh | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Generate Prisma client | |
| run: | | |
| npx prisma generate | |
| bash scripts/patch-prisma-for-workers.sh | |
| - name: Type check | |
| run: npm run type-check | |
| - name: Run tests | |
| run: npm test | |
| # ── Detect deployable changes ──────────────────────────────────────────────── | |
| changes: | |
| name: Check changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| deployable: ${{ steps.filter.outputs.deployable }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 2 | |
| - name: Detect deployable file changes | |
| id: filter | |
| run: | | |
| # On manual dispatch, always deploy. | |
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| echo "deployable=true" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| CHANGED=$(git diff --name-only HEAD~1 HEAD) | |
| echo "Changed files:" | |
| echo "$CHANGED" | |
| if echo "$CHANGED" | grep -qE '^(src/|docs/|prisma/|scripts/|package|tsconfig|wrangler\.toml)'; then | |
| echo "deployable=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "deployable=false" >> "$GITHUB_OUTPUT" | |
| echo "No deployable changes — deploy will be skipped." | |
| fi | |
| # ── Deploy (main only, after lint + test pass, deployable changes only) ──── | |
| deploy: | |
| name: Deploy | |
| needs: [lint, test, changes] | |
| if: >- | |
| github.ref == 'refs/heads/main' && | |
| (needs.changes.outputs.deployable == 'true' || | |
| inputs.force_deploy == true) | |
| runs-on: ubuntu-latest | |
| environment: production | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Generate Prisma client | |
| run: | | |
| npx prisma generate | |
| bash scripts/patch-prisma-for-workers.sh | |
| - name: Build | |
| run: npm run build | |
| - name: Set D1 database ID | |
| run: | | |
| if [ -n "$CF_D1_DATABASE_ID" ]; then | |
| sed -i 's|^database_id = "[^"]*"|database_id = "'"$CF_D1_DATABASE_ID"'"|' wrangler.toml | |
| fi | |
| env: | |
| CF_D1_DATABASE_ID: ${{ secrets.CF_D1_DATABASE_ID }} | |
| - name: Run D1 migrations | |
| run: npx wrangler d1 migrations apply action-gate | |
| env: | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| - name: Deploy API worker | |
| run: npx wrangler deploy | |
| env: | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| - name: Stamp git SHA and repo into dashboard | |
| run: | | |
| sed -i "s/__GIT_SHA__/${GITHUB_SHA::8}/g" docs/index.html docs/my-attestations.html docs/repositories.html | |
| sed -i "s|__GITHUB_REPO__|${GITHUB_REPOSITORY}|g" docs/index.html docs/my-attestations.html docs/repositories.html docs/app.js docs/my-attestations.js docs/repositories.js | |
| - name: Deploy dashboard | |
| run: npx wrangler pages deploy docs --project-name action-gate-dashboard --commit-dirty=true | |
| env: | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} |