-
Notifications
You must be signed in to change notification settings - Fork 0
Add OAuth revocation for mobile logout #9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| name: Deploy Backend | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: | ||
|
|
||
| concurrency: | ||
| group: deploy-backend-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| permissions: | ||
| attestations: write | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| env: | ||
| NODE_ENV: production | ||
| NODE_VERSION: 22.13.x | ||
|
|
||
| jobs: | ||
| verify-and-package: | ||
| name: Security, Tests, Audit, and Build | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 35 | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
|
Comment on lines
+29
to
+32
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
# Show the workflow and the specific area mentioned
echo "=== deploy.yml (lines 1-200) ==="
nl -ba .github/workflows/deploy.yml | sed -n '1,200p'
echo
echo "=== Uses lines (full file) ==="
rg -n "^\s*uses:\s*" .github/workflows/deploy.yml
echo
echo "=== Checkout persist-credentials config ==="
rg -n "persist-credentials" .github/workflows/deploy.yml || trueRepository: CheFu-code/chefu-inc-backend Length of output: 166 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== Listing workflow files ==="
ls -la .github/workflows || true
echo
echo "=== deploy.yml exists? ==="
test -f .github/workflows/deploy.yml && echo "Found: .github/workflows/deploy.yml" || echo "Missing: .github/workflows/deploy.yml"
echo
echo "=== deploy.yml first 220 lines (with line numbers via awk) ==="
awk '{printf "%d\t%s\n", NR, $0}' .github/workflows/deploy.yml | sed -n '1,220p'
echo
echo "=== All uses: entries ==="
rg -n "^\s*uses:\s*" .github/workflows/deploy.yml || true
echo
echo "=== Any persist-credentials ==="
rg -n "persist-credentials" .github/workflows/deploy.yml || true
echo
echo "=== Any attest-build-provenance upload-artifact uses ==="
rg -n "attest|provenance|upload-artifact" .github/workflows/deploy.yml || trueRepository: CheFu-code/chefu-inc-backend Length of output: 2997 🌐 Web query:
💡 Result: For actions/checkout@v4, persist-credentials defaults to true. The v4 action input persist-credentials is “Whether to configure the token or SSH key with the local git config” and its default is true [1]. The README also states that the auth token is persisted in the local git config by default, enabling scripts to run authenticated git commands, and that the token is removed during post-job cleanup; you can opt out by setting persist-credentials: false [2]. Citations:
Pin GitHub Actions to commit SHAs (and disable checkout credential persistence).
Lines 29-32 🧰 Tools🪛 zizmor (1.25.2)[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
| with: | ||
| cache: npm | ||
| node-version: ${{ env.NODE_VERSION }} | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci --include=dev | ||
|
|
||
| - name: Lint | ||
| run: npm run lint | ||
|
|
||
| - name: Typecheck | ||
| run: npm run typecheck | ||
|
|
||
| - name: Run backend security integration tests | ||
| run: npm run test:security -- --silent | ||
|
|
||
| - name: Audit production dependency risk | ||
| run: npm audit --audit-level=high | ||
|
|
||
| - name: Build production API | ||
| run: npm run build | ||
|
|
||
| - name: Package backend artifact | ||
| run: | | ||
| set -euo pipefail | ||
| mkdir -p build-artifacts/backend | ||
| tar -czf build-artifacts/backend/chefu-api-dist-${{ github.sha }}.tgz dist package.json package-lock.json | ||
| (cd build-artifacts/backend && sha256sum *.tgz > SHA256SUMS) | ||
|
|
||
| - name: Upload backend artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| if-no-files-found: error | ||
| name: chefu-api-production-${{ github.sha }} | ||
| path: build-artifacts/backend/* | ||
| retention-days: 30 | ||
|
|
||
| - name: Attest backend artifact | ||
| uses: actions/attest-build-provenance@v2 | ||
| with: | ||
| subject-path: build-artifacts/backend/* | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| module.exports = { | ||
| clearMocks: true, | ||
| moduleFileExtensions: ["js", "json", "ts"], | ||
| roots: ["<rootDir>/test"], | ||
| testEnvironment: "node", | ||
| testRegex: ".*\\.spec\\.ts$", | ||
| transform: { | ||
| "^.+\\.(t|j)s$": [ | ||
| "ts-jest", | ||
| { | ||
| tsconfig: "tsconfig.spec.json", | ||
| }, | ||
| ], | ||
| }, | ||
| }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Disable persisted checkout credentials.
actions/checkoutshould setpersist-credentials: falseto avoid leaving a writable token in git config for later steps.Suggested patch
- name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 28-29: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Linters/SAST tools