ci: remove netlify deployment workflow

This workflow was used in an early stage of development of HedgeDoc 2. It allowed the core developers to quickly check fixes, improvements or new features to the HedgeDoc UI without the requirement to check-out the branch locally. As not every pull request required a deployment, this workflow was only triggered when the "ci: force deployment" label was added. Since some time already, the frontend and backend are so tightly coupled that the netfliy deployment doesn't make any sense anymore and therefore hasn't been used anymore. This commit therefore removes this leftover workflow. @RedYetiDev contacted us privately and reported that this deployment workflow could have been abused to invoke arbitrary commands, including extraction of environment variables which include our tokens for the turborepo build cache or the netlify deployment token. For this it would have been required that somebody created a "safe" pull request, which would have been labelled with the deployment label and then changed afterwards since the workflow checks out the pull request source repository, not the target. We assured that the label was only added to pull requests from trusted members of the HedgeDoc core team. There was never any malicious use of the workflow. Furthermore, no released versions of HedgeDoc (1.x) could have been affected by this, even in the worst-case scenario. We're thankful for putting this risk at our attention! If you too encounter something unusual regarding security in HedgeDoc itself or our toolchain around it, don't hesitate to contact us. Details on this are wriiten in our SECURITY.md in the root of the repository. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-16 14:08:47 -04:00 · 2024-07-30 00:44:22 +02:00 · 2024-07-30 00:44:22 +02:00 · 1f1231a730
commit 1f1231a730
parent cdb9a5cbb0
8 changed files with 2 additions and 175 deletions
--- a/.github/workflows/frontend-netlify-deploy-pr.yml
+++ b/.github/workflows/frontend-netlify-deploy-pr.yml
@ -1,109 +0,0 @@
-# SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-name: Frontend / Deploy PR to Netlify
-
-on:
-  pull_request:
-    branches: [ develop ]
-    types:
-      - labeled
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  pull_request_target:
-    branches: [ develop ]
-    types:
-      - labeled
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-
-permissions:
-  contents: read
-  deployments: write
-
-env:
-  NETLIFY_VERSION: 13.2.2
-  NETLIFY_NEXTJS_PLUGIN_VERSION: 4.33.0
-  NODEJS_VERSION: 20
-
-defaults:
-  run:
-    working-directory: frontend
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.head.label }}-${{ github.event_name }}-${{ github.job }}
-  cancel-in-progress: true
-
-jobs:
-  deploy:
-    if: "contains(github.event.pull_request.labels.*.name, 'ci: force deployment') && ((github.event_name == 'pull_request_target') == github.event.pull_request.head.repo.fork)"
-    runs-on: ubuntu-latest
-    name: Deploys to netlify
-    env:
-      DEPLOY_URL: "https://${{ github.event.number }}--hedgedoc-ui-test.netlify.app/"
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Setup node
-        uses: ./.github/actions/setup-node
-        with:
-          NODEJS_VERSION: ${{ env.NODEJS_VERSION }}
-
-      - name: Patch intro.md to include netlify banner.
-        run: cp netlify/intro.md public/public/intro.md
-
-      - name: Patch motd.md to include privacy policy.
-        run: cp netlify/motd.md public/public/motd.md
-
-      - name: Patch base URL
-        run: echo "HD_BASE_URL=\"${{ env.DEPLOY_URL }}\"" >> .env.production
-
-      - name: Build app
-        run: yarn build --filter=frontend
-        shell: bash
-        working-directory: .
-        env:
-          NEXT_PUBLIC_USE_MOCK_API: true
-          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
-          TURBO_API: ${{ vars.TURBO_API }}
-          TURBO_TEAM: ${{ vars.TURBO_TEAM }}
-
-      - name: Remove Next.js cache to avoid it being deployed
-        run: rm -r .next/cache
-
-      - name: Mark GitHub deployment as started
-        uses: bobheadxi/deployments@88ce5600046c82542f8246ac287d0a53c461bca3 # v1.4.0
-        id: github-deployment
-        with:
-          step: start
-          token: ${{ secrets.GITHUB_TOKEN }}
-          env: "PR #${{ github.event.number }}"
-          override: true
-          ref: ${{ github.head_ref }}
-
-      - name: Install netlify CLI
-        run: "yarn add --dev netlify-cli@${{ env.NETLIFY_VERSION }} @netlify/plugin-nextjs@${{ env.NETLIFY_NEXTJS_PLUGIN_VERSION }}"
-
-      - name: Run netlify CLI
-        env:
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: "netlify deploy --build --context deploy-preview --alias \"${{ github.event.number }}\" --json --message \"PR #${{ github.event.number }}\""
-
-      - name: Mark GitHub deployment as finished
-        uses: bobheadxi/deployments@88ce5600046c82542f8246ac287d0a53c461bca3 # v1.4.0
-        with:
-          step: finish
-          token: ${{ secrets.GITHUB_TOKEN }}
-          env_url: ${{ env.DEPLOY_URL }}
-          env: ${{ steps.github-deployment.outputs.env }}
-          status: ${{ job.status }}
-          deployment_id: ${{ steps.github-deployment.outputs.deployment_id }}
-          override: true
--- a/docs/content/how-to/develop/frontend.md
+++ b/docs/content/how-to/develop/frontend.md
@ -17,10 +17,9 @@ after compilation. You shouldn't need to set them yourself. Use the designated n
 ## UI Test

 Curious about the new look and feel? We provide a demo of the new UI on
-[HedgeDoc.dev][hedgedoc-dev]. This version uses mocked data and has no data persistence.
+[HedgeDoc.dev][hedgedoc-dev]. This version is reset every day, so data is not persisted.

-The UI test is hosted by [netlify][netlify]. Please check their [privacy policy][netlify-privacy]
-as well as [ours][privacy].
+Please see also our [privacy policy][privacy].

 ## Running Tests

@ -59,7 +58,5 @@ window.localStorage.setItem("debugLogging", "true");
 ```

 [hedgedoc-dev]: https://hedgedoc.dev
-[netlify]: https://netlify.com
-[netlify-privacy]: https://netlify.com/privacy
 [privacy]: https://hedgedoc.org/privacy-policy
 [cypress]: https://cypress.io
--- a/frontend/netlify.toml
+++ b/frontend/netlify.toml
@ -1,9 +0,0 @@
-[build]
-publish = ".next"
-command = "echo Pseudo build command because the build is made by the CI"
-
-[[plugins]]
-package = "@netlify/plugin-nextjs"
-
-[dev]
-targetPort = 3001
--- a/frontend/netlify/intro.md
+++ b/frontend/netlify/intro.md
@ -1,7 +0,0 @@
-:::info
-What you see is an UI-Test! It's filled with dummy data, not connected to a backend and no data will be saved.
-:::
-
-![HedgeDoc Screenshot](/public/screenshot.png)
-
-[![Deployed using netlify](https://www.netlify.com/img/global/badges/netlify-color-accent.svg)](https://www.netlify.com)
--- a/frontend/netlify/intro.md.license
+++ b/frontend/netlify/intro.md.license
@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
-
-SPDX-License-Identifier: CC0-1.0
--- a/frontend/netlify/motd.md
+++ b/frontend/netlify/motd.md
@ -1,6 +0,0 @@
-This demo is hosted by [netlify](https://netlify.com).
-Please check their [privacy policy](https://netlify.com/privacy) as well as [our privacy policy](https://hedgedoc.org/privacy-policy).
-
-:::info
-What you see is an UI-Test! It's filled with dummy data, not connected to a backend and no data will be saved.
-:::
--- a/frontend/netlify/motd.md.license
+++ b/frontend/netlify/motd.md.license
@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
-
-SPDX-License-Identifier: CC0-1.0
--- a/renovate.json
+++ b/renovate.json
@ -96,39 +96,6 @@
      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
      "extractVersionTemplate": "^v(?<version>.*)$"
    },
-    {
-      "fileMatch": [
-        ".github/workflows/frontend-netlify-deploy-main.yml$",
-        ".github/workflows/frontend-netlify-deploy-pr.yml$"
-      ],
-      "matchStrings": [
-        "NETLIFY_VERSION=(?<currentValue>.*?)\\n"
-      ],
-      "datasourceTemplate": "npm",
-      "depNameTemplate": "netlify-cli"
-    },
-    {
-      "fileMatch": [
-        ".github/workflows/frontend-netlify-deploy-main.yml$",
-        ".github/workflows/frontend-netlify-deploy-pr.yml$"
-      ],
-      "matchStrings": [
-        "NETLIFY_NEXTJS_PLUGIN_VERSION=(?<currentValue>.*?)\\n"
-      ],
-      "datasourceTemplate": "npm",
-      "depNameTemplate": "@netlify/plugin-nextjs"
-    },
-    {
-      "fileMatch": [
-        ".github/workflows/deploy-main.yml$",
-        ".github/workflows/deploy-pr.yml$"
-      ],
-      "matchStrings": [
-        "NODEJS_VERSION=(?<currentValue>.*?)\\n"
-      ],
-      "datasourceTemplate": "node",
-      "depNameTemplate": "node version in workflows"
-    },
    {
      "fileMatch": [
        "package.json"