From 1f1231a73043651b661dc67c7650579cd62eed56 Mon Sep 17 00:00:00 2001 From: Erik Michelson Date: Tue, 30 Jul 2024 00:44:22 +0200 Subject: [PATCH] ci: remove netlify deployment workflow This workflow was used in an early stage of development of HedgeDoc 2. It allowed the core developers to quickly check fixes, improvements or new features to the HedgeDoc UI without the requirement to check-out the branch locally. As not every pull request required a deployment, this workflow was only triggered when the "ci: force deployment" label was added. Since some time already, the frontend and backend are so tightly coupled that the netlify deployment doesn't make any sense anymore and therefore hasn't been used anymore. This commit therefore removes this leftover workflow. @RedYetiDev contacted us privately and reported that this deployment workflow could have been abused to invoke arbitrary commands, including extraction of environment variables which include our tokens for the turborepo build cache or the netlify deployment token. For this it would have been required that somebody created a "safe" pull request, which would have been labelled with the deployment label and then changed afterwards since the workflow checks out the pull request source repository, not the target. We assured that the label was only added to pull requests from trusted members of the HedgeDoc core team. There was never any malicious use of the workflow. Furthermore, no released versions of HedgeDoc (1.x) could have been affected by this, even in the worst-case scenario. We're thankful for bringing this risk to our attention! If you too encounter something unusual regarding security in HedgeDoc itself or our toolchain around it, don't hesitate to contact us. Details on this are written in our SECURITY.md in the root of the repository.
Signed-off-by: Erik Michelson
---
 .../workflows/frontend-netlify-deploy-pr.yml | 109 ------------------
 docs/content/how-to/develop/frontend.md | 7 +-
 frontend/netlify.toml | 9 --
 frontend/netlify/intro.md | 7 --
 frontend/netlify/intro.md.license | 3 -
 frontend/netlify/motd.md | 6 -
 frontend/netlify/motd.md.license | 3 -
 renovate.json | 33 ------
 8 files changed, 2 insertions(+), 175 deletions(-)
 delete mode 100644 .github/workflows/frontend-netlify-deploy-pr.yml
 delete mode 100644 frontend/netlify.toml
 delete mode 100644 frontend/netlify/intro.md
 delete mode 100644 frontend/netlify/intro.md.license
 delete mode 100644 frontend/netlify/motd.md
 delete mode 100644 frontend/netlify/motd.md.license
diff --git a/.github/workflows/frontend-netlify-deploy-pr.yml b/.github/workflows/frontend-netlify-deploy-pr.yml
deleted file mode 100644
index 8db2976a1..000000000
--- a/.github/workflows/frontend-netlify-deploy-pr.yml
+++ /dev/null
@@ -1,109 +0,0 @@ -# SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file) -# -# SPDX-License-Identifier: AGPL-3.0-only - -name: Frontend / Deploy PR to Netlify - -on: - pull_request: - branches: [ develop ] - types: - - labeled - - opened - - synchronize - - reopened - - ready_for_review - pull_request_target: - branches: [ develop ] - types: - - labeled - - opened - - synchronize - - reopened - - ready_for_review - -permissions: - contents: read - deployments: write - -env: - NETLIFY_VERSION: 13.2.2 - NETLIFY_NEXTJS_PLUGIN_VERSION: 4.33.0 - NODEJS_VERSION: 20 - -defaults: - run: - working-directory: frontend - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.head.label }}-${{ github.event_name }}-${{ github.job }} - cancel-in-progress: true - -jobs: - deploy: - if: "contains(github.event.pull_request.labels.*.name, 'ci: force deployment') && ((github.event_name == 'pull_request_target') == github.event.pull_request.head.repo.fork)" - runs-on: ubuntu-latest - name: Deploys to netlify - env: - DEPLOY_URL: "https://${{ github.event.number }}--hedgedoc-ui-test.netlify.app/" - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Setup node - uses: ./.github/actions/setup-node - with: - NODEJS_VERSION: ${{ env.NODEJS_VERSION }} - - - name: Patch intro.md to include netlify banner. - run: cp netlify/intro.md public/public/intro.md - - - name: Patch motd.md to include privacy policy. - run: cp netlify/motd.md public/public/motd.md - - - name: Patch base URL - run: echo "HD_BASE_URL=\"${{ env.DEPLOY_URL }}\"" >> .env.production - - - name: Build app - run: yarn build --filter=frontend - shell: bash - working-directory: . 
- env: - NEXT_PUBLIC_USE_MOCK_API: true - TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} - TURBO_API: ${{ vars.TURBO_API }} - TURBO_TEAM: ${{ vars.TURBO_TEAM }} - - - name: Remove Next.js cache to avoid it being deployed - run: rm -r .next/cache - - - name: Mark GitHub deployment as started - uses: bobheadxi/deployments@88ce5600046c82542f8246ac287d0a53c461bca3 # v1.4.0 - id: github-deployment - with: - step: start - token: ${{ secrets.GITHUB_TOKEN }} - env: "PR #${{ github.event.number }}" - override: true - ref: ${{ github.head_ref }} - - - name: Install netlify CLI - run: "yarn add --dev netlify-cli@${{ env.NETLIFY_VERSION }} @netlify/plugin-nextjs@${{ env.NETLIFY_NEXTJS_PLUGIN_VERSION }}" - - - name: Run netlify CLI - env: - NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }} - run: "netlify deploy --build --context deploy-preview --alias \"${{ github.event.number }}\" --json --message \"PR #${{ github.event.number }}\"" - - - name: Mark GitHub deployment as finished - uses: bobheadxi/deployments@88ce5600046c82542f8246ac287d0a53c461bca3 # v1.4.0 - with: - step: finish - token: ${{ secrets.GITHUB_TOKEN }} - env_url: ${{ env.DEPLOY_URL }} - env: ${{ steps.github-deployment.outputs.env }} - status: ${{ job.status }} - deployment_id: ${{ steps.github-deployment.outputs.deployment_id }} - override: true diff --git a/docs/content/how-to/develop/frontend.md b/docs/content/how-to/develop/frontend.md index ae39fddc5..020f1a6a0 100644 --- a/docs/content/how-to/develop/frontend.md +++ b/docs/content/how-to/develop/frontend.md 
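Review bot: Deleting the file does not remove or rotate the repository credentials its steps consumed — `secrets.NETLIFY_AUTH_TOKEN`, `secrets.TURBO_TOKEN` and the `vars.TURBO_API`/`vars.TURBO_TEAM` variables — and the commit does not say what happens to them. Since the description states that this workflow could have exposed exactly those tokens (it runs on `pull_request_target` and checks out `github.event.pull_request.head.sha` before `yarn build` and `netlify deploy` run with the secrets in their environment), rotating `NETLIFY_AUTH_TOKEN` and, unless another workflow still needs it, `TURBO_TOKEN`, and then deleting the unused secrets from the repository settings, closes the exposure regardless of whether any past run leaked them. Whether these secrets and variables are still configured cannot be seen from the diff, so this is a follow-up to confirm rather than a defect in the patch.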
@@ -17,10 +17,9 @@ after compilation. You shouldn't need to set them yourself. Use the designated n ## UI Test Curious about the new look and feel? We provide a demo of the new UI on -[HedgeDoc.dev][hedgedoc-dev]. This version uses mocked data and has no data persistence. +[HedgeDoc.dev][hedgedoc-dev]. This version is reset every day, so data is not persisted. -The UI test is hosted by [netlify][netlify]. Please check their [privacy policy][netlify-privacy] -as well as [ours][privacy]. +Please see also our [privacy policy][privacy]. ## Running Tests @@ -59,7 +58,5 @@ window.localStorage.setItem("debugLogging", "true"); ``` [hedgedoc-dev]: https://hedgedoc.dev -[netlify]: https://netlify.com -[netlify-privacy]: https://netlify.com/privacy [privacy]: https://hedgedoc.org/privacy-policy [cypress]: https://cypress.io diff --git a/frontend/netlify.toml b/frontend/netlify.toml deleted file mode 100644 index ba619a434..000000000 --- a/frontend/netlify.toml +++ /dev/null @@ -1,9 +0,0 @@ -[build] -publish = ".next" -command = "echo Pseudo build command because the build is made by the CI" - -[[plugins]] -package = "@netlify/plugin-nextjs" - -[dev] -targetPort = 3001 diff --git a/frontend/netlify/intro.md b/frontend/netlify/intro.md deleted file mode 100644 index 3c81547f5..000000000 --- a/frontend/netlify/intro.md +++ /dev/null @@ -1,7 +0,0 @@ -:::info -What you see is an UI-Test! It's filled with dummy data, not connected to a backend and no data will be saved. -::: - -![HedgeDoc Screenshot](/public/screenshot.png) - -[![Deployed using netlify](https://www.netlify.com/img/global/badges/netlify-color-accent.svg)](https://www.netlify.com) diff --git a/frontend/netlify/intro.md.license b/frontend/netlify/intro.md.license deleted file mode 100644 index 078e5a9ac..000000000 --- a/frontend/netlify/intro.md.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file) - -SPDX-License-Identifier: CC0-1.0 
diff --git a/frontend/netlify/motd.md b/frontend/netlify/motd.md deleted file mode 100644 index 04abdc441..000000000 --- a/frontend/netlify/motd.md +++ /dev/null @@ -1,6 +0,0 @@ -This demo is hosted by [netlify](https://netlify.com). -Please check their [privacy policy](https://netlify.com/privacy) as well as [our privacy policy](https://hedgedoc.org/privacy-policy). - -:::info -What you see is an UI-Test! It's filled with dummy data, not connected to a backend and no data will be saved. -::: diff --git a/frontend/netlify/motd.md.license b/frontend/netlify/motd.md.license deleted file mode 100644 index 078e5a9ac..000000000 --- a/frontend/netlify/motd.md.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file) - -SPDX-License-Identifier: CC0-1.0 diff --git a/renovate.json b/renovate.json index 530dda164..2bc39424f 100644 --- a/renovate.json +++ b/renovate.json @@ -96,39 +96,6 @@ "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}", "extractVersionTemplate": "^v(?.*)$" }, - { - "fileMatch": [ - ".github/workflows/frontend-netlify-deploy-main.yml$", - ".github/workflows/frontend-netlify-deploy-pr.yml$" - ], - "matchStrings": [ - "NETLIFY_VERSION=(?.*?)\\n" - ], - "datasourceTemplate": "npm", - "depNameTemplate": "netlify-cli" - }, - { - "fileMatch": [ - ".github/workflows/frontend-netlify-deploy-main.yml$", - ".github/workflows/frontend-netlify-deploy-pr.yml$" - ], - "matchStrings": [ - "NETLIFY_NEXTJS_PLUGIN_VERSION=(?.*?)\\n" - ], - "datasourceTemplate": "npm", - "depNameTemplate": "@netlify/plugin-nextjs" - }, - { - "fileMatch": [ - ".github/workflows/deploy-main.yml$", - ".github/workflows/deploy-pr.yml$" - ], - "matchStrings": [ - "NODEJS_VERSION=(?.*?)\\n" - ], - "datasourceTemplate": "node", - "depNameTemplate": "node version in workflows" - }, { "fileMatch": [ "package.json"
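Review bot: The three removed matchers also covered `.github/workflows/frontend-netlify-deploy-main.yml$`, `.github/workflows/deploy-main.yml$` and `.github/workflows/deploy-pr.yml$`, yet the diffstat deletes only `frontend-netlify-deploy-pr.yml`. If any of those other workflow files still exist, their `NETLIFY_VERSION`, `NETLIFY_NEXTJS_PLUGIN_VERSION` or `NODEJS_VERSION` pins silently drop out of Renovate coverage, so either confirm in the commit description that those files are already gone or keep the third block with only `".github/workflows/deploy-main.yml$"` and `".github/workflows/deploy-pr.yml$"` in its `fileMatch`. The enclosing array continues outside the hunk, so other matchers may or may not already cover those paths.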