[Snyk] Security upgrade jsonwebtoken from 8.5.1 to 9.0.2 #57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy to Vercel | |
on: | |
# Build when there is a PR into main or develop | |
pull_request: | |
branches: [main, develop] | |
# Build when pushing to main or develop (e.g. when the PR is closed) | |
push: | |
branches: | |
- "main" | |
- "develop" | |
workflow_dispatch: | |
# Vercel requires one project for each directory in a monorepo: | |
# https://vercel.com/blog/monorepos | |
jobs: | |
environment_check: | |
runs-on: ubuntu-latest | |
outputs: | |
prod_flag: ${{ steps.production.outputs.prod_flag }} | |
production: ${{ steps.production.outputs.production_push }} | |
staging: ${{ steps.staging.outputs.staging_push }} | |
env: | |
VERCEL_TEAM_ID: ${{ secrets.VERCEL_TEAM_ID }} | |
steps: | |
- name: Check Variables | |
uses: 0xJem/secret-gate-action@v1.1.1 | |
with: | |
inputsToCheck: VERCEL_TEAM_ID | |
failOnMissing: true | |
- name: Set production flags | |
id: production | |
# github.ref_name is the branch/tag name that triggered the workflow run | |
# therefore, this will only run and trigger a production build on push | |
# to the main branch, which is the desired outcome | |
# It WILL NOT run on a PR merge into the main branch, which is deliberate | |
run: | | |
if [[ ${{ github.ref_name }} == 'main' ]]; then | |
echo "This is a production build" | |
echo "::set-output name=production_push::true" | |
echo "::set-output name=prod_flag::--prod" | |
else | |
echo "This is not a production build" | |
echo "::set-output name=production_push::false" | |
fi | |
- name: Set staging flags | |
# github.ref_name is the branch/tag name that triggered the workflow run | |
# therefore, this will only run and trigger a staging build on push | |
# to the develop branch, which is the desired outcome | |
# It WILL NOT run on a PR merge into the develop branch, which is deliberate | |
id: staging | |
run: | | |
if [[ ${{ github.ref_name }} == 'develop' ]]; then | |
echo "This is a staging build" | |
echo "::set-output name=staging_push::true" | |
else | |
echo "This is not a staging build" | |
echo "::set-output name=staging_push::false" | |
fi | |
backend: | |
runs-on: ubuntu-latest | |
needs: environment_check | |
outputs: | |
preview-url: ${{ steps.backend_deploy.outputs.preview-url }} | |
env: | |
ALCHEMY_MAINNET_API_KEY: ${{ secrets.ALCHEMY_MAINNET_API_KEY }} | |
ALCHEMY_RINKEBY_API_KEY: ${{ secrets.ALCHEMY_RINKEBY_API_KEY }} | |
COVALENTHQ_API_KEY: ${{ secrets.COVALENTHQ_API_KEY }} | |
DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }} | |
DISCORD_BOT_TOKEN_PROD: ${{ secrets.DISCORD_BOT_TOKEN_PROD }} | |
DISCORD_ROLE_ID: ${{ secrets.DISCORD_ROLE_ID }} | |
DISCORD_ROLE_ID_PROD: ${{ secrets.DISCORD_ROLE_ID_PROD }} | |
DISCORD_SERVER_ID: ${{ secrets.DISCORD_SERVER_ID }} | |
DISCORD_SERVER_ID_PROD: ${{ secrets.DISCORD_SERVER_ID_PROD }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
HASURA_ADMIN_SECRET: ${{ secrets.HASURA_ADMIN_SECRET }} | |
HASURA_ADMIN_SECRET_PROD: ${{ secrets.HASURA_ADMIN_SECRET_PROD }} | |
HASURA_ENDPOINT: ${{ secrets.HASURA_ENDPOINT }} | |
HASURA_ENDPOINT_PROD: ${{ secrets.HASURA_ENDPOINT_PROD }} | |
JWT_SECRET: ${{ secrets.JWT_SECRET }} | |
MORALIS_API_KEY: ${{ secrets.MORALIS_API_KEY }} | |
PROD_FLAG: ${{ needs.environment_check.outputs.prod_flag }} | |
VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }} | |
VERCEL_PROJECT_ID: ${{ secrets.VERCEL_BACKEND_PROJECT_ID }} | |
VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} | |
steps: | |
- name: Check Variables | |
uses: 0xJem/secret-gate-action@v1.1.1 | |
with: | |
inputsToCheck: ALCHEMY_MAINNET_API_KEY,ALCHEMY_RINKEBY_API_KEY,COVALENTHQ_API_KEY,DISCORD_BOT_TOKEN,DISCORD_BOT_TOKEN_PROD,DISCORD_ROLE_ID,DISCORD_ROLE_ID_PROD,DISCORD_SERVER_ID,DISCORD_SERVER_ID_PROD,GITHUB_TOKEN,HASURA_ADMIN_SECRET,HASURA_ADMIN_SECRET_PROD,HASURA_ENDPOINT,HASURA_ENDPOINT_PROD,JWT_SECRET,MORALIS_API_KEY,VERCEL_ORG_ID,VERCEL_PROJECT_ID,VERCEL_TOKEN | |
failOnMissing: true | |
- name: Set Scope | |
run: | | |
echo "SCOPE_FLAG=--scope ${{ secrets.VERCEL_TEAM_ID }}" >> $GITHUB_ENV | |
- uses: actions/checkout@v2 | |
- name: Setup node | |
uses: actions/setup-node@v2 | |
with: | |
node-version-file: "backend/.nvmrc" | |
# Certain environment variables need different values in production | |
# We don't use GitHub Actions' environments, because those secrets are only available | |
# when a job states the environment that it belongs to. It would result in a lot of | |
# duplicated code. | |
- name: Set production environment variables | |
run: | | |
if [[ ${{ needs.environment_check.outputs.production }} == true ]]; then | |
echo "DISCORD_BOT_TOKEN=${{ env.DISCORD_BOT_TOKEN_PROD }}" >> $GITHUB_ENV | |
echo "DISCORD_ROLE_ID=${{ env.DISCORD_ROLE_ID_PROD }}" >> $GITHUB_ENV | |
echo "DISCORD_SERVER_ID=${{ env.DISCORD_SERVER_ID_PROD }}" >> $GITHUB_ENV | |
echo "HASURA_ADMIN_SECRET=${{ env.HASURA_ADMIN_SECRET_PROD }}" >> $GITHUB_ENV | |
echo "HASURA_ENDPOINT=${{ env.HASURA_ENDPOINT_PROD }}" >> $GITHUB_ENV | |
fi | |
# We build the source so that typechain is compiled. The Vercel deployment fails if this compilation is done on their servers. | |
- name: Build | |
run: cd backend && yarn install --frozen-lockfile && yarn run build | |
- uses: amondnet/vercel-action@v20 | |
id: backend_deploy | |
with: | |
vercel-token: ${{ secrets.VERCEL_TOKEN }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }} | |
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }} | |
working-directory: ./backend | |
vercel-args: --env JWT_SECRET=${{ env.JWT_SECRET }} --env DISCORD_BOT_TOKEN=${{ env.DISCORD_BOT_TOKEN }} --env DISCORD_SERVER_ID=${{ env.DISCORD_SERVER_ID }} --env DISCORD_ROLE_ID=${{ env.DISCORD_ROLE_ID }} --env HASURA_ENDPOINT=${{ env.HASURA_ENDPOINT }} --env HASURA_ADMIN_SECRET=${{ env.HASURA_ADMIN_SECRET }} --env MORALIS_API_KEY=${{ env.MORALIS_API_KEY }} --env COVALENTHQ_API_KEY=${{ env.COVALENTHQ_API_KEY }} --env ALCHEMY_MAINNET_API_KEY=${{ env.ALCHEMY_MAINNET_API_KEY }} --env ALCHEMY_RINKEBY_API_KEY=${{ env.ALCHEMY_RINKEBY_API_KEY }} ${{ env.PROD_FLAG }} ${{ env.SCOPE_FLAG }} | |
frontend: | |
runs-on: ubuntu-latest | |
outputs: | |
preview-url: ${{ steps.determine_url.outputs.url }} | |
needs: | |
- backend | |
- environment_check | |
env: | |
BACKEND_URL: ${{ needs.backend.outputs.preview-url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
INFURA_PROJECT_ID: ${{ secrets.INFURA_PROJECT_ID }} | |
PROD_FLAG: ${{ needs.environment_check.outputs.prod_flag }} | |
VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }} | |
VERCEL_PROJECT_ID: ${{ secrets.VERCEL_FRONTEND_PROJECT_ID }} | |
VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} | |
steps: | |
- name: Check Variables | |
uses: 0xJem/secret-gate-action@v1.1.1 | |
with: | |
inputsToCheck: BACKEND_URL,GITHUB_TOKEN,INFURA_PROJECT_ID,VERCEL_ORG_ID,VERCEL_PROJECT_ID,VERCEL_TOKEN | |
failOnMissing: true | |
- name: Set Scope | |
run: | | |
echo "SCOPE_FLAG=--scope ${{ secrets.VERCEL_TEAM_ID }}" >> $GITHUB_ENV | |
- uses: actions/checkout@v2 | |
- name: Setup node | |
uses: actions/setup-node@v2 | |
with: | |
node-version-file: "frontend/.nvmrc" | |
- uses: amondnet/vercel-action@v20 | |
id: frontend_deploy | |
with: | |
vercel-token: ${{ secrets.VERCEL_TOKEN }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }} | |
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }} | |
working-directory: ./frontend | |
# Vercel/Next.js will replace the URL at build-time, not run-time | |
vercel-args: --build-env NEXT_PUBLIC_BACKEND_API_URL=${{ env.BACKEND_URL }} --build-env NEXT_PUBLIC_INFURA_ID=${{ env.INFURA_PROJECT_ID }} ${{ env.PROD_FLAG }} ${{ env.SCOPE_FLAG }} | |
- name: Production Domain Alias | |
# If doing a production build, we also link the domain name | |
# It can take some time after deployment for the domains to be ready, so we pause before linking the domain | |
run: | | |
if [[ ${{ needs.environment_check.outputs.production }} == true ]]; then | |
sleep 120 | |
vercel --token ${{ env.VERCEL_TOKEN }} ${{ env.SCOPE_FLAG }} alias set ${{ steps.frontend_deploy.outputs.preview-url }} verified.olympusdao.finance | |
fi | |
- name: Staging Domain Alias | |
# If doing a staging (develop branch) build, we also link the domain name | |
# It can take some time after deployment for the domains to be ready, so we pause before linking the domain | |
run: | | |
if [[ ${{ needs.environment_check.outputs.staging }} == true ]]; then | |
sleep 120 | |
vercel --token ${{ env.VERCEL_TOKEN }} ${{ env.SCOPE_FLAG }} alias set ${{ steps.frontend_deploy.outputs.preview-url }} verified-staging.olympusdao.finance | |
fi | |
- name: Determine output URL | |
id: determine_url | |
run: | | |
if [[ ${{ needs.environment_check.outputs.production }} == true ]]; then | |
echo "Frontend URL is verified.olympusdao.finance" | |
echo "::set-output name=url::https://verified.olympusdao.finance" | |
elif [[ ${{ needs.environment_check.outputs.staging }} == true ]]; then | |
echo "Frontend URL is verified-staging.olympusdao.finance" | |
echo "::set-output name=url::https://verified-staging.olympusdao.finance" | |
else | |
echo "Frontend URL is ${{ steps.frontend_deploy.outputs.preview-url }}" | |
echo "::set-output name=url::${{ steps.frontend_deploy.outputs.preview-url }}" | |
fi | |
discord: | |
runs-on: ubuntu-latest | |
needs: | |
- frontend | |
- environment_check | |
env: | |
DISCORD_APP_ID: ${{ secrets.DISCORD_APP_ID }} | |
DISCORD_APP_ID_PROD: ${{ secrets.DISCORD_APP_ID_PROD }} | |
DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }} | |
DISCORD_BOT_TOKEN_PROD: ${{ secrets.DISCORD_BOT_TOKEN_PROD }} | |
DISCORD_PUBLIC_KEY: ${{ secrets.DISCORD_PUBLIC_KEY }} | |
DISCORD_PUBLIC_KEY_PROD: ${{ secrets.DISCORD_PUBLIC_KEY_PROD }} | |
FRONTEND_URL: ${{ needs.frontend.outputs.preview-url }} | |
JWT_EXPIRATION_TIME: ${{ secrets.JWT_EXPIRATION_TIME }} | |
JWT_SECRET: ${{ secrets.JWT_SECRET }} | |
PROD_FLAG: ${{ needs.environment_check.outputs.prod_flag }} | |
VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }} | |
VERCEL_PROJECT_ID: ${{ secrets.VERCEL_DISCORD_PROJECT_ID }} | |
VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} | |
steps: | |
- name: Check Variables | |
uses: 0xJem/secret-gate-action@v1.1.1 | |
with: | |
inputsToCheck: DISCORD_APP_ID,DISCORD_APP_ID_PROD,DISCORD_BOT_TOKEN,DISCORD_BOT_TOKEN_PROD,DISCORD_PUBLIC_KEY,DISCORD_PUBLIC_KEY_PROD,FRONTEND_URL,JWT_EXPIRATION_TIME,JWT_SECRET,VERCEL_ORG_ID,VERCEL_PROJECT_ID,VERCEL_TOKEN | |
failOnMissing: true | |
- name: Set Scope | |
run: | | |
echo "SCOPE_FLAG=--scope ${{ secrets.VERCEL_TEAM_ID }}" >> $GITHUB_ENV | |
- uses: actions/checkout@v2 | |
- name: Setup node | |
uses: actions/setup-node@v2 | |
with: | |
node-version-file: "discord/.nvmrc" | |
# Certain environment variables need different values in production | |
# We don't use GitHub Actions' environments, because those secrets are only available | |
# when a job states the environment that it belongs to. It would result in a lot of | |
# duplicated code. | |
- name: Set production environment variables | |
run: | | |
if [[ ${{ needs.environment_check.outputs.production }} == true ]]; then | |
echo "DISCORD_APP_ID=${{ env.DISCORD_APP_ID_PROD }}" >> $GITHUB_ENV | |
echo "DISCORD_BOT_TOKEN=${{ env.DISCORD_BOT_TOKEN_PROD }}" >> $GITHUB_ENV | |
echo "DISCORD_PUBLIC_KEY=${{ env.DISCORD_PUBLIC_KEY_PROD }}" >> $GITHUB_ENV | |
fi | |
- name: Install Dependencies | |
run: yarn install --frozen-lockfile | |
working-directory: ./discord | |
- name: Sync Discord commands | |
run: yarn run slash-up sync | |
working-directory: ./discord | |
- uses: amondnet/vercel-action@v20 | |
id: discord_deploy | |
with: | |
vercel-token: ${{ secrets.VERCEL_TOKEN }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
vercel-org-id: ${{ env.VERCEL_ORG_ID }} | |
vercel-project-id: ${{ env.VERCEL_PROJECT_ID }} | |
working-directory: ./discord | |
vercel-args: --env JWT_SECRET=${{ env.JWT_SECRET }} --env JWT_EXPIRATION_TIME=${{ env.JWT_EXPIRATION_TIME }} --env DISCORD_APP_ID=${{ env.DISCORD_APP_ID }} --env DISCORD_BOT_TOKEN=${{ env.DISCORD_BOT_TOKEN }} --env DISCORD_PUBLIC_KEY=${{ env.DISCORD_PUBLIC_KEY }} --env FRONTEND_URL=${{ env.FRONTEND_URL }} ${{ env.PROD_FLAG }} ${{ env.SCOPE_FLAG }} | |
- name: Production Domain Alias | |
# If doing a production build, we also set a consistent domain name | |
# It can take some time after deployment for the domains to be ready, so we pause before linking the domain | |
run: | | |
if [[ ${{ needs.environment_check.outputs.production }} == true ]]; then | |
sleep 120 | |
vercel --token ${{ env.VERCEL_TOKEN }} ${{ env.SCOPE_FLAG }} alias set ${{ steps.discord_deploy.outputs.preview-url }} verified-ohmies-discord.vercel.app | |
fi | |
- name: Staging Domain Alias | |
# If doing a staging (develop branch) build, we also link the domain name | |
# It can take some time after deployment for the domains to be ready, so we pause before linking the domain | |
run: | | |
if [[ ${{ needs.environment_check.outputs.staging }} == true ]]; then | |
sleep 120 | |
vercel --token ${{ env.VERCEL_TOKEN }} ${{ env.SCOPE_FLAG }} alias set ${{ steps.discord_deploy.outputs.preview-url }} verified-ohmies-discord-staging.vercel.app | |
fi | |
# TODO run tests |