fix(frontend): remediate npm audit high/critical advisories #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Frontend to Cloudflare Pages | |
| on: | |
| push: | |
| branches: ['main'] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: 'cloudflare-pages-deploy' | |
| cancel-in-progress: false | |
| jobs: | |
| # Build holds only public VITE_* client config (baked into the browser | |
| # bundle anyway) — never the Cloudflare deploy token. | |
| build: | |
| name: Build (Node 24) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| defaults: | |
| run: | |
| working-directory: frontend | |
| outputs: | |
| has_token: ${{ steps.check.outputs.has_token }} | |
| env: | |
| VITE_API_URL: ${{ secrets.VITE_API_URL }} | |
| VITE_SUPABASE_URL: ${{ secrets.VITE_SUPABASE_URL }} | |
| VITE_SUPABASE_ANON_KEY: ${{ secrets.VITE_SUPABASE_ANON_KEY }} | |
| VITE_AION_SUPABASE_URL: ${{ secrets.VITE_AION_SUPABASE_URL }} | |
| VITE_AION_SUPABASE_ANON_KEY: ${{ secrets.VITE_AION_SUPABASE_ANON_KEY }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: '24' | |
| cache: npm | |
| cache-dependency-path: frontend/package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint (ESLint) | |
| run: npm run lint | |
| - name: Build | |
| run: npm run build | |
| - name: Test (Vitest) | |
| run: npm run test | |
| # Emit only a boolean — the token value is never placed in output/env. | |
| - name: Check deploy token presence | |
| id: check | |
| run: echo "has_token=${{ secrets.CLOUDFLARE_API_TOKEN != '' }}" >> "$GITHUB_OUTPUT" | |
| - name: Upload static artifact | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: nexus-frontend | |
| path: frontend/dist | |
| retention-days: 1 | |
| # Deploy is the only job that holds the Cloudflare token, and it runs no | |
| # third-party build code — just artifact download and wrangler. | |
| deploy: | |
| name: Deploy to Cloudflare Pages | |
| needs: build | |
| # Only main reaches production — blocks workflow_dispatch on arbitrary refs. | |
| if: github.ref == 'refs/heads/main' && needs.build.outputs.has_token == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Download static artifact | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: nexus-frontend | |
| path: dist | |
| # Cloudflare project production branch is `codex/bootstrap`; passing it | |
| # makes this a production deployment for home-notes-app.uk. | |
| - name: Deploy to Cloudflare Pages | |
| uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1 | |
| with: | |
| apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| command: pages deploy dist --project-name=nexus-archive --branch=codex/bootstrap --commit-dirty=true |