chore(website): rotate Bing site verification code #48
| name: Deploy Website | |
| # Triggers ONLY when website code or this workflow changes. | |
| # Other paths (src/, bin/, e2b/, README, etc.) won't fire this workflow. | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - "website/**" | |
| - ".github/workflows/website-deploy.yml" | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - "website/**" | |
| - ".github/workflows/website-deploy.yml" | |
| # Allow manual run from the Actions tab if needed. | |
| workflow_dispatch: | |
| # Cancel in-flight runs for the same ref so a rapid push series | |
| # only deploys the latest commit. | |
| concurrency: | |
| group: website-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| deployments: write | |
| pull-requests: write # let wrangler-action attach a preview URL to PRs | |
| defaults: | |
| run: | |
| working-directory: website | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-node@v5 | |
| with: | |
| node-version: 20 | |
| cache: npm | |
| cache-dependency-path: website/package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build (static export to website/out) | |
| run: npm run build | |
| env: | |
| # Raises GitHub API rate limit for scripts/fetch-changelog.mjs | |
| # from 60 → 5000 req/hour. Provided automatically by GitHub Actions. | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Sanitize the branch name in a separate run step, so the value handed | |
| # to wrangler-action's `command:` input is a static string (no shell | |
| # interpolation needed at deploy time, no injection risk). This is | |
| # required because wrangler-action runs the command via @actions/exec | |
| # which doesn't expand $VARS the way a shell would. | |
| - name: Resolve branch name | |
| id: branch | |
| env: | |
| RAW_BRANCH: ${{ github.head_ref || github.ref_name }} | |
| run: | | |
| # Strip everything except [A-Za-z0-9/._-] to defang any malicious branch name. | |
| branch=$(printf '%s' "$RAW_BRANCH" | tr -cd 'A-Za-z0-9/._-') | |
| if [ -z "$branch" ]; then | |
| echo "Branch name is empty after sanitization" >&2 | |
| exit 1 | |
| fi | |
| echo "name=$branch" >> "$GITHUB_OUTPUT" | |
| echo "Deploying branch: $branch" | |
| - name: Deploy to Cloudflare Pages | |
| id: deploy | |
| uses: cloudflare/wrangler-action@v4 | |
| with: | |
| apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| workingDirectory: website | |
| # `--branch=main` triggers a production deployment on Cloudflare Pages. | |
| # Anything else creates a preview deployment with a unique URL. | |
| # | |
| # `--commit-message=<sha>` overrides wrangler's auto-derived commit | |
| # message. wrangler-action@v4 has a regression where non-ASCII | |
| # characters in the message (e.g. em-dash, arrow) get rejected by | |
| # the Cloudflare Pages API as "Invalid commit message, it must be | |
| # a valid UTF-8 string". Passing the bare SHA sidesteps it — the | |
| # dashboard still links back to the commit via --commit-hash which | |
| # wrangler also auto-fills. | |
| command: >- | |
| pages deploy out | |
| --project-name=cockpit-website | |
| --branch=${{ steps.branch.outputs.name }} | |
| --commit-message=${{ github.sha }} | |
| - name: Summary | |
| env: | |
| BRANCH_NAME: ${{ github.head_ref || github.ref_name }} | |
| DEPLOY_URL: ${{ steps.deploy.outputs.deployment-url }} | |
| run: | | |
| { | |
| echo "### 🚀 Deployment" | |
| echo "" | |
| echo "- Branch: \`$BRANCH_NAME\`" | |
| echo "- URL: $DEPLOY_URL" | |
| } >> "$GITHUB_STEP_SUMMARY" |
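Review bot: The "Resolve branch name" step strips disallowed characters instead of rejecting the name, so a pull-request head ref can come out of `tr -cd` as a different string than the one that was pushed, including `main`, which the comment on the deploy step says triggers a production deployment. Because the workflow also runs on `pull_request`, it would be safer to fail on any name containing a disallowed character, e.g. `case "$RAW_BRANCH" in *[!A-Za-z0-9/._-]*) echo "Unsupported branch name" >&2; exit 1 ;; esac`, and to refuse `main` when `$GITHUB_EVENT_NAME` is `pull_request`. The Summary step prints the raw `BRANCH_NAME`, so after stripping it can disagree with the branch actually deployed; reading the `steps.branch` output there would keep the two in line. Separately, `cloudflare/wrangler-action@v4` receives `CLOUDFLARE_API_TOKEN` but is referenced by a movable tag; pinning it (and the checkout and setup-node actions) to a full commit SHA would keep a retagged release from running with that token. The page does not show which of these lines the commit changed, so this applies to the file as displayed.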