build(deps): bump babel-plugin-react-compiler beta → 1.0.0 stable #335
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Pages | |
| on: | |
| push: | |
| branches: [master] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| pages: write | |
| id-token: write | |
| attestations: write # required by actions/attest-build-provenance | |
| concurrency: | |
| group: pages | |
| cancel-in-progress: true | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: github-pages | |
| url: ${{ steps.deployment.outputs.page_url }} | |
| env: | |
| APP_BASE_PATH: /${{ github.event.repository.name }}/ | |
| VITE_SUPABASE_URL: ${{ vars.VITE_SUPABASE_URL || secrets.VITE_SUPABASE_URL }} | |
| VITE_SUPABASE_ANON_KEY: ${{ vars.VITE_SUPABASE_ANON_KEY || secrets.VITE_SUPABASE_ANON_KEY }} | |
| VITE_POWERSYNC_URL: ${{ vars.VITE_POWERSYNC_URL || secrets.VITE_POWERSYNC_URL }} | |
| # Vite inlines this into the client bundle, so the key is | |
| # effectively public — protection comes from the HTTP-referrer | |
| # restriction on the GCP key itself (see docs/domain-onboarding.md). | |
| VITE_GOOGLE_MAPS_API_KEY: ${{ vars.VITE_GOOGLE_MAPS_API_KEY || secrets.VITE_GOOGLE_MAPS_API_KEY }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: 24 | |
| cache: yarn | |
| - name: Enable Corepack | |
| run: corepack enable | |
| - name: Validate build variables | |
| run: | | |
| test -n "$VITE_SUPABASE_URL" | |
| test -n "$VITE_SUPABASE_ANON_KEY" | |
| test -n "$VITE_POWERSYNC_URL" | |
| test -n "$VITE_GOOGLE_MAPS_API_KEY" | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Build | |
| run: yarn run build | |
| # Build provenance / tamper-evidence for the deployed client build. | |
| # This is a transparency/detection mitigation only: it lets anyone | |
| # verify a served file matches what this workflow built from this | |
| # commit. It does NOT prevent a targeted backdoor (that needs a | |
| # runtime verifier, which is out of scope here). | |
| # | |
| # SHA256SUMS lists the sha256 of every file shipped to Pages and is | |
| # itself published at /<repo>/SHA256SUMS. The provenance attestation | |
| # below signs just this manifest; because the manifest commits to | |
| # every file's hash, the signature transitively covers the whole | |
| # build (the standard "signed sums" pattern). | |
| # | |
| # Verify, given a deployed site: | |
| # 1. Fetch the served files and SHA256SUMS, then `sha256sum -c | |
| # SHA256SUMS` to confirm served bytes match the manifest. | |
| # 2. Confirm the manifest's provenance (signed Sigstore attestation | |
| # logged to the public Rekor transparency log): | |
| # gh attestation verify SHA256SUMS --owner Stvad | |
| # which binds the manifest digest -> this workflow -> this commit. | |
| - name: Generate SHA256SUMS manifest | |
| run: cd dist && find . -type f ! -name SHA256SUMS -exec sha256sum {} \; | sort -k2 > SHA256SUMS | |
| - name: Attest build provenance | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-path: dist/SHA256SUMS | |
| - name: Set up Pages | |
| uses: actions/configure-pages@v6 | |
| - name: Upload artifact | |
| uses: actions/upload-pages-artifact@v5 | |
| with: | |
| path: dist | |
| - name: Deploy to GitHub Pages | |
| id: deployment | |
| uses: actions/deploy-pages@v5 |