Skip to content

build(deps): bump babel-plugin-react-compiler beta → 1.0.0 stable #335

build(deps): bump babel-plugin-react-compiler beta → 1.0.0 stable

build(deps): bump babel-plugin-react-compiler beta → 1.0.0 stable #335

Workflow file for this run

name: Deploy Pages
on:
push:
branches: [master]
workflow_dispatch:
permissions:
contents: read
pages: write
id-token: write
attestations: write # required by actions/attest-build-provenance
concurrency:
group: pages
cancel-in-progress: true
jobs:
deploy:
runs-on: ubuntu-latest
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
env:
APP_BASE_PATH: /${{ github.event.repository.name }}/
VITE_SUPABASE_URL: ${{ vars.VITE_SUPABASE_URL || secrets.VITE_SUPABASE_URL }}
VITE_SUPABASE_ANON_KEY: ${{ vars.VITE_SUPABASE_ANON_KEY || secrets.VITE_SUPABASE_ANON_KEY }}
VITE_POWERSYNC_URL: ${{ vars.VITE_POWERSYNC_URL || secrets.VITE_POWERSYNC_URL }}
# Vite inlines this into the client bundle, so the key is
# effectively public — protection comes from the HTTP-referrer
# restriction on the GCP key itself (see docs/domain-onboarding.md).
VITE_GOOGLE_MAPS_API_KEY: ${{ vars.VITE_GOOGLE_MAPS_API_KEY || secrets.VITE_GOOGLE_MAPS_API_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: 24
cache: yarn
- name: Enable Corepack
run: corepack enable
- name: Validate build variables
run: |
test -n "$VITE_SUPABASE_URL"
test -n "$VITE_SUPABASE_ANON_KEY"
test -n "$VITE_POWERSYNC_URL"
test -n "$VITE_GOOGLE_MAPS_API_KEY"
- name: Install dependencies
run: yarn install --frozen-lockfile
- name: Build
run: yarn run build
# Build provenance / tamper-evidence for the deployed client build.
# This is a transparency/detection mitigation only: it lets anyone
# verify a served file matches what this workflow built from this
# commit. It does NOT prevent a targeted backdoor (that needs a
# runtime verifier, which is out of scope here).
#
# SHA256SUMS lists the sha256 of every file shipped to Pages and is
# itself published at /<repo>/SHA256SUMS. The provenance attestation
# below signs just this manifest; because the manifest commits to
# every file's hash, the signature transitively covers the whole
# build (the standard "signed sums" pattern).
#
# Verify, given a deployed site:
# 1. Fetch the served files and SHA256SUMS, then `sha256sum -c
# SHA256SUMS` to confirm served bytes match the manifest.
# 2. Confirm the manifest's provenance (signed Sigstore attestation
# logged to the public Rekor transparency log):
# gh attestation verify SHA256SUMS --owner Stvad
# which binds the manifest digest -> this workflow -> this commit.
- name: Generate SHA256SUMS manifest
run: cd dist && find . -type f ! -name SHA256SUMS -exec sha256sum {} \; | sort -k2 > SHA256SUMS
- name: Attest build provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: dist/SHA256SUMS
- name: Set up Pages
uses: actions/configure-pages@v6
- name: Upload artifact
uses: actions/upload-pages-artifact@v5
with:
path: dist
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v5