Fix an issue where attackers could use the Nextjs image endpoint to redirect to any URL. #263
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| deploy: | |
| name: Deploy to Cloudflare Pages | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| deployments: write | |
| outputs: | |
| deployment_url: ${{ steps.cloudflare.outputs.url }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: 1 | |
| - name: Cache Next.js build | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ${{ github.workspace }}/.next/cache | |
| # Generate a new cache whenever packages or source files change. | |
| key: ${{ runner.os }}-nextjs-${{ hashFiles('**/bun.lockb') }}-${{ hashFiles('**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx') }} | |
| # If source files changed but packages didn't, rebuild from a prior cache. | |
| restore-keys: | | |
| ${{ runner.os }}-nextjs-${{ hashFiles('**/bun.lockb') }}- | |
| - name: Sets env vars for production | |
| run: | | |
| echo "SENTRY_ENVIRONMENT=production" >> $GITHUB_ENV | |
| echo "GITBOOK_ASSETS_PREFIX=https://static.gitbook.com" >> $GITHUB_ENV | |
| if: startsWith(github.ref, 'refs/heads/main') | |
| - name: Sets env vars for preview | |
| run: | | |
| echo "SENTRY_ENVIRONMENT=preview" >> $GITHUB_ENV | |
| if: 1 && !startsWith(github.ref, 'refs/heads/main') | |
| - name: Build Next.js with next-on-pages | |
| run: bun run build:cloudflare | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| SENTRY_ORG: ${{ vars.SENTRY_ORG }} | |
| SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }} | |
| SENTRY_DSN: ${{ vars.SENTRY_DSN }} | |
| - id: cloudflare | |
| name: Publish to Cloudflare Pages | |
| uses: cloudflare/pages-action@v1 | |
| with: | |
| apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| projectName: ${{ vars.CLOUDFLARE_PROJECT_NAME }} | |
| directory: ./.vercel/output/static | |
| gitHubToken: ${{ secrets.GITHUB_TOKEN }} | |
| workingDirectory: ./ | |
| - name: Outputs | |
| run: | | |
| echo "ID: ${{ steps.cloudflare.outputs.id }}" | |
| echo "URL: ${{ steps.cloudflare.outputs.url }}" | |
| echo "Environment: ${{ steps.cloudflare.outputs.environment }}" | |
| echo "Alias: ${{ steps.cloudflare.outputs.alias }}" | |
| - name: Archive build output | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-output | |
| path: .vercel/ | |
| visual-testing: | |
| runs-on: ubuntu-latest | |
| name: Visual Testing | |
| needs: deploy | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| - name: Setup Playwright | |
| uses: ./.github/actions/setup-playwright | |
| - name: Run Playwright tests | |
| run: bun e2e | |
| env: | |
| BASE_URL: ${{needs.deploy.outputs.deployment_url}} | |
| ARGOS_TOKEN: ${{ secrets.ARGOS_TOKEN }} | |
| pagespeed-testing: | |
| runs-on: ubuntu-latest | |
| name: PageSpeed Testing | |
| needs: deploy | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: 1 | |
| - name: Run pagespeed tests | |
| run: bun ./tests/pagespeed-testing.ts $DEPLOYMENT_URL | |
| env: | |
| DEPLOYMENT_URL: ${{needs.deploy.outputs.deployment_url}} | |
| PAGESPEED_API_KEY: ${{ secrets.PAGESPEED_API_KEY }} | |
| format: | |
| runs-on: ubuntu-latest | |
| name: Format | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: 1 | |
| - run: bun format --check . | |
| lint: | |
| runs-on: ubuntu-latest | |
| name: Lint | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: 1 | |
| - run: bun lint --no-cache | |
| test: | |
| runs-on: ubuntu-latest | |
| name: Test | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: 1 | |
| - run: bun unit | |
| typecheck: | |
| runs-on: ubuntu-latest | |
| name: Typecheck | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: 1.0.33 | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: 1 | |
| - run: bun typecheck |