website publish flow security

visgl · Apr 25, 2024 · 21a8903 · 21a8903
1 parent 144b969
commit 21a8903
Showing 1 changed file with 27 additions and 23 deletions.
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -6,44 +6,48 @@ on:
       - '*-release'
 
 jobs:
-  publish-website:
+  check_branch:
     runs-on: ubuntu-latest
+    outputs:
+      should_deploy: ${{ endsWith(github.ref, steps.get_version.outputs.latest) }}
 
-    if: github.repository_owner == 'visgl'
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Get version
+        id: get_version
+        run: |
+          LATEST=$(npm show react-map-gl version | grep -o -E "^[0-9]+\.[0-9]+")
+          echo "latest=${LATEST}-release" >> "$GITHUB_OUTPUT"
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: check_branch
 
-    env:
-      MapboxAccessToken: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+    if: ${{ github.repository_owner == 'visgl' && needs.check_branch.outputs.should_deploy }}
 
     steps:
-      - uses: actions/checkout@v2.1.1
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Use Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
-          node-version: '16.x'
+          node-version: '18.x'
 
-      - name: Get version
-        id: get-version
-        run: LATEST=$(npm show react-map-gl version | grep -o -E "^[0-9]+\.[0-9]+") && echo "::set-output name=latest::/${LATEST}-release"
-
-      - name: Check version
-        if: ${{ !endsWith(github.ref, steps.get-version.outputs.latest) }}
+      - name: Install dependencies
         run: |
-          echo "Website is only published from the latest release branch"
+          yarn bootstrap
+          (cd website && yarn)
 
       - name: Build website
-        if: ${{ endsWith(github.ref, steps.get-version.outputs.latest) }}
-        run: |
-          yarn bootstrap
-          cd website
-          yarn
-          yarn build
+        env:
+          MapboxAccessToken: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+        run: (cd website && yarn build)
 
       - name: Deploy
-        if: ${{ endsWith(github.ref, steps.get-version.outputs.latest) }}
-        uses: JamesIves/github-pages-deploy-action@3.7.1
+        uses: JamesIves/github-pages-deploy-action@132898c54c57c7cc6b80eb3a89968de8fc283505 # 3.7.1
         with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.WEBSITE_DEPLOY_TOKEN }}
           BRANCH: gh-pages
           FOLDER: website/build
           CLEAN: true