Test and run #89
| workflow_dispatch: | ||
|
|
||
| env: | ||
| AZURE_WEBAPP_NAME: your-app-name # set this to your application's name |
Unconfigured placeholder app name in deployment workflow
High Severity
AZURE_WEBAPP_NAME is set to the template placeholder your-app-name rather than an actual Azure Web App name. This workflow triggers on every push to main and on workflow_dispatch, so it will attempt a real deployment to a non-existent app, causing the deploy job to fail every time. This appears to be a GitHub-provided starter template committed without being configured.
Reviewed by Cursor Bugbot for commit e923e07.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
There are 4 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit f989537.
| - name: Use .env file | ||
| run: | | ||
| source .env | ||
| echo "Environment: $NODE_ENV" |
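Review bot: source .env in this step executes the file as shell code, and the variables it sets exist only in this step's shell, so a later step will not see NODE_ENV. If later steps need the values, append each KEY=value line to $GITHUB_ENV instead of sourcing, or pass them through an env: block on the steps that use them. If the file must be sourced, it should contain only plain assignments, since any command in it runs on the runner.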
README.md overwritten with workflow YAML content
High Severity
The entire README.md has been replaced with a GitHub Actions workflow YAML definition (name: Build and Test, on: push, jobs:, etc.) instead of Markdown documentation. This content won't execute as a workflow from README.md — workflows must live under .github/workflows/. The previous README documentation is now lost, and visitors to the repo will see raw YAML instead of project docs.
Reviewed by Cursor Bugbot for commit f989537.
| - name: Create .env file | ||
| run: | | ||
| echo "NODE_ENV=production" >> .env | ||
| echo "DATABASE_URL=postgresql://localhost:5432/mydb" >> .env |
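Review bot: both echo lines append with >>, so if a .env already exists in the checkout, or the step runs again in the same workspace, the file keeps the old entries alongside these and the effective value depends on how the reader resolves duplicates. Write the first line with > so the file starts empty, and make sure .env is excluded from any artifact the job uploads.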
Hardcoded database URL exposed in README
Medium Severity
A hardcoded DATABASE_URL=postgresql://localhost:5432/mydb is committed in README.md. While this appears to be a localhost development URL, committing database connection strings (even local ones) sets a bad precedent and could leak infrastructure details. Unlike API_KEY on the next line which correctly uses secrets, this connection string is in plaintext in a public-facing file.
Reviewed by Cursor Bugbot for commit f989537.
| node-version: ${{ steps.nvm.outputs.NODE_VERSION }} | ||
| - uses: MetaMask/action-publish-release@v1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
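Review bot: MetaMask/action-publish-release@v1 is referenced by a movable tag and receives GITHUB_TOKEN in its env, so whatever commit v1 points to at run time gets the token. Pin the action to a full commit SHA, keeping the version in a trailing comment, and if the job does not already declare one, add a permissions: block that limits the token to what publishing a release needs.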
Workflow is exact duplicate of template file
Low Severity
.github/workflows/publish-release.yml is a byte-for-byte copy of workflow-templates/publish-release.yml. In a .github organization template repository, the workflow-templates/ directory provides templates for other repos to adopt. Placing the same content in .github/workflows/ activates it as a live workflow for this repo, which is likely unintentional and makes it an active duplicate of the template it's meant to distribute.
Reviewed by Cursor Bugbot for commit f989537.


Note
Medium Risk
Introduces new CI/CD workflows that can deploy to Azure and publish GitHub releases, so misconfiguration of secrets/branch filters could trigger unintended deployments or releases.
Overview
Adds a new GitHub Actions pipeline (azure-webapps-node.yml) that builds/tests a Node.js app on pushes to main, uploads an artifact, and deploys it to an Azure Web App using AZURE_WEBAPP_PUBLISH_PROFILE.
Adds a publish-release.yml workflow that publishes a GitHub release automatically when a release/* pull request is merged.
Updates README.md to include an example GitHub Actions workflow that writes and sources a .env file during CI.
Reviewed by Cursor Bugbot for commit f989537. Bugbot is set up for automated code reviews on this repo.