Merge dev-release-ci to Dev#162
Conversation
| runs-on: self-hosted # REQUIRES SOME SUDO EXECUTION PRIVILEGES WITHOUT A PASSWORD PROMPT | ||
|
|
||
| steps: | ||
| - name: Stopping systemd service | ||
| run: sudo systemctl stop discordbot | ||
|
|
||
| - name: Pulling latest changes | ||
| working-directory: /home/vb2007/prod/discordbot | ||
| run: | | ||
| BRANCH="${{ github.event.inputs.branch || 'main' }}" | ||
| echo "Deploying branch: $BRANCH" | ||
| git fetch origin | ||
| git reset --hard origin/$BRANCH | ||
| git clean -fd | ||
| echo "Successfully pulled latest changes from $BRANCH" | ||
|
|
||
| - name: Intalling Node.js dependencies | ||
| working-directory: /home/vb2007/prod/discordbot | ||
| run: | | ||
| # Clean install to ensure fresh dependencies | ||
| rm -rf node_modules package-lock.json | ||
| npm install | ||
| echo "Dependencies installed successfully" | ||
|
|
||
| # - name: Build the application # for now we run without building | ||
| # working-directory: /home/vb2007/prod/discordbot | ||
| # run: | | ||
| # npm run build | ||
| # echo "Application built successfully" | ||
|
|
||
| - name: Deploying possible new commands | ||
| working-directory: /home/vb2007/prod/discordbot | ||
| run: | | ||
| echo "Starting command deployment..." | ||
| output=$(npm run deploy 2>&1) | ||
| echo "$output" | ||
|
|
||
| if echo "$output" | grep -q "Registered .* slash (/) commands at Discord"; then | ||
| echo "✅ Command deployment successful" | ||
| else | ||
| echo "❌ Command deployment failed" | ||
| exit 1 | ||
| fi | ||
| sleep 8 | ||
|
|
||
| - name: Updating command data | ||
| working-directory: /home/vb2007/prod/discordbot | ||
| run: | | ||
| echo "Starting table creation and command data update..." | ||
| output=$(npm run create-tables 2>&1) | ||
| echo "$output" | ||
|
|
||
| if echo "$output" | grep -q "All queries are executed & all tables are processed." && echo "$table_output" | grep -q "Command data has been updated successfully."; then | ||
| echo "✅ Table creation and command data update successful" | ||
| else | ||
| echo "❌ Table creation or command data update failed" | ||
| exit 1 | ||
| fi | ||
| sleep 5 | ||
|
|
||
| - name: Starting systemd service | ||
| run: | | ||
| sudo systemctl start discordbot | ||
| sleep 5 | ||
| sudo systemctl status discordbot --no-pager | ||
| echo "Systemd service started" | ||
|
|
||
| - name: Verifying deployment outcome | ||
| run: | | ||
| echo "Waiting for the service to start" | ||
| sleep 10 | ||
|
|
||
| if sudo systemctl is-active --quiet discordbot.service; then | ||
| echo "✅ Deployment successful - service is running" | ||
| else | ||
| echo "❌ Deployment failed - service is not running" | ||
| sudo systemctl status discordbot.service --no-pager | ||
| exit 1 | ||
| fi |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 months ago
The best way to address this is to explicitly set the minimal possible permissions at the workflow or job level. Since this workflow does not interact with the GitHub API (e.g., does not push, create issues/PRs, etc.), it likely does not require any permissions, so we can set permissions: {} (no permissions). For maximum clarity and compatibility, and to make explicit the restricted policy, we add at the top-level of the workflow (after the name key and before on:) a permissions: {} block. If in future the workflow is extended to perform any GitHub API operations, only the minimum required permissions should be added.
Edits required:
Insert the permissions: {} line after name: Build and Deploy, i.e., between lines 1 and 2.
| @@ -1,4 +1,5 @@ | ||
| name: Build and Deploy | ||
| permissions: {} | ||
|
|
||
| on: | ||
| push: |
mainbranch