npm - cistack - Versions diffs - 5.2.0 → 5.3.0 - Mend

cistack 5.2.0 → 5.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/generators/workflow.js +13 -4
package/tests/run.js +61 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cistack",
-  "version": "5.2.0",
+  "version": "5.3.0",
   "description": "Automatically generate GitHub Actions CI/CD pipelines by analysing your codebase",
   "main": "src/index.js",
   "types": "index.d.ts",

package/src/generators/workflow.js CHANGED Viewed

@@ -422,7 +422,7 @@ class WorkflowGenerator {
     if (previewSteps.length > 0) {
       jobs.preview = {
         name: `✨ Deploy → ${h.name} (Preview)`,
-        if: "github.event_name == 'pull_request'",
+        if: "github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository",
         'runs-on': 'ubuntu-latest',
         environment: 'preview',
         steps: [
@@ -883,20 +883,29 @@ class WorkflowGenerator {
         };
         steps.push(
           { name: 'Install Vercel CLI', run: 'npm install -g vercel' },
+          {
+            name: 'Validate Vercel credentials',
+            run: [
+              'test -n "$VERCEL_TOKEN" || (echo "Missing VERCEL_TOKEN secret. Add it in GitHub Actions secrets." && exit 1)',
+              'test -n "$VERCEL_ORG_ID" || (echo "Missing VERCEL_ORG_ID secret. Add it in GitHub Actions secrets." && exit 1)',
+              'test -n "$VERCEL_PROJECT_ID" || (echo "Missing VERCEL_PROJECT_ID secret. Add it in GitHub Actions secrets." && exit 1)',
+            ].join('\n'),
+            env: vercelEnv,
+          },
           {
             name: 'Pull Vercel environment',
-            run: `vercel pull --yes --environment=${isPreview ? 'preview' : 'production'} --token=\${{ secrets.VERCEL_TOKEN }}`,
+            run: `vercel pull --yes --environment=${isPreview ? 'preview' : 'production'} --token="$VERCEL_TOKEN"`,
             env: vercelEnv,
           },
           {
             name: 'Build project',
-            run: `vercel build${prodFlag ? ' ' + prodFlag : ''} --token=\${{ secrets.VERCEL_TOKEN }}`,
+            run: `vercel build${prodFlag ? ' ' + prodFlag : ''} --token="$VERCEL_TOKEN"`,
             env: vercelEnv,
           },
           {
             name: 'Deploy to Vercel',
             id: 'deploy',
-            run: `vercel deploy --prebuilt${prodFlag ? ' ' + prodFlag : ''} --token=\${{ secrets.VERCEL_TOKEN }} > deployment_url.txt && echo "DEPLOYMENT_URL=$(cat deployment_url.txt)" >> $GITHUB_ENV`,
+            run: `vercel deploy --prebuilt${prodFlag ? ' ' + prodFlag : ''} --token="$VERCEL_TOKEN" > deployment_url.txt && echo "DEPLOYMENT_URL=$(cat deployment_url.txt)" >> $GITHUB_ENV`,
             env: vercelEnv,
           },
         );

package/tests/run.js CHANGED Viewed

@@ -414,6 +414,38 @@ test('combineWorkflows preserves workflow-specific trigger scoping in the unifie
   assert(!combined.jobs.deploy_deploy.if.includes("github.ref_name == 'develop'"));
 });
+test('Vercel deploy workflows validate secrets before running vercel pull', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'vercel-secrets-app',
+      version: '1.0.0',
+      scripts: {
+        build: 'next build',
+      },
+    }),
+  });
+  const workflows = new WorkflowGenerator(
+    makeJsProject({
+      hosting: [{ name: 'Vercel', secrets: ['VERCEL_TOKEN', 'VERCEL_ORG_ID', 'VERCEL_PROJECT_ID'] }],
+      frameworks: [{ name: 'Next.js', confidence: 1, buildDir: '.next' }],
+    }),
+    projectDir
+  ).generate();
+  const deploy = parseWorkflow(workflows.find((workflow) => workflow.filename === 'deploy.yml').content);
+  const deploySteps = deploy.jobs.deploy.steps;
+  const validateStep = deploySteps.find((step) => step.name === 'Validate Vercel credentials');
+  const pullStep = deploySteps.find((step) => step.name === 'Pull Vercel environment');
+  assert(validateStep);
+  assert(validateStep.run.includes('Missing VERCEL_TOKEN secret'));
+  assert(validateStep.run.includes('Missing VERCEL_ORG_ID secret'));
+  assert(validateStep.run.includes('Missing VERCEL_PROJECT_ID secret'));
+  assert.equal(pullStep.run, 'vercel pull --yes --environment=production --token="$VERCEL_TOKEN"');
+});
 test('Single-layout monorepos still generate the root workspace matrix CI', () => {
   const projectDir = makeTempDir();
   const packages = [
@@ -528,6 +560,35 @@ test('Netlify preview configuration uses the detected production branch instead
   assert.equal(previewStep.with['production-branch'], 'release');
 });
+test('Preview deploy jobs only run for same-repo pull requests with secrets access', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'preview-guard-app',
+      version: '1.0.0',
+      scripts: {
+        build: 'next build',
+      },
+    }),
+  });
+  const generator = new WorkflowGenerator(
+    makeJsProject({
+      hosting: [{ name: 'Vercel', secrets: ['VERCEL_TOKEN', 'VERCEL_ORG_ID', 'VERCEL_PROJECT_ID'] }],
+      frameworks: [{ name: 'Next.js', confidence: 1, buildDir: '.next' }],
+    }),
+    projectDir
+  );
+  const deploy = generator.generate().find((workflow) => workflow.filename === 'deploy.yml');
+  const parsed = parseWorkflow(deploy.content);
+  assert.equal(
+    parsed.jobs.preview.if,
+    "github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository"
+  );
+});
 test('Generic JavaScript builds no longer upload a fake dist artifact when no build directory is known', () => {
   const projectDir = makeTempDir();
   writeFiles(projectDir, {