fix: unify fetch calls to use authedFetch for protected routes #707
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build Dispatch Image | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*" | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| IMAGE_NAME: ghcr.io/${{ github.repository }} | |
| jobs: | |
| docker: | |
| name: Docker Build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 | |
| - name: Log in to GHCR | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6 | |
| with: | |
| images: ${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha,prefix=sha- | |
| - name: Build Docker image | |
| id: build | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 | |
| with: | |
| context: . | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| DATABASE_URL=postgresql://localhost:5432/dispatch | |
| - name: Validate Prisma CLI runtime | |
| run: | | |
| IMAGE="dispatch:prisma-cli-runtime" | |
| docker build -t "$IMAGE" . | |
| echo "Validating Prisma CLI in image: $IMAGE" | |
| # Pass DATABASE_URL at runtime so prisma validate can load prisma.config.ts. | |
| # The builder stage ENV is only for npm run build (Next.js static generation). | |
| docker run --rm --env DATABASE_URL=postgresql://localhost:5432/dispatch --entrypoint ./node_modules/.bin/prisma "$IMAGE" --version | |
| docker run --rm --env DATABASE_URL=postgresql://localhost:5432/dispatch --entrypoint ./node_modules/.bin/prisma "$IMAGE" validate | |
| - name: Run Trivy vulnerability scanner | |
| if: github.event_name != 'pull_request' | |
| uses: aquasecurity/trivy-action@master | |
| continue-on-error: true | |
| with: | |
| image-ref: ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| exit-code: "0" | |
| - name: Upload Trivy results | |
| if: github.event_name != 'pull_request' && hashFiles('trivy-results.sarif') != '' | |
| uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 | |
| with: | |
| sarif_file: trivy-results.sarif |