fix(review): address #175 audit findings (#177) #199
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| name: Deploy arena UI to Cloudflare Pages | |
| # Auto-deploys the React Router SPA at `arena/` to Cloudflare Pages | |
| # (project: trading-arena → https://trading-arena.blueprint.tangle.tools). | |
| # | |
| # Before this existed the project was wired as "direct upload" in Cloudflare | |
| # with no git source, so every CSP / dapp-host / runtime-backend change had to | |
| # be deployed by a human running `wrangler pages deploy` locally — which | |
| # silently broke when nobody noticed an old commit on main hadn't shipped. | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'arena/**' | |
| - '.github/workflows/deploy-arena.yml' | |
| workflow_dispatch: | |
| concurrency: | |
| group: deploy-arena-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: pnpm/action-setup@v6 | |
| with: | |
| version: 10 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| cache: pnpm | |
| # The pnpm workspace lives at arena/, not repo root, so point | |
| # setup-node at the right lockfile for caching. | |
| cache-dependency-path: arena/pnpm-lock.yaml | |
| - name: Install dependencies | |
| working-directory: arena | |
| run: pnpm install --frozen-lockfile | |
| - name: Build arena UI | |
| working-directory: arena | |
| # The build runs HERE (not in CF Pages' build system), so Vite only sees | |
| # env from this step — CF Pages dashboard vars do NOT apply. Bake the live | |
| # operator backend URL in so the deployed arena fetches bots/leaderboard | |
| # from the operator instead of falling back to the empty-state card. | |
| # Single canonical operator plus optional comma/JSON list of public | |
| # operator endpoints for fleet-wide homepage volume. The operator's | |
| # CORS_ALLOWED_ORIGINS must include this arena origin. | |
| env: | |
| VITE_OPERATOR_API_URL: ${{ vars.TRADING_OPERATOR_API_URL || 'https://178.104.232.124.sslip.io' }} | |
| VITE_TRADING_OPERATOR_API_URLS: ${{ vars.TRADING_OPERATOR_API_URLS || vars.TRADING_OPERATOR_API_URL || 'https://178.104.232.124.sslip.io' }} | |
| VITE_ADDITIONAL_TRADING_OPERATOR_API_URLS: ${{ vars.ADDITIONAL_TRADING_OPERATOR_API_URLS || '' }} | |
| VITE_BLUEPRINT_ID: ${{ vars.VITE_BLUEPRINT_ID || '1' }} | |
| VITE_INSTANCE_BLUEPRINT_ID: ${{ vars.VITE_INSTANCE_BLUEPRINT_ID || '2' }} | |
| VITE_TEE_BLUEPRINT_ID: ${{ vars.VITE_TEE_BLUEPRINT_ID || '3' }} | |
| VITE_SERVICE_IDS: ${{ vars.VITE_SERVICE_IDS || '1,2,3' }} | |
| VITE_HYPEREVM_TESTNET_ENABLED: ${{ vars.VITE_HYPEREVM_TESTNET_ENABLED || 'true' }} | |
| VITE_HYPEREVM_TESTNET_CHAIN_ID: ${{ vars.VITE_HYPEREVM_TESTNET_CHAIN_ID || '998' }} | |
| VITE_HYPEREVM_TESTNET_RPC_URL: ${{ vars.VITE_HYPEREVM_TESTNET_RPC_URL || 'https://rpc.hyperliquid-testnet.xyz/evm' }} | |
| VITE_HYPEREVM_TESTNET_USDC_ASSET_TOKEN: ${{ vars.VITE_HYPEREVM_TESTNET_USDC_ASSET_TOKEN || '0x2B3370eE501B4a559b57D449569354196457D8Ab' }} | |
| VITE_HYPEREVM_TESTNET_VAULT_FACTORY_ADDRESS: ${{ vars.VITE_HYPEREVM_TESTNET_VAULT_FACTORY_ADDRESS || '0x7df00f20efbc59e2b978c0bcc10a16e5ff1070c3' }} | |
| VITE_HYPEREVM_TESTNET_VAULT_ADDRESS: ${{ vars.VITE_HYPEREVM_TESTNET_VAULT_ADDRESS || '' }} | |
| VITE_HYPEREVM_TESTNET_PAPER_TRADE: ${{ vars.VITE_HYPEREVM_TESTNET_PAPER_TRADE || 'false' }} | |
| VITE_HYPEREVM_MAINNET_ENABLED: ${{ vars.VITE_HYPEREVM_MAINNET_ENABLED || 'false' }} | |
| VITE_HYPEREVM_MAINNET_CHAIN_ID: ${{ vars.VITE_HYPEREVM_MAINNET_CHAIN_ID || '999' }} | |
| VITE_HYPEREVM_MAINNET_RPC_URL: ${{ vars.VITE_HYPEREVM_MAINNET_RPC_URL || '' }} | |
| VITE_HYPEREVM_MAINNET_USDC_ASSET_TOKEN: ${{ vars.VITE_HYPEREVM_MAINNET_USDC_ASSET_TOKEN || '' }} | |
| VITE_HYPEREVM_MAINNET_VAULT_FACTORY_ADDRESS: ${{ vars.VITE_HYPEREVM_MAINNET_VAULT_FACTORY_ADDRESS || '' }} | |
| VITE_HYPEREVM_MAINNET_VAULT_ADDRESS: ${{ vars.VITE_HYPEREVM_MAINNET_VAULT_ADDRESS || '' }} | |
| VITE_HYPEREVM_MAINNET_PAPER_TRADE: ${{ vars.VITE_HYPEREVM_MAINNET_PAPER_TRADE || 'false' }} | |
| run: pnpm run build | |
| # `cloudflare/wrangler-action` tries to install wrangler via `pnpm add` | |
| # which fails on workspace-root repos (`ERR_PNPM_ADDING_TO_ROOT`). Install | |
| # it ourselves via npm and shell out directly. | |
| - name: Install wrangler | |
| run: npm i -g wrangler@^3 | |
| - name: Deploy to Cloudflare Pages | |
| env: | |
| CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
| CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
| run: | | |
| wrangler pages deploy arena/build/client \ | |
| --project-name=trading-arena \ | |
| --branch=main \ | |
| --commit-hash=${{ github.sha }} |
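Review bot: The deploy step hands `CLOUDFLARE_API_TOKEN` to whatever `npm i -g wrangler@^3` resolves to at run time, and the three `uses:` lines reference movable tags (`actions/checkout@v6`, `pnpm/action-setup@v6`, `actions/setup-node@v6`), so nothing in the job that builds and publishes the site is pinned. Pin wrangler to an exact version, `run: npm i -g wrangler@<EXACT_VERSION>`, and pin each action to a full commit SHA with the tag kept as a trailing comment. Separately, `workflow_dispatch` can be started from any ref while the deploy hard-codes `--branch=main`, so a non-main build would be published under the `main` branch name (presumably production); a job-level `if: github.ref == 'refs/heads/main'` closes that. The build env also falls back to `https://178.104.232.124.sslip.io` when `vars.TRADING_OPERATOR_API_URL` is unset, which silently bakes an IP-derived host on a third-party wildcard DNS service into the shipped bundle; failing the build on a missing variable would be safer. The page banner reports hidden or bidirectional Unicode in this file, which this rendering does not show, so the raw bytes should be inspected before merge.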