Deploy website #18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy website | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'website/**' | |
| workflow_dispatch: | |
| jobs: | |
| deploy: | |
| environment: release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| deployments: write | |
| statuses: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout main branch | |
| uses: actions/checkout@v4 | |
| - name: Deploy website directory to website branch | |
| uses: peaceiris/actions-gh-pages@v4 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./website | |
| publish_branch: website | |
| keep_files: true | |
| destination_dir: api | |
| user_name: 'github-actions[bot]' | |
| user_email: 'github-actions[bot]@users.noreply.github.com' | |
| commit_message: ${{ github.event.head_commit.message }} | |
| - name: Set up Python 3.12 | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: "3.12" | |
| - name: Install Python deps | |
| run: | | |
| python -m pip install --upgrade pip | |
| if [ -f requirements.txt ]; then pip install -r requirements.txt; fi | |
| pip install cryptography scratchattach | |
| - name: Checkout website branch | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: 'website' | |
| # New single-step secure deploy: | |
| - name: Generate Vercel token and deploy (keeps secrets in-step only) | |
| env: | |
| FERNET_KEY: ${{ secrets.FERNET_KEY }} | |
| run: | | |
| set -euo pipefail | |
| # run token generator and capture output into variables WITHOUT printing | |
| # Adjust this read pattern if `python -m util vercel` emits a different format. | |
| cd tests | |
| IFS=$'\n' read -r VERCEL_TOKEN ORG_ID PROJECT_ID < <(python -m util vercel) | |
| cd .. | |
| # Mask the values so accidental prints later are redacted | |
| echo "::add-mask::$VERCEL_TOKEN" | |
| echo "::add-mask::$ORG_ID" | |
| echo "::add-mask::$PROJECT_ID" | |
| # Install node / vercel CLI (no global logs of the token) | |
| curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - | |
| sudo apt-get install -y nodejs | |
| npm install -g vercel | |
| # Run Vercel deploy using the token only in this step (no exporting) | |
| # Use --confirm so it won't prompt; adapt flags for your project. | |
| cd website | |
| vercel --token "$VERCEL_TOKEN" --prod --confirm --org "$ORG_ID" --scope "$ORG_ID" --force --local-config ./vercel.json -- --project "$PROJECT_ID" | |
| shell: bash |