fix: replace wildcard CORS subdomain check with explicit allowlist (a… #403
# Deployment pipeline: builds the API, sync function, email function and
# frontend, applies database migrations, then deploys each piece to Azure.
name: Deploy to Azure

on:
  push:
    branches:
      - main
  # NOTE(review): a manual run can be started from a ref other than main.
  # The deploy jobs below target the `production` environment, so branch
  # restrictions on that environment are what would keep non-main code out
  # of production. Confirm they are configured.
  workflow_dispatch:

concurrency:
  group: deploy-${{ github.ref }}
  # A newer run for the same ref cancels the one in progress.
  # NOTE(review): that can interrupt a run between the migration and deploy
  # jobs. Confirm this is intended for a production pipeline.
  cancel-in-progress: true

# Default GITHUB_TOKEN permissions for every job that does not declare its own.
# `id-token: write` allows a job to request a GitHub OIDC token.
# NOTE(review): only the jobs that call azure/login appear to need it;
# consider granting it per job instead of workflow-wide.
permissions:
  id-token: write
  contents: read

jobs:
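# ---------- build-api ----------
  # Restores, builds and tests PatchNotes.slnx, then publishes the API and the
  # sync function and uploads them as the `api` and `functions` artifacts.
  # NOTE(review): actions are referenced by mutable tags; pinning each `uses:`
  # to a full commit SHA (for example `actions/checkout@<full-commit-sha>`)
  # keeps a moved tag from changing what runs here.
  build-api:
    name: Build API
    runs-on: ubuntu-latest
    # Least privilege: override the workflow-level permissions. This job only
    # checks out the repository and runs build tooling, so it does not need
    # `id-token: write`. Restore, build and test execute third-party package
    # code, which should not be able to request an OIDC token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step pushes or fetches, so do not keep the token
          # configured for git after checkout.
          persist-credentials: false

      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '10.0.x'

      - name: Restore dependencies
        run: dotnet restore PatchNotes.slnx

      - name: Build
        run: dotnet build PatchNotes.slnx --no-restore --configuration Release

      - name: Test
        run: dotnet test PatchNotes.slnx --no-build --configuration Release --verbosity normal

      - name: Publish API
        run: dotnet publish PatchNotes.Api/PatchNotes.Api.csproj --configuration Release --output ./publish/api

      - name: Upload API artifact
        uses: actions/upload-artifact@v6
        with:
          name: api
          path: ./publish/api

      # --no-build: reuses the output of the Build step above.
      - name: Publish Sync Function
        run: dotnet publish PatchNotes.Functions/PatchNotes.Functions.csproj --no-build --configuration Release --output ./publish/functions

      - name: Upload Sync Function artifact
        uses: actions/upload-artifact@v6
        with:
          name: functions
          path: ./publish/functions
          # Dot-files and dot-directories are uploaded too.
          # NOTE(review): presumably the Functions publish output needs them;
          # confirm nothing sensitive is written under ./publish/functions.
          include-hidden-files: true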
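# ---------- build-email-function ----------
  # Builds the patchnotes-email package and assembles a self-contained
  # deployment directory, uploaded as the `email-function` artifact.
  # NOTE(review): actions are referenced by mutable tags, including the
  # third-party `pnpm/action-setup`; pinning each `uses:` to a full commit SHA
  # keeps a moved tag from changing what runs here.
  build-email-function:
    name: Build Email Function
    runs-on: ubuntu-latest
    # Least privilege: override the workflow-level permissions. This job runs
    # package install and build scripts and never logs in to Azure, so it does
    # not need `id-token: write`.
    permissions:
      contents: read
    defaults:
      run:
        working-directory: patchnotes-email
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step pushes or fetches, so do not keep the token
          # configured for git after checkout.
          persist-credentials: false

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml

      # Installs from the workspace root with the lockfile enforced.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile --dir ${{ github.workspace }}

      - name: Build
        run: pnpm build

      # NOTE(review): the second install below uses --no-frozen-lockfile, so
      # the node_modules that ship in the artifact are resolved at build time
      # and may differ from the versions recorded in pnpm-lock.yaml. Consider
      # a lockfile-backed install for the packaged output.
      - name: Prepare deployment package
        working-directory: ${{ github.workspace }}
        run: |
          pnpm --filter patchnotes-email deploy publish/email-function --prod
          cp patchnotes-email/host.json publish/email-function/
          # Re-install with hoisted layout so Azure Functions can resolve all deps
          # (pnpm's symlinked node_modules breaks when deployed to Azure)
          cd publish/email-function
          echo "node-linker=hoisted" > .npmrc
          echo "" > pnpm-workspace.yaml
          pnpm install --prod --no-frozen-lockfile
          rm .npmrc pnpm-workspace.yaml

      - name: Upload Email Function artifact
        uses: actions/upload-artifact@v6
        with:
          name: email-function
          path: publish/email-function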
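# ---------- build-frontend ----------
  # Lints, format-checks, tests and builds patchnotes-web, then uploads
  # patchnotes-web/dist as the `frontend` artifact.
  # NOTE(review): actions are referenced by mutable tags, including the
  # third-party `pnpm/action-setup`; pinning each `uses:` to a full commit SHA
  # keeps a moved tag from changing what runs here.
  build-frontend:
    name: Build Frontend
    runs-on: ubuntu-latest
    # Least privilege: override the workflow-level permissions. This job runs
    # package install, lint, test and build scripts and never logs in to
    # Azure, so it does not need `id-token: write`.
    permissions:
      contents: read
    defaults:
      run:
        working-directory: patchnotes-web
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step pushes or fetches, so do not keep the token
          # configured for git after checkout.
          persist-credentials: false

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml

      # Installs from the workspace root with the lockfile enforced.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile --dir ${{ github.workspace }}

      - name: Lint
        run: pnpm lint

      - name: Format check
        run: pnpm format:check

      - name: Run tests
        run: pnpm test:run

      # Vite exposes VITE_-prefixed variables to client code, so both values
      # end up readable in the built bundle. Only values that are safe to
      # publish belong here.
      # NOTE(review): the secret name says "public token"; confirm it is.
      - name: Build
        run: pnpm build
        env:
          VITE_API_URL: ${{ vars.VITE_API_URL }}
          VITE_STYTCH_PUBLIC_TOKEN: ${{ secrets.VITE_STYTCH_PUBLIC_TOKEN }}

      - name: Upload frontend artifact
        uses: actions/upload-artifact@v6
        with:
          name: frontend
          path: patchnotes-web/dist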
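# ---------- migrate-database ----------
  # Rebuilds the solution from source and applies EF Core migrations for
  # SqlServerContext. Runs after build-api in the `production` environment.
  # NOTE(review): actions are referenced by mutable tags; pinning each `uses:`
  # to a full commit SHA keeps a moved tag from changing what runs here.
  migrate-database:
    name: Migrate Database
    needs: build-api
    runs-on: ubuntu-latest
    # Least privilege: override the workflow-level permissions. This job
    # authenticates to the database with a connection string, not with
    # azure/login, so it does not need `id-token: write`.
    permissions:
      contents: read
    environment:
      name: production
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step pushes or fetches, so do not keep the token
          # configured for git after checkout.
          persist-credentials: false

      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '10.0.x'

      - name: Restore dependencies
        run: dotnet restore PatchNotes.slnx

      - name: Build
        run: dotnet build PatchNotes.slnx --no-restore --configuration Release

      # NOTE(review): no --version is given, so each run installs whatever
      # dotnet-ef release is current, and that tool then runs with the
      # production connection string in its environment. Consider pinning it,
      # for example `--version <dotnet-ef-version>`.
      - name: Install EF Core tools
        run: dotnet tool install --global dotnet-ef

      # The connection string is scoped to this step only; the restore and
      # build steps above do not receive it.
      - name: Apply migrations
        run: >-
          dotnet ef database update
          --context SqlServerContext
          --project PatchNotes.Data/PatchNotes.Data.csproj
          --startup-project PatchNotes.Api/PatchNotes.Api.csproj
          --configuration Release
          --no-build
        env:
          ConnectionStrings__PatchNotes: ${{ secrets.DATABASE_CONNECTION_STRING }}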
# ---------- deploy-api ----------
  # Downloads the `api` artifact and deploys it to the App Service
  # `api-myreleasenotes-ai`, after build-api and migrate-database have run.
  # azure/login receives client, tenant and subscription ids but no client
  # secret, so it presumably signs in through OIDC federation. That depends on
  # the workflow-level `id-token: write` permission.
  # NOTE(review): actions are referenced by mutable tags; pinning each `uses:`
  # to a full commit SHA keeps a moved tag from changing what runs here.
  deploy-api:
    name: Deploy API to App Service
    needs:
      - build-api
      - migrate-database
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://api.myreleasenotes.ai
    steps:
      - name: Download API artifact
        uses: actions/download-artifact@v7
        with:
          name: api
          path: ./api

      - name: Login to Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy to Azure App Service
        uses: azure/webapps-deploy@v3
        with:
          app-name: api-myreleasenotes-ai
          package: ./api
          startup-command: dotnet PatchNotes.Api.dll
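# ---------- deploy-frontend ----------
  # Downloads the prebuilt `frontend` artifact and uploads it to Azure Static
  # Web Apps, after build-frontend has run.
  # NOTE(review): actions are referenced by mutable tags; pinning each `uses:`
  # to a full commit SHA keeps a moved tag from changing what runs here.
  deploy-frontend:
    name: Deploy Frontend to Static Web Apps
    needs: build-frontend
    runs-on: ubuntu-latest
    # Least privilege: override the workflow-level permissions. This job
    # authenticates with a Static Web Apps deployment token and does not call
    # azure/login, so it does not need `id-token: write`.
    permissions:
      contents: read
    environment:
      name: production
      url: https://app.myreleasenotes.ai
    steps:
      - uses: actions/checkout@v6

      - name: Download frontend artifact
        uses: actions/download-artifact@v7
        with:
          name: frontend
          path: patchnotes-web/dist

      - name: Deploy to Azure Static Web Apps
        uses: azure/static-web-apps-deploy@v1
        with:
          # The deployment token authorizes uploads to the Static Web App.
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}
          # The job's GITHUB_TOKEN is handed to the action; it carries only
          # the permissions declared on this job.
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: upload
          app_location: patchnotes-web/dist
          api_location: ""
          output_location: ""
          # The artifact is already built; the action only uploads it.
          skip_app_build: true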
# ---------- deploy-sync-function ----------
  # Downloads the `functions` artifact and deploys it to the Function App
  # `fn-patchnotes-sync`, after build-api and migrate-database have run.
  # azure/login receives client, tenant and subscription ids but no client
  # secret, so it presumably signs in through OIDC federation. That depends on
  # the workflow-level `id-token: write` permission.
  # NOTE(review): actions are referenced by mutable tags; pinning each `uses:`
  # to a full commit SHA keeps a moved tag from changing what runs here.
  deploy-sync-function:
    name: Deploy Sync Function
    needs:
      - build-api
      - migrate-database
    runs-on: ubuntu-latest
    environment:
      name: production
    steps:
      - name: Download Sync Function artifact
        uses: actions/download-artifact@v7
        with:
          name: functions
          path: ./functions

      - name: Login to Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy to Azure Functions
        uses: azure/functions-action@v1
        with:
          app-name: fn-patchnotes-sync
          package: ./functions
# ---------- deploy-email-function ----------
  # Downloads the `email-function` artifact and deploys it to the Function App
  # `fn-patchnotes-email`, after build-email-function has run.
  # azure/login receives client, tenant and subscription ids but no client
  # secret, so it presumably signs in through OIDC federation. That depends on
  # the workflow-level `id-token: write` permission.
  # NOTE(review): actions are referenced by mutable tags; pinning each `uses:`
  # to a full commit SHA keeps a moved tag from changing what runs here.
  deploy-email-function:
    name: Deploy Email Function
    needs: build-email-function
    runs-on: ubuntu-latest
    environment:
      name: production
    steps:
      - name: Download Email Function artifact
        uses: actions/download-artifact@v7
        with:
          name: email-function
          path: ./email-function

      - name: Login to Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy to Azure Functions
        uses: azure/functions-action@v1
        with:
          app-name: fn-patchnotes-email
          package: ./email-function