Skip to content

feat: add Cloudflare Pages deploy pipeline for UI #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chitcommit merged 5 commits into from
Mar 16, 2026
Merged

feat: add Cloudflare Pages deploy pipeline for UI #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f569c9f
feat: add Cloudflare Pages deploy pipeline for UI
Mar 16, 2026
7b84dd9
chore: consolidate wrangler config — remove env splits, update compat…
Mar 16, 2026
6275450
fix: use ChittyConnect for Pages deploy credentials
Mar 16, 2026
2ca1ceb
fix: resolve hono prototype pollution vulnerability (npm audit fix)
Mar 16, 2026
da96fa8
fix: resolve npm audit high-severity vulnerabilities
Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,3 +82,22 @@
run: bash scripts/pressure-test-governance.sh
- name: Lint (skipped)
run: echo "no linter configured"

build-ui:
runs-on: ubuntu-latest
needs:
- workflow-secret-policy
- secret-scan
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
cache-dependency-path: ui/package-lock.json
- name: Install
run: npm ci
working-directory: ui
- name: Build (includes typecheck)
run: npm run build
working-directory: ui
Comment on lines +87 to +103

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

In general, the fix is to define explicit permissions: for the workflow or individual jobs, granting only the scopes and access levels actually required. For simple CI workflows that only check out code and run tests, contents: read is usually sufficient. Since all jobs here are pure CI (secret policy check, secret scan, build, and UI build), they only need read access to repository contents.

The most straightforward fix without changing functionality is to add a top‑level permissions: block applying to all jobs, directly under the name: CI (or before on:). This will restrict GITHUB_TOKEN to read-only on repository contents for every job, satisfying CodeQL and aligning with least-privilege. No other code needs to change, and no job appears to need broader permissions like pull-requests: write or contents: write.

Concretely, in .github/workflows/ci.yml, insert:

permissions:
  contents: read

after line 1 (name: CI) and before the on: block. No imports or additional methods are needed; it’s purely a YAML configuration change.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
EOF
@@ -1,5 +1,8 @@
name: CI

permissions:
contents: read

on:
pull_request:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
61 changes: 61 additions & 0 deletions .github/workflows/deploy-pages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: Deploy Pages

on:
workflow_dispatch:
push:
branches: [main]
paths:
- 'ui/**'
- '.github/workflows/deploy-pages.yml'

jobs:
get-credentials:
runs-on: ubuntu-latest
outputs:
cloudflare_token: ${{ steps.creds.outputs.cloudflare_token }}
account_id: ${{ steps.creds.outputs.account_id }}
steps:
- uses: actions/checkout@v4
with:
repository: CHITTYOS/chittyops
sparse-checkout: .github/actions/getchitty-creds
path: .chittyops

- name: Fetch ephemeral credentials
id: creds
uses: ./.chittyops/.github/actions/getchitty-creds
with:
api_key: ${{ secrets.CHITTYCONNECT_API_KEY }}
purpose: 'pages-deploy'
service: 'chittycommand-ui'

deploy:
Comment on lines +13 to +32

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

To fix this, explicitly set the GITHUB_TOKEN permissions for the get-credentials job instead of relying on the default repository/organization settings. This documents the intended permissions and ensures the job won’t accidentally gain broader access if defaults change.

The best minimal fix without changing existing functionality is to add a permissions block to the get-credentials job with contents: read, which is sufficient for actions/checkout and does not grant write privileges. The deploy job already has an appropriate permissions block, so it should remain unchanged.

Concretely, in .github/workflows/deploy-pages.yml, under jobs:, in the get-credentials job definition, add:

    permissions:
      contents: read

directly beneath runs-on: ubuntu-latest. No imports or other definitions are needed, as this is purely a workflow configuration change.

Suggested changeset 1
.github/workflows/deploy-pages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
--- a/.github/workflows/deploy-pages.yml
+++ b/.github/workflows/deploy-pages.yml
@@ -11,6 +11,8 @@
 jobs:
   get-credentials:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       cloudflare_token: ${{ steps.creds.outputs.cloudflare_token }}
       account_id: ${{ steps.creds.outputs.account_id }}
EOF
@@ -11,6 +11,8 @@
jobs:
get-credentials:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
cloudflare_token: ${{ steps.creds.outputs.cloudflare_token }}
account_id: ${{ steps.creds.outputs.account_id }}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
needs: get-credentials
runs-on: ubuntu-latest
permissions:
contents: read
deployments: write
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
cache-dependency-path: ui/package-lock.json

- name: Install dependencies
run: npm ci
working-directory: ui

- name: Build
run: npm run build
working-directory: ui

- name: Deploy to Cloudflare Pages
uses: cloudflare/wrangler-action@v3

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Deploy Pages' step
Uses Step
Loading
uses 'cloudflare/wrangler-action' with ref 'v3', not a pinned commit hash
with:
apiToken: ${{ needs.get-credentials.outputs.cloudflare_token }}
accountId: ${{ needs.get-credentials.outputs.account_id }}
command: pages deploy dist --project-name=chittycommand-ui
workingDirectory: ui
106 changes: 53 additions & 53 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,5 +33,10 @@
"typescript": "^5.5.0",
"vitest": "^4.0.18",
"wrangler": "^4.60.0"
},
"overrides": {
"miniflare": {
"undici": "^7.24.0"
}
}
}
2 changes: 2 additions & 0 deletions ui/.env.production
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
VITE_API_URL=https://command.chitty.cc/api
VITE_AUTH_URL=https://command.chitty.cc/auth
3 changes: 3 additions & 0 deletions ui/wrangler.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
name = "chittycommand-ui"
pages_build_output_dir = "dist"
compatibility_date = "2026-01-15"
5 changes: 1 addition & 4 deletions wrangler.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ CHITTYLEDGER_URL = "https://ledger.chitty.cc"
CHITTYFINANCE_URL = "https://finance.chitty.cc"
CHITTYCHARGE_URL = "https://charge.chitty.cc"
CHITTYCONNECT_URL = "https://connect.chitty.cc"
PLAID_ENV = "sandbox"
PLAID_ENV = "production"
CHITTYBOOKS_URL = "https://chittybooks.chitty.cc"
CHITTYASSETS_URL = "https://chittyassets.chitty.cc"
CHITTYSCRAPE_URL = "https://scrape.chitty.cc"
Expand Down Expand Up @@ -60,6 +60,3 @@ crons = [
"0 15 1 * *" # Monthly 1st 9 AM CT: Mortgage, property tax
]

# Production overrides
[env.production.vars]
PLAID_ENV = "production"
Loading