till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-15 09:01:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

chore(ci): add staging config protection and validation

Browse source 
- Add staging-config-check.yml workflow to validate HTTPS URLs on PRs
- Add CODEOWNERS to require team lead review for critical config files
- Update GIT_WORKFLOW.md with config file protection guidelines

Prevents accidental reversion of staging URLs (HTTP vs HTTPS) during rebases.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Wuesteon 2025-12-10 13:48:45 +01:00
parent dd0199c083
commit 422fcd6b34
3 changed files with 193 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

103
.github/workflows/staging-config-check.yml vendored Normal file
View file

@ -0,0 +1,103 @@
name: Staging Config Check
on:
pull_request:
paths:
- 'docker-compose.staging.yml'
- 'docker/caddy/Caddyfile.staging'
jobs:
check-staging-urls:
name: Validate Staging URLs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for HTTP IP addresses in _CLIENT URLs
run: |
echo "Checking docker-compose.staging.yml for HTTP IP addresses..."
# Check that no _CLIENT URLs use HTTP IP addresses
if grep -E '_CLIENT:.*http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' docker-compose.staging.yml; then
echo ""
echo "::error::Found HTTP IP addresses in _CLIENT URLs!"
echo "All _CLIENT URLs must use HTTPS staging domains (e.g., https://auth.staging.manacore.ai)"
exit 1
fi
echo "No HTTP IP addresses found in _CLIENT URLs"
- name: Check for non-HTTPS external URLs
run: |
echo "Checking for non-HTTPS external URLs in _CLIENT variables..."
# Check that _CLIENT URLs use HTTPS (excluding localhost for dev)
VIOLATIONS=$(grep -E '_CLIENT:.*http://' docker-compose.staging.yml | grep -v localhost || true)
if [ -n "$VIOLATIONS" ]; then
echo ""
echo "::error::Found non-HTTPS URLs in _CLIENT variables!"
echo "$VIOLATIONS"
echo ""
echo "All _CLIENT URLs must use HTTPS for staging domains."
exit 1
fi
echo "All _CLIENT URLs use HTTPS"
- name: Verify required HTTPS domains
run: |
echo "Verifying required HTTPS staging domains are configured..."
REQUIRED_DOMAINS=(
"https://auth.staging.manacore.ai"
"https://staging.manacore.ai"
)
MISSING=0
for domain in "${REQUIRED_DOMAINS[@]}"; do
if ! grep -q "$domain" docker-compose.staging.yml; then
echo "::warning::Missing required domain: $domain"
MISSING=1
fi
done
if [ $MISSING -eq 1 ]; then
echo ""
echo "::warning::Some required staging domains are not configured. Please verify this is intentional."
fi
echo "Domain verification complete"
- name: Check CORS origins include HTTPS
run: |
echo "Checking CORS_ORIGINS for HTTPS staging domains..."
# Extract CORS_ORIGINS lines and check they include staging domains
CORS_LINES=$(grep "CORS_ORIGINS:" docker-compose.staging.yml || true)
if [ -n "$CORS_LINES" ]; then
# Check if any CORS line has HTTP staging domains (not localhost)
HTTP_CORS=$(echo "$CORS_LINES" | grep -E 'http://[a-z]+\.staging\.manacore\.ai' || true)
if [ -n "$HTTP_CORS" ]; then
echo ""
echo "::error::Found HTTP (non-HTTPS) staging domains in CORS_ORIGINS!"
echo "$HTTP_CORS"
exit 1
fi
fi
echo "CORS origins are correctly configured"
- name: Summary
run: |
echo ""
echo "======================================"
echo "Staging Configuration Check: PASSED"
echo "======================================"
echo ""
echo "All checks passed:"
echo " - No HTTP IP addresses in _CLIENT URLs"
echo " - All external _CLIENT URLs use HTTPS"
echo " - CORS origins correctly configured"