From 186f43ebd4fa1fecd4541deda775dc3245d17a17 Mon Sep 17 00:00:00 2001
From: adrienne-deriv <103016120+adrienne-deriv@users.noreply.github.com>
Date: Tue, 26 Sep 2023 11:30:16 +0800
Subject: [PATCH] adrienne/fix: cloudflare deployment security (#5667)

* refactor: sanitized email input from html element symbols
* chore: added pre-flow workflow for cloudflare pages
* chore: reverted prettier changes
* Revert "chore: reverted prettier changes"
This reverts commit a40129876bd472de0eccb30e41fe39e82c696351.
* chore: reverted prettier changes again
* chore: reverted pretiter changes againn
* Update messages.json
* Update messages.json
* chore: change secrets name
---
 .github/workflows/generate-preview-link.yml | 134 ++++++++++++++++++
 .../workflows/pre-generate-preview-link.yml | 28 ++++
 crowdin/messages.json | 2 +-
 3 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/generate-preview-link.yml
 create mode 100644 .github/workflows/pre-generate-preview-link.yml
diff --git a/.github/workflows/generate-preview-link.yml b/.github/workflows/generate-preview-link.yml
new file mode 100644
index 00000000000..b908cec998e
--- /dev/null
+++ b/.github/workflows/generate-preview-link.yml
@@ -0,0 +1,134 @@
+name: Generate preview link
+
+permissions:
+ actions: write
+ checks: write
+ contents: write
+ deployments: write
+ pull-requests: write
+ statuses: write
+
+on:
+ workflow_run:
+ workflows: ['Pre-generate preview link']
+ types:
+ - completed
+
+env:
+ NODE_OPTIONS: '--max-old-space-size=8192'
+
+concurrency:
+ group: cloudflare-pages-build-${{ github.event.workflow_run.head_branch }}
+ cancel-in-progress: true
+
+jobs:
+ build_to_cloudflare_pages:
+ runs-on: Ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: Download artifact
+ id: download-artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow_conclusion: success
+ run_id: ${{ github.event.workflow_run.id }}
+ name: 'pr-${{ github.event.workflow_run.id }}'
+
+ - name: Retrieve and verify user organization
+ id: pr_information
+ run: |
+ echo "Verifying user's organization..."
+ user=$(cat ./USERNAME)
+ response=$(curl -s -L \
+ -w "%{http_code}" \
+ -o /dev/null -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${{ secrets.PERSONAL_ACCESS_TOKEN }}" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "https://api.github.com/orgs/binary-com/memberships/$user")
+
+ if [ $response != "200" ]; then
+ echo "User is not a member of binary-com organization."
+ exit 1
+ else
+ echo "User is a member of binary-com organization."
+ echo "issue_number=$(cat ./NR)" > $GITHUB_OUTPUT
+ fi
+ - name: Checkout to repo
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+
+ - name: Setup node
+ uses: actions/setup-node@v2
+
+ - name: Get build output from master cache
+ uses: actions/cache/restore@v3
+ with:
+ key: master-cache-public
+ restore-keys: |
+ master-cache-public-replica
+ path: |
+ .cache
+ public
+ - name: Get cached dependencies
+ id: cache-npm
+ uses: actions/cache/restore@v3
+ with:
+ path: node_modules
+ key: npm-${{ hashFiles('**/package-lock.json') }}
+
+ - name: Install dependencies
+ if: ${{ steps.cache-npm.outputs.cache-hit != 'true' }}
+ run: npm ci
+
+ - name: Build project
+ id: build-project
+ run: npm run build
+
+ - name: Publish to Cloudflare Pages
+ id: publish-to-pages
+ env:
+ CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_TEST_LINKS_API_TOKEN }}
+ CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_TEST_LINKS_ACCOUNT_ID }}
+ run: |
+ echo "Installing Wrangler CLI"
+ npm i -g wrangler
+ echo "Deploying build to Cloudflare Pages"
+ directory='public'
+ projectName='deriv-com-preview-links'
+ branch=${{github.event.workflow_run.head_branch}}
+ preview_url=$(wrangler pages deploy $directory --project-name=$projectName --branch=$branch > log.txt 2>&1; echo $?)
+ echo "------"
+ cat log.txt
+ branchName=$(echo $branch | sed 's/[\/_]/-/g')
+ if grep -q "Deployment complete" log.txt; then
+ echo "preview_url=https://$branchName.deriv-com-preview-links.pages.dev" > "$GITHUB_OUTPUT"
+ else
+ echo "Deployment to Cloudflare Pages failed."
+ exit 1
+ fi
+ - name: 'Generate preview link comment'
+ id: generate_preview_url
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ github.token }}
+ script: |
+ const preview_url = `https://${{github.event.workflow_run.head_branch}}.deriv-com-preview-links.pages.dev`
+ const comment = [
+ `**Preview Link**: ${preview_url}`,
+ '| Name | Result |',
+ '| :--- | :------ |',
+ `| **Build status** | Completed ✅ |`,
+ `| **Preview URL** | [Visit Preview](${preview_url}) |`,
+ ''
+ ].join('\n')
+ core.setOutput("comment", comment);
+ - name: Post Cloudflare Pages Preview comment
+ uses: marocchino/sticky-pull-request-comment@v2
+ with:
+ header: Cloudflare Pages Preview Comment
+ number: ${{steps.pr_information.outputs.issue_number}}
+ message: ${{steps.generate_preview_url.outputs.comment}}
+ recreate: true
diff --git a/.github/workflows/pre-generate-preview-link.yml b/.github/workflows/pre-generate-preview-link.yml
new file mode 100644
index 00000000000..39dcb6a8197
--- /dev/null
+++ b/.github/workflows/pre-generate-preview-link.yml
@@ -0,0 +1,28 @@
+name: Pre-generate preview link
+
+permissions:
+ pull-requests: write
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+concurrency:
+ group: cloudflare-pages-verify-${{ github.head_ref }}
+ cancel-in-progress: true
+
+jobs:
+ verify_pull_request:
+ runs-on: Ubuntu-latest
+ steps:
+ - name: Retrieve PR information
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ echo ${{ github.event.pull_request.user.login }} > ./pr/USERNAME
+
+ - name: Upload PR information to artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: 'pr-${{github.run_id}}'
+ path: pr/
diff --git a/crowdin/messages.json b/crowdin/messages.json
index 0e1dcf1a76b..f846340f1d7 100644
--- a/crowdin/messages.json
+++ b/crowdin/messages.json
@@ -4565,4 +4565,4 @@
 "-1165835520": "employees",
 "-651384976": "nationalities",
 "-1033881248": "See our open positions"
-}
\ No newline at end of file
+}
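Review bot: `branch=${{github.event.workflow_run.head_branch}}` in Publish to Cloudflare Pages, and the same expression inside the template literal in Generate preview link comment, are substituted into a shell script and into JavaScript before the step runs, and the branch name is chosen by the PR author while the Cloudflare secrets sit in that step's environment; the conventional fix is to bind it under the step's `env:` as `HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}` and use `branch="$HEAD_BRANCH"` (and `process.env.HEAD_BRANCH` in the script). `user=$(cat ./USERNAME)` and `$(cat ./NR)` likewise come from an artifact produced by the PR-triggered run and are used unquoted in the curl URL and as the comment target, so quoting them and rejecting anything that is not a plausible login or an integer before use would make the membership gate harder to sidestep. Checkout to repo then checks out `workflow_run.head_sha` and runs `npm ci` / `npm run build` from that ref in a job granted `contents: write` and `actions: write`; `actions/checkout` leaves the job token in `.git/config` unless `persist-credentials: false` is set, so that option belongs on the step. Of the granted permissions only `pull-requests: write` (plus read access for the artifact download) appears to be exercised by the visible steps, so the remaining write scopes could presumably be dropped. The publish step's `preview_url` output, which maps `/` and `_` to `-`, is never read — the comment step rebuilds the URL from the raw branch name, so the two can disagree for branches containing those characters.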
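Review bot: The USERNAME and NR files written by Retrieve PR information are what the downstream Generate preview link workflow reads to decide org membership and which PR receives the comment, yet a `pull_request`-triggered workflow runs the version of this file from the PR's merge commit, so — if I read the trigger semantics correctly — the PR itself can determine what this step writes and the consumer has no way to tell. The consumer would be on firmer ground deriving the author and PR number from the `workflow_run` payload it already receives (for example `github.event.workflow_run.actor.login` together with `head_sha`) or from the API, treating the artifact at most as a hint to re-check. The two `echo` lines also expand `${{ … }}` expressions directly into the shell; binding them under `env:` and writing `echo "$PR_NUMBER" > ./pr/NR` is the conventional form even though these particular values are numeric or constrained. Both new workflows reference actions by mutable major tags (`actions/upload-artifact@v2`, `dawidd6/action-download-artifact@v2`); pinning third-party actions to a commit SHA is the usual supply-chain hardening for workflows that handle secrets.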