fix(security): hardens auth, XSS, rate limiting, and repo posture #117
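name: CI

on:
  pull_request:

# Least privilege: the job token can only read repository contents.
# Nothing in this workflow writes to the repo, issues, or packages.
permissions:
  contents: read

jobs:
  ci:
    runs-on: ubuntu-latest
    # Bound the whole job so a hung browser/E2E step cannot hold a runner indefinitely.
    timeout-minutes: 30
    steps:
      # Third-party actions are pinned to a full commit SHA (the tag is only a
      # trailing comment) so a moved or re-pointed tag cannot change what runs.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 24
          cache: pnpm
      # --frozen-lockfile refuses to resolve anything not already in pnpm-lock.yaml,
      # so a PR cannot silently pull a different dependency graph than the one reviewed.
      - run: pnpm install --frozen-lockfile
      - name: Verify CSP inline script hash
        # Explicit bash shell: GitHub then runs the script with `-eo pipefail`.
        # The default `bash -e` ignores a failure of openssl/base64 in the middle
        # of the hash pipeline and would compare against an empty hash.
        shell: bash
        run: |
          # The sed pattern only matches an opening and closing tag on the SAME
          # line and is greedy, so a multi-line inline script yields an empty
          # capture and two inline scripts on one line yield a merged capture.
          # Both cases are rejected explicitly below instead of producing a
          # misleading "hash mismatch".
          SCRIPT_TAGS=$(grep -c '<script>' index.html || true)
          if [ "$SCRIPT_TAGS" -ne 1 ]; then
            echo "::error::Expected exactly one inline <script> tag in index.html, found $SCRIPT_TAGS"
            exit 1
          fi
          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
          if [ -z "$SCRIPT" ]; then
            echo "::error::Inline <script>...</script> in index.html must open and close on one line for this check to hash it"
            exit 1
          fi
          # CSP hashes cover the exact script text with no trailing newline, hence printf '%s'.
          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
          # Fixed-string match: base64 output contains '+' and '/' which must not be
          # interpreted as pattern characters. NOTE(review): this only confirms the
          # hash string appears somewhere in public/_headers, not that it sits in
          # the script-src directive of the Content-Security-Policy header.
          if ! grep -qF -- "sha256-$HASH" public/_headers; then
            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
            exit 1
          fi
          echo "CSP hash verified: sha256-$HASH"
      - run: pnpm run typecheck
      - run: pnpm test
      - name: Install Playwright browsers
        # `pnpm exec` runs the lockfile-pinned playwright binary and fails if it
        # is not installed; `npx` would fall back to fetching the latest release
        # from the registry when no local binary exists.
        run: pnpm exec playwright install chromium --with-deps
      - name: Run E2E tests
        run: pnpm test:e2e
        env:
          # Repository *variable*, not a secret: an OAuth client ID is public by
          # design, so exposing it to PR builds is acceptable.
          VITE_GITHUB_CLIENT_ID: ${{ vars.VITE_GITHUB_CLIENT_ID }}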