Conversation

@pontusab
Contributor

No description provided.

Comment on lines +29 to +74
    name: 🔧 Setup & Cache
    runs-on: ubuntu-latest
    outputs:
      cache-hit: ${{ steps.cache-deps.outputs.cache-hit }}
      turbo-cache-hit: ${{ steps.cache-turbo.outputs.cache-hit }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Cache dependencies (with compression)
        uses: actions/cache@v4
        id: cache-deps
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}
          restore-keys: |
            deps-${{ runner.os }}-
          enableCrossOsArchive: true

      - name: 🚀 Cache Turbo (with compression)
        uses: actions/cache@v4
        id: cache-turbo
        with:
          path: |
            .turbo
            **/dist
            **/.next/cache
          key: turbo-beta-${{ runner.os }}-${{ github.sha }}
          restore-keys: |
            turbo-beta-${{ runner.os }}-
          enableCrossOsArchive: true

      - name: 📦 Install dependencies (with parallel installs)
        if: steps.cache-deps.outputs.cache-hit != 'true'
        run: |
          bun install --frozen-lockfile --concurrent=10

  # Change detection (fast, separate job)
  detect-changes:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, add a permissions block to the root of the workflow file. This block will define the least privileges required for the workflow to function correctly. Based on the provided snippet, the workflow primarily involves reading repository contents for caching and change detection. Therefore, the contents: read permission is sufficient.

The permissions block should be added near the top of the file, after the name field, to apply to all jobs in the workflow that do not have their own permissions block.


Suggested changeset 1
.github/workflows/beta.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@@ -1,2 +1,4 @@
 name: Beta Deployment
+permissions:
+  contents: read
 
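Review bot: the root of the workflow is the right scope for this block, and every beta.yml job shown in this PR (checkout, actions/cache, bun, the Cloudflare deploy and the Slack webhook) runs fine with `contents: read`, so the per-job blocks proposed by the other autofixes become redundant once this lands. Apply only one of the two root-level patches suggested for beta.yml (this one, under `name:`, or the later one before `env:`); applying both leaves two top-level `permissions` keys in the file.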
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
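The condition every CodeQL alert on this PR repeats, as an added example that is not code from the PR or the midday project: a small line-based audit that reports which jobs run with the default GITHUB_TOKEN permissions (a root-level block covers every job that lacks its own) and applies the root-level `contents: read` fix the autofix patches propose. The regex key scanner, the `audit_permissions`/`findings`/`add_root_permissions` helpers and the sample workflow are my own constructions, modelled on the beta.yml snippets above.

```python
"""Audit GitHub Actions workflow text for missing GITHUB_TOKEN permissions blocks."""
import re
from typing import Dict, Iterator, List, Tuple

# A YAML mapping key at the start of a line: captures indentation and key name.
# Hypothetical helper: it does not parse full YAML, only enough key structure
# to tell root keys, job ids and job-level properties apart.
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):(?:\s|$)")


def _keys(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (indent, key) for each non-comment line that introduces a mapping key."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if m:
            yield len(m.group("indent")), m.group("key")


def audit_permissions(text: str) -> Dict[str, object]:
    """Report whether the workflow sets root-level permissions and, per job id,
    whether the job declares a permissions block of its own."""
    root_has = False
    in_jobs = False
    job_indent = None   # indentation of job ids directly under 'jobs:'
    prop_indent = None  # indentation of a job's own properties (runs-on, steps, ...)
    jobs: Dict[str, bool] = {}
    current = None
    for indent, key in _keys(text):
        if indent == 0:
            in_jobs = key == "jobs"
            root_has = root_has or key == "permissions"
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current = key
            jobs[key] = False
            continue
        if current is None:
            continue
        if prop_indent is None:
            prop_indent = indent
        # Deeper keys (with:, filters:, run: | bodies) never sit at prop_indent.
        if indent == prop_indent and key == "permissions":
            jobs[current] = True
    return {"root_permissions": root_has, "jobs": jobs}


def findings(text: str) -> List[str]:
    """Job ids that would run with the default token permissions, which is the
    condition CodeQL's 'Workflow does not contain permissions' check flags."""
    result = audit_permissions(text)
    if result["root_permissions"]:
        return []
    return [job for job, has in result["jobs"].items() if not has]


def add_root_permissions(text: str, block: str = "permissions:\n  contents: read\n") -> str:
    """Autofix-style repair: insert a root permissions block right after the
    top-level 'name:' line, or at the top of the file if there is none."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith("name:"):  # top-level key, column 0
            head = "".join(lines[: i + 1])
            if not head.endswith("\n"):
                head += "\n"
            return head + block + "".join(lines[i + 1 :])
    return block + text


# Constructed sample modelled on the PR's beta.yml: two jobs inherit the default
# token permissions, one declares its own block.
SAMPLE_WORKFLOW = """\
name: Beta Deployment

on:
  push:
    branches: [beta]

jobs:
  setup:
    name: Setup & Cache
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: |
          bun install --frozen-lockfile
          echo "done"
  quality-checks:
    runs-on: ubuntu-latest
    needs: [setup]
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
  post-deployment:
    runs-on: ubuntu-latest
    if: always()
    steps:
      - run: echo "## Beta Deployment Summary" >> $GITHUB_STEP_SUMMARY
"""

if __name__ == "__main__":
    for job in findings(SAMPLE_WORKFLOW):
        print(f"job '{job}' does not limit GITHUB_TOKEN permissions")
    print(findings(add_root_permissions(SAMPLE_WORKFLOW)))  # [] after the root-level fix
```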
Comment on lines +75 to +114
    name: 🔍 Detect Changes
    runs-on: ubuntu-latest
    outputs:
      has-api-changes: ${{ steps.changes.outputs.api }}
      has-dashboard-changes: ${{ steps.changes.outputs.dashboard }}
      has-website-changes: ${{ steps.changes.outputs.website }}
      has-engine-changes: ${{ steps.changes.outputs.engine }}
      has-email-changes: ${{ steps.changes.outputs.email }}
      has-packages-changes: ${{ steps.changes.outputs.packages }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: 🔍 Advanced change detection
        uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            api:
              - 'apps/api/**'
              - 'packages/!(email|ui)/**'
            dashboard:
              - 'apps/dashboard/**'
              - 'packages/**'
            website:
              - 'apps/website/**'
              - 'packages/!(email)/**'
            engine:
              - 'apps/engine/**'
              - 'packages/engine-client/**'
            email:
              - 'packages/email/**'
            packages:
              - 'packages/**'
              - 'turbo.json'
              - 'package.json'

  # Parallel quality checks (matrix build for speed)
  quality-checks:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, we need to add a permissions block to the workflow. This block should be added at the root level of the workflow to apply to all jobs, or it can be added to individual jobs if different permissions are required for each. Based on the workflow's functionality, the minimal permissions required are contents: read, as the jobs primarily read repository contents.

Steps to implement the fix:

  1. Add a permissions block at the root level of the workflow file (.github/workflows/beta.yml) to limit the GITHUB_TOKEN permissions to contents: read.
  2. Ensure that the permissions block is correctly indented and formatted according to YAML syntax.

Suggested changeset 1
.github/workflows/beta.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 env:
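Review bot: duplicate of the root-level suggestion already made for beta.yml, only anchored before `env:` instead of directly under `name:`; apply one of the two, not both, since two top-level `permissions` keys in one file is a duplicate-key error for strict YAML loaders and a silent override for lenient ones.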
EOF
Comment on lines +115 to +214
    name: ${{ matrix.check-name }}
    runs-on: ubuntu-latest
    needs: [setup, detect-changes]
    strategy:
      fail-fast: false
      matrix:
        include:
          - check-name: "🔦 Lint"
            check-type: "lint"
          - check-name: "🪐 TypeScript"
            check-type: "typecheck"
          - check-name: "🧪 Tests"
            check-type: "test"
          - check-name: "🔒 Security"
            check-type: "security"
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Restore dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}

      - name: 🚀 Restore Turbo cache
        uses: actions/cache@v4
        with:
          path: |
            .turbo
            **/dist
            **/.next/cache
          key: turbo-beta-${{ runner.os }}-${{ github.sha }}
          restore-keys: |
            turbo-beta-${{ runner.os }}-

      - name: 📦 Install dependencies (if cache miss)
        if: needs.setup.outputs.cache-hit != 'true'
        run: bun install --frozen-lockfile

      - name: 🏗️ Build dependencies (only for typecheck)
        if: matrix.check-type == 'typecheck'
        run: |
          # Build core dependencies that other packages rely on for TypeScript
          bunx turbo build --filter='@midday/engine-client' --filter='@midday/engine' --filter='@midday/utils' --filter='@midday/ui' --filter='@midday/tsconfig'

      - name: 🔦 Run Lint
        if: matrix.check-type == 'lint'
        run: |
          if [ "${{ github.event.inputs.force_deploy }}" = "true" ]; then
            bunx turbo lint
          else
            bunx turbo lint --filter='[HEAD^1]'
          fi

      - name: 🪐 Run TypeScript Check
        if: matrix.check-type == 'typecheck'
        run: |
          if [ "${{ github.event.inputs.force_deploy }}" = "true" ]; then
            bunx turbo typecheck
          else
            # Include dependencies in TypeScript check to ensure types are available
            bunx turbo typecheck --filter='[HEAD^1]...'
          fi

      - name: 🧪 Run Tests
        if: matrix.check-type == 'test'
        run: |
          if [ "${{ github.event.inputs.force_deploy }}" = "true" ]; then
            bunx turbo test
          else
            bunx turbo test --filter='[HEAD^1]'
          fi

      - name: 🔒 Security Checks
        if: matrix.check-type == 'security'
        run: |
          # Security audit; '|| true' makes this step informational only,
          # so findings at or above 'moderate' do not fail the job
          bun audit --audit-level moderate || true
          echo "Security audit completed"

      - name: 🔍 Secret Scanning
        if: matrix.check-type == 'security'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
          head: HEAD
          extra_args: --debug --only-verified
        continue-on-error: true

  # Build shared artifacts (parallelized)
  build-shared:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, we need to add a permissions block to the quality-checks job to explicitly limit the permissions of the GITHUB_TOKEN. Since the job does not require write access, we can set the permissions to contents: read. This ensures that the job has only the access it needs to perform its tasks.

The changes should be made in the .github/workflows/beta.yml file, specifically within the quality-checks job definition. No additional imports, methods, or definitions are required.


Suggested changeset 1
.github/workflows/beta.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@@ -117,2 +117,4 @@
     needs: [setup, detect-changes]
+    permissions:
+      contents: read
     strategy:
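Review bot: a job-level block is only needed if the root-level block suggested for beta.yml is not adopted; if it is kept, `contents: read` is still the correct value for quality-checks, because `bun audit` and the trufflehog step (which diffs the checked-out tree between `base: main` and `head: HEAD`) do not call the GitHub API with GITHUB_TOKEN.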
EOF
Comment on lines +215 to +265
    name: 🏗️ Build Shared
    runs-on: ubuntu-latest
    needs: [setup, detect-changes, quality-checks]
    if: needs.quality-checks.result == 'success' && (needs.detect-changes.outputs.has-engine-changes == 'true' || needs.detect-changes.outputs.has-packages-changes == 'true' || github.event.inputs.force_deploy == 'true')
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Restore dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}

      - name: 🚀 Restore Turbo cache
        uses: actions/cache@v4
        with:
          path: |
            .turbo
            **/dist
            **/.next/cache
          key: turbo-beta-${{ runner.os }}-${{ github.sha }}
          restore-keys: |
            turbo-beta-${{ runner.os }}-

      - name: 🏗️ Build Engine and Dependencies (parallel)
        run: |
          # Build all core packages in parallel with optimal concurrency
          bunx turbo build --filter=@midday/engine --filter=@midday/engine-client --filter=@midday/utils --filter=@midday/ui --concurrency=50%

      - name: 📦 Cache Engine build
        uses: actions/cache@v4
        with:
          path: apps/engine/dist
          key: engine-build-beta-${{ github.sha }}

      - name: 📦 Cache Core Packages
        uses: actions/cache@v4
        with:
          path: |
            packages/engine-client/dist
            packages/utils/dist
            packages/ui/dist
          key: core-packages-beta-${{ github.sha }}

  # Deploy Engine first (dependency for other apps)
  deploy-engine:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, add a permissions block to the Build Shared job to explicitly limit the permissions of the GITHUB_TOKEN. Since the job primarily interacts with repository contents (e.g., checking out code and caching dependencies), the contents: read permission is sufficient. This ensures the job has only the minimal permissions required to complete its tasks.

The permissions block should be added under the build-shared job definition, ensuring it applies only to this job.

Suggested changeset 1
.github/workflows/beta.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@@ -218,2 +218,4 @@
     if: needs.quality-checks.result == 'success' && (needs.detect-changes.outputs.has-engine-changes == 'true' || needs.detect-changes.outputs.has-packages-changes == 'true' || github.event.inputs.force_deploy == 'true')
+    permissions:
+      contents: read
     steps:
EOF
Comment on lines 266 to 327
    name: 🚀 Deploy Engine (Beta)
    runs-on: ubuntu-latest
    needs: [detect-changes, quality-checks, build-shared]
    if: needs.quality-checks.result == 'success' && (needs.detect-changes.outputs.has-engine-changes == 'true' || github.event.inputs.force_deploy == 'true') && (needs.build-shared.result == 'success' || needs.build-shared.result == 'skipped')
    environment: beta
    outputs:
      deployment-url: ${{ steps.deploy.outputs.deployment-url }}
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Restore Engine build
        uses: actions/cache@v4
        with:
          path: apps/engine/dist
          key: engine-build-beta-${{ github.sha }}

      - name: 📦 Restore Core Packages
        uses: actions/cache@v4
        with:
          path: |
            packages/engine-client/dist
            packages/utils/dist
            packages/ui/dist
          key: core-packages-beta-${{ github.sha }}

      - name: 📦 Restore dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}

      - name: 🚀 Deploy to Cloudflare (Staging)
        id: deploy
        uses: cloudflare/wrangler-action@v3
        with:
          packageManager: bun
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          workingDirectory: "apps/engine"
          wranglerVersion: "3.93.0"
          command: deploy --minify src/index.ts --env staging

      - name: 🏥 Health check
        run: |
          sleep 30
          curl -f https://staging-engine.midday.ai/health || echo "Health check failed, but continuing..."

      - name: 📢 Deployment notification
        if: always()
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
        continue-on-error: true

  # Deploy API second (dependency for dashboard)
  deploy-api:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, add an explicit permissions block to the deploy-engine job. This block should specify the minimal permissions required for the job to function correctly. Based on the operations performed in the job, the contents: read permission is sufficient for most steps, while additional permissions (e.g., deployments: write) may be required for deployment-related tasks.

The permissions block should be added directly under the deploy-engine job definition, ensuring it applies only to this job. This approach avoids affecting other jobs in the workflow.


Suggested changeset 1
.github/workflows/beta.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@@ -270,2 +270,5 @@
     environment: beta
+    permissions:
+      contents: read
+      deployments: write
     outputs:
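Review bot: drop `deployments: write`; nothing in deploy-engine uses GITHUB_TOKEN against the deployments API. The deploy step authenticates to Cloudflare with `secrets.CLOUDFLARE_API_TOKEN`, the health check is a plain curl, and the Slack step uses a webhook secret, while the deployment record that `environment: beta` produces is created by Actions itself and does not need this scope. `contents: read` on its own is the least-privilege setting for this job.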
EOF
Comment on lines 349 to 414
    name: 🚀 Deploy Dashboard
    runs-on: ubuntu-latest
    needs: [security-quality, deploy-api]
    if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-dashboard-changes == 'true' || github.event.inputs.force_deploy == 'true') && (needs.deploy-api.result == 'success' || needs.deploy-api.result == 'skipped')
    environment: production
    env:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_DASHBOARD }}
    outputs:
      deployment-url: ${{ steps.deploy.outputs.deployment-url }}
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Restore dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}

      - name: 📦 Restore Engine build
        uses: actions/cache@v4
        with:
          path: apps/engine/dist
          key: engine-build-${{ github.sha }}

      - name: 📤 Pull Vercel Environment
        run: bunx vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}

      - name: 🏗️ Build Dashboard
        run: bunx vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}

      - name: 🔄 Deploy Background Jobs
        env:
          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
        run: |
          TRIGGER_PROJECT_ID=${{ secrets.TRIGGER_PROJECT_ID }} bunx [email protected] deploy
        working-directory: packages/jobs

      - name: 🚀 Deploy to Vercel
        id: deploy
        run: |
          url=$(bunx vercel deploy --prebuilt --prod --archive=tgz --token=${{ secrets.VERCEL_TOKEN }})
          bunx vercel alias --scope=${{ secrets.VERCEL_ORG_ID }} --token=${{ secrets.VERCEL_TOKEN }} set $url app.midday.ai
          echo "deployment-url=https://app.midday.ai" >> $GITHUB_OUTPUT

      - name: 🏥 Health check
        run: |
          sleep 30
          curl -f https://app.midday.ai/api/health || exit 1

      - name: 📢 Deployment notification
        if: always()
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
        continue-on-error: true

  # Deploy Website (parallel with Dashboard)
  deploy-website:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, we will add an explicit permissions block to the deploy-dashboard job. This block will define the minimal permissions required for the job to function correctly. Based on the job's steps, it primarily interacts with the repository contents and uses secrets for deployment. Therefore, we will set contents: read to allow read-only access to the repository contents. If additional permissions are required (e.g., pull-requests: write), they can be added as needed.

The permissions block will be added under the deploy-dashboard job definition, ensuring it applies only to this job.


Suggested changeset 1
.github/workflows/production.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -341,2 +341,4 @@
     needs: [security-quality, deploy-api]
+    permissions:
+      contents: read
     if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-dashboard-changes == 'true' || github.event.inputs.force_deploy == 'true') && (needs.deploy-api.result == 'success' || needs.deploy-api.result == 'skipped')
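Review bot: `contents: read` is all deploy-dashboard needs, so do not take up the `pull-requests: write` the autofix text floats as a possible addition; the Vercel and Trigger.dev steps authenticate with `VERCEL_TOKEN` and `TRIGGER_ACCESS_TOKEN`, the alias and health-check steps never touch GITHUB_TOKEN. Like the other job-level hunks for production.yml, this one becomes redundant if the root-level block proposed for that file is applied instead.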
EOF
Comment on lines 415 to 470
    name: 🚀 Deploy Website
    runs-on: ubuntu-latest
    needs: security-quality
    if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-website-changes == 'true' || github.event.inputs.force_deploy == 'true')
    environment: production
    env:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_WEBSITE }}
    outputs:
      deployment-url: ${{ steps.deploy.outputs.deployment-url }}
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Restore dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}

      - name: 📤 Pull Vercel Environment
        run: bunx vercel env pull .env --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}

      - name: 📤 Pull Vercel Project Config
        run: bunx vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}

      - name: 🏗️ Build Website
        run: bunx vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}

      - name: 🚀 Deploy to Vercel
        id: deploy
        run: |
          url=$(bunx vercel deploy --prebuilt --prod --archive=tgz --token=${{ secrets.VERCEL_TOKEN }})
          bunx vercel alias --scope=${{ secrets.VERCEL_ORG_ID }} --token=${{ secrets.VERCEL_TOKEN }} set $url midday.ai
          echo "deployment-url=https://midday.ai" >> $GITHUB_OUTPUT

      - name: 🏥 Health check
        run: |
          sleep 30
          curl -f https://midday.ai || exit 1

      - name: 📢 Deployment notification
        if: always()
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
        continue-on-error: true

  # Deploy Email (parallel with other apps)
  deploy-email:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, we will add a permissions block to the deploy-website job in the workflow file. This block will explicitly define the minimal permissions required for the job. Based on the job's steps, it primarily interacts with the repository contents and does not appear to require write access. Therefore, we will set contents: read as the permission. If additional permissions are required for specific actions, they can be added as needed.


Suggested changeset 1
.github/workflows/production.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -402,2 +402,4 @@
     needs: security-quality
+    permissions:
+      contents: read
     if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-website-changes == 'true' || github.event.inputs.force_deploy == 'true')
EOF
Comment on lines 471 to 526
    name: 🚀 Deploy Email
    runs-on: ubuntu-latest
    needs: security-quality
    if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-email-changes == 'true' || github.event.inputs.force_deploy == 'true')
    environment: production
    env:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_EMAIL }}
    outputs:
      deployment-url: ${{ steps.deploy.outputs.deployment-url }}
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 Restore dependencies
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            ~/.bun/install/cache
          key: deps-${{ runner.os }}-${{ hashFiles('**/bun.lock', '**/package.json') }}

      - name: 📤 Pull Vercel Environment
        run: bunx vercel env pull .env --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}

      - name: 📤 Pull Vercel Project Config
        run: bunx vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}

      - name: 🏗️ Build Email
        run: bunx vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}

      - name: 🚀 Deploy to Vercel
        id: deploy
        run: |
          url=$(bunx vercel deploy --prebuilt --prod --archive=tgz --token=${{ secrets.VERCEL_TOKEN }})
          bunx vercel alias --scope=${{ secrets.VERCEL_ORG_ID }} --token=${{ secrets.VERCEL_TOKEN }} set $url email.midday.ai
          echo "deployment-url=https://email.midday.ai" >> $GITHUB_OUTPUT

      - name: 🏥 Health check
        run: |
          sleep 30
          curl -f https://email.midday.ai || exit 1

      - name: 📢 Deployment notification
        if: always()
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
        continue-on-error: true

  # Post-deployment validation and monitoring
  post-deployment:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, we will add a permissions block to the Deploy Email job. This block will explicitly define the minimal permissions required for the job. Based on the job's steps, it appears that the job does not require write access to the repository contents. Therefore, we will set contents: read as the permission. If additional permissions are required in the future, they can be added explicitly.


Suggested changeset 1
.github/workflows/production.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -453,2 +453,4 @@
     needs: security-quality
+    permissions:
+      contents: read
     if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-email-changes == 'true' || github.event.inputs.force_deploy == 'true')
EOF
Comment on lines +550 to +591
    name: 📊 Post-Deployment
    runs-on: ubuntu-latest
    # The needs context only exposes the result and outputs of jobs listed here;
    # the summary and notification below also read detect-changes, deploy-website
    # and deploy-email, which would otherwise evaluate to empty strings.
    needs: [detect-changes, deploy-engine, deploy-api, deploy-dashboard, deploy-website, deploy-email]
    if: always()
    steps:
      - name: 🔍 Integration tests
        run: |
          echo "Running integration tests..."
          # Add integration test commands here

      - name: 📊 Performance monitoring
        run: |
          echo "Setting up performance monitoring..."
          # Add performance monitoring setup

      - name: 📈 Deployment metrics
        run: |
          echo "## Beta Deployment Summary" >> $GITHUB_STEP_SUMMARY
          echo "| Service | Status | URL | Changes |" >> $GITHUB_STEP_SUMMARY
          echo "|---------|--------|-----|---------|" >> $GITHUB_STEP_SUMMARY
          echo "| Engine | ${{ needs.deploy-engine.result || 'Skipped' }} | ${{ needs.deploy-engine.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-engine-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| API | ${{ needs.deploy-api.result || 'Skipped' }} | ${{ needs.deploy-api.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-api-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Dashboard | ${{ needs.deploy-dashboard.result || 'Skipped' }} | ${{ needs.deploy-dashboard.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-dashboard-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Website | ${{ needs.deploy-website.result || 'Skipped' }} | ${{ needs.deploy-website.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-website-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Email | ${{ needs.deploy-email.result || 'Skipped' }} | ${{ needs.deploy-email.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-email-changes }} |" >> $GITHUB_STEP_SUMMARY

      - name: 📢 Final deployment notification
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
          text: |
            🚀 Beta deployment completed!

            **Deployed Services:**
            ${{ needs.deploy-engine.result == 'success' && '✅ Engine' || '❌ Engine' }}
            ${{ needs.deploy-api.result == 'success' && '✅ API' || '❌ API' }}
            ${{ needs.deploy-dashboard.result == 'success' && '✅ Dashboard' || '❌ Dashboard' }}
            ${{ needs.deploy-website.result == 'success' && '✅ Website' || '❌ Website' }}
            ${{ needs.deploy-email.result == 'success' && '✅ Email' || '❌ Email' }}
        continue-on-error: true

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 months ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the GITHUB_TOKEN to perform its tasks. Since the post-deployment job primarily involves notifications and summary generation, it likely only requires contents: read permissions.

The permissions block can be added at the root level of the workflow to apply to all jobs or specifically to the post-deployment job. For this fix, we will add the permissions block to the post-deployment job to limit its scope.


Suggested changeset 1
.github/workflows/beta.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/beta.yml b/.github/workflows/beta.yml
--- a/.github/workflows/beta.yml
+++ b/.github/workflows/beta.yml
@@ -553,2 +553,4 @@
     if: always()
+    permissions:
+      contents: read
     steps:
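Review bot: CodeQL's own suggested starting point for this job is `{}`, not `contents: read` (see the alert text above), and that is the tighter choice here: post-deployment never checks out the repository, it only appends to $GITHUB_STEP_SUMMARY and posts to a Slack webhook, neither of which uses GITHUB_TOKEN. Suggest `permissions: {}` so the token carries no scopes at all in this job.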
EOF
Comment on lines +502 to +546
    name: 📊 Post-Deployment
    runs-on: ubuntu-latest
    # The needs context only exposes the result and outputs of jobs listed here;
    # the summary and notification below also read security-quality, deploy-website
    # and deploy-email, which would otherwise evaluate to empty strings.
    needs: [security-quality, deploy-engine, deploy-api, deploy-dashboard, deploy-website, deploy-email]
    if: always()
    steps:
      - name: 🔍 Integration tests
        run: |
          echo "Running integration tests..."
          # Add integration test commands here

      - name: 📊 Performance monitoring
        run: |
          echo "Setting up performance monitoring..."
          # Add performance monitoring setup

      - name: 📈 Deployment metrics
        run: |
          echo "## Production Deployment Summary" >> $GITHUB_STEP_SUMMARY
          echo "| Service | Status | URL | Changes |" >> $GITHUB_STEP_SUMMARY
          echo "|---------|--------|-----|---------|" >> $GITHUB_STEP_SUMMARY
          echo "| Engine | ${{ needs.deploy-engine.result || 'Skipped' }} | ${{ needs.deploy-engine.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-engine-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| API | ${{ needs.deploy-api.result || 'Skipped' }} | ${{ needs.deploy-api.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-api-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Dashboard | ${{ needs.deploy-dashboard.result || 'Skipped' }} | ${{ needs.deploy-dashboard.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-dashboard-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Website | ${{ needs.deploy-website.result || 'Skipped' }} | ${{ needs.deploy-website.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-website-changes }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Email | ${{ needs.deploy-email.result || 'Skipped' }} | ${{ needs.deploy-email.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-email-changes }} |" >> $GITHUB_STEP_SUMMARY

      - name: 📢 Final deployment notification
        uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
          text: |
            🎉 Production deployment completed!

            **Deployed Services:**
            ${{ needs.deploy-engine.result == 'success' && '✅ Engine' || '❌ Engine' }}
            ${{ needs.deploy-api.result == 'success' && '✅ API' || '❌ API' }}
            ${{ needs.deploy-dashboard.result == 'success' && '✅ Dashboard' || '❌ Dashboard' }}
            ${{ needs.deploy-website.result == 'success' && '✅ Website' || '❌ Website' }}
            ${{ needs.deploy-email.result == 'success' && '✅ Email' || '❌ Email' }}
        continue-on-error: true

  # Rollback job (runs on failure)
  rollback:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 months ago

To fix the issue, we will add a permissions block at the root of the workflow file. This block will define the minimal permissions required for the workflow to function correctly. Based on the workflow's operations, such as checking out code, caching dependencies, and deploying to Vercel, the contents: read permission is sufficient for most steps. If specific steps require additional permissions (e.g., pull-requests: write), they can be added explicitly.


Suggested changeset 1
.github/workflows/production.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 env:
EOF
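Review bot: a root-level `permissions: contents: read` is the right default, but check that no job writes through GITHUB_TOKEN before merging it: the root block replaces the default token grant for every job, so the `environment: production` jobs and any step that creates deployments, commit statuses or PR comments would then need a job-level `permissions:` block of their own or fail with a 403. The Slack steps are unaffected, since they authenticate with `secrets.SLACK_WEBHOOK_URL` rather than the token. Note also that this changeset and the second autofix on this page both edit the same two lines of production.yml, so only one of the two patches can be applied.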
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +547 to +565
name: 🔄 Rollback
runs-on: ubuntu-latest
needs: [deploy-engine, deploy-api, deploy-dashboard]
if: failure()
environment: production
steps:
- name: 🔄 Initiate rollback
run: |
echo "⚠️ Deployment failed. Initiating rollback..."
# Add rollback commands here

- name: 📢 Rollback notification
uses: 8398a7/action-slack@v3
with:
status: 'warning'
channel: '#deployments'
webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
text: "🔄 Production deployment failed. Rollback initiated."
continue-on-error: true No newline at end of file

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 months ago

To fix the issue, we will add a permissions block at the root of the workflow file. This block will define the minimal permissions required for the workflow to function correctly. Based on the provided workflow, it appears that the workflow primarily interacts with deployment-related secrets and sends notifications. Therefore, we will set contents: read and statuses: write as the minimal permissions required. If additional permissions are needed for specific jobs, they can be defined within those jobs.


Suggested changeset 1
.github/workflows/production.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -2,2 +2,6 @@
 
+permissions:
+  contents: read
+  statuses: write
+
 env:
EOF
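Review bot: the `+  statuses: write` line in this hunk is not justified by anything visible in the workflow: the rollback job only echoes a message and posts to Slack via a webhook, and neither the summary nor the notification steps call the commit-status API. Dropping that line leaves `contents: read`, identical to the first autofix, and keeps the token at the minimum CodeQL asks for; if a job really does need to set commit statuses, grant `statuses: write` in that job's own `permissions:` block rather than at the root.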

@cursor cursor bot left a comment


Bug: Missing Job Dependencies Cause Workflow Failures

The post-deployment job in both beta.yml and production.yml attempts to access outputs from change detection, deploy-website, and deploy-email jobs. However, these jobs are not declared in its needs array, leading to workflow failures or inaccurate deployment summaries and notifications.

.github/workflows/beta.yml#L551-L575

runs-on: ubuntu-latest
needs: [deploy-engine, deploy-api, deploy-dashboard]
if: always()
steps:
- name: 🔍 Integration tests
run: |
echo "Running integration tests..."
# Add integration test commands here
- name: 📊 Performance monitoring
run: |
echo "Setting up performance monitoring..."
# Add performance monitoring setup
- name: 📈 Deployment metrics
run: |
echo "## Beta Deployment Summary" >> $GITHUB_STEP_SUMMARY
echo "| Service | Status | URL | Changes |" >> $GITHUB_STEP_SUMMARY
echo "|---------|--------|-----|---------|" >> $GITHUB_STEP_SUMMARY
echo "| Engine | ${{ needs.deploy-engine.result || 'Skipped' }} | ${{ needs.deploy-engine.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-engine-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| API | ${{ needs.deploy-api.result || 'Skipped' }} | ${{ needs.deploy-api.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-api-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| Dashboard | ${{ needs.deploy-dashboard.result || 'Skipped' }} | ${{ needs.deploy-dashboard.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-dashboard-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| Website | ${{ needs.deploy-website.result || 'Skipped' }} | ${{ needs.deploy-website.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-website-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| Email | ${{ needs.deploy-email.result || 'Skipped' }} | ${{ needs.deploy-email.outputs.deployment-url || 'N/A' }} | ${{ needs.detect-changes.outputs.has-email-changes }} |" >> $GITHUB_STEP_SUMMARY

.github/workflows/production.yml#L503-L526

runs-on: ubuntu-latest
needs: [deploy-engine, deploy-api, deploy-dashboard]
if: always()
steps:
- name: 🔍 Integration tests
run: |
echo "Running integration tests..."
# Add integration test commands here
- name: 📊 Performance monitoring
run: |
echo "Setting up performance monitoring..."
# Add performance monitoring setup
- name: 📈 Deployment metrics
run: |
echo "## Production Deployment Summary" >> $GITHUB_STEP_SUMMARY
echo "| Service | Status | URL | Changes |" >> $GITHUB_STEP_SUMMARY
echo "|---------|--------|-----|---------|" >> $GITHUB_STEP_SUMMARY
echo "| Engine | ${{ needs.deploy-engine.result || 'Skipped' }} | ${{ needs.deploy-engine.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-engine-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| API | ${{ needs.deploy-api.result || 'Skipped' }} | ${{ needs.deploy-api.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-api-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| Dashboard | ${{ needs.deploy-dashboard.result || 'Skipped' }} | ${{ needs.deploy-dashboard.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-dashboard-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| Website | ${{ needs.deploy-website.result || 'Skipped' }} | ${{ needs.deploy-website.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-website-changes }} |" >> $GITHUB_STEP_SUMMARY
echo "| Email | ${{ needs.deploy-email.result || 'Skipped' }} | ${{ needs.deploy-email.outputs.deployment-url || 'N/A' }} | ${{ needs.security-quality.outputs.has-email-changes }} |" >> $GITHUB_STEP_SUMMARY

.github/workflows/beta.yml#L585-L590

**Deployed Services:**
${{ needs.deploy-engine.result == 'success' && '✅ Engine' || '❌ Engine' }}
${{ needs.deploy-api.result == 'success' && '✅ API' || '❌ API' }}
${{ needs.deploy-dashboard.result == 'success' && '✅ Dashboard' || '❌ Dashboard' }}
${{ needs.deploy-website.result == 'success' && '✅ Website' || '❌ Website' }}
${{ needs.deploy-email.result == 'success' && '✅ Email' || '❌ Email' }}

.github/workflows/production.yml#L537-L542

**Deployed Services:**
${{ needs.deploy-engine.result == 'success' && '✅ Engine' || '❌ Engine' }}
${{ needs.deploy-api.result == 'success' && '✅ API' || '❌ API' }}
${{ needs.deploy-dashboard.result == 'success' && '✅ Dashboard' || '❌ Dashboard' }}
${{ needs.deploy-website.result == 'success' && '✅ Website' || '❌ Website' }}
${{ needs.deploy-email.result == 'success' && '✅ Email' || '❌ Email' }}



Bug: Redundant `always()` Usage in Conditional Logic

The always() function is incorrectly used within a boolean expression in the if conditions of the deploy-engine jobs in both beta.yml and production.yml. When used as (always() && ...), it is redundant as always() evaluates to true, making the entire sub-expression equivalent to just (...). always() should be used as a standalone condition, not as part of a logical AND.

.github/workflows/production.yml#L244-L245

needs: [security-quality, build-shared]
if: needs.security-quality.result == 'success' && (needs.security-quality.outputs.has-engine-changes == 'true' || github.event.inputs.force_deploy == 'true') && (always() && (needs.build-shared.result == 'success' || needs.build-shared.result == 'skipped' || !needs.build-shared.result))

.github/workflows/beta.yml#L268-L269

needs: [detect-changes, quality-checks, build-shared]
if: needs.quality-checks.result == 'success' && (needs.detect-changes.outputs.has-engine-changes == 'true' || github.event.inputs.force_deploy == 'true') && (always() && (needs.build-shared.result == 'success' || needs.build-shared.result == 'skipped' || !needs.build-shared.result))



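As an added detection example (not code from this PR or the project), a small Python lint that flags the two findings raised on this page in a constructed workflow excerpt: a missing top-level `permissions:` block (the CodeQL warning) and `needs.<job>` references to jobs that are absent from that job's `needs` list (the first Cursor finding). It assumes flow-style `needs: [...]` lists and that `permissions:` precedes `jobs:`, as in the autofix patches.

```python
import re
# Constructed workflow excerpt modelled on the post-deployment job discussed in this
# review (not the project's beta.yml): outputs are read from jobs missing from `needs`.
WORKFLOW = """\
name: Beta
on: [push]
jobs:
  detect-changes:
    runs-on: ubuntu-latest
  deploy-engine:
    runs-on: ubuntu-latest
    needs: [detect-changes]
  post-deployment:
    runs-on: ubuntu-latest
    needs: [deploy-engine, deploy-api, deploy-dashboard]
    if: always()
    steps:
      - run: echo "${{ needs.deploy-engine.result }} ${{ needs.detect-changes.outputs.has-engine-changes }}"
      - run: echo "${{ needs.deploy-website.result || 'Skipped' }}"
"""

JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")     # job id at 2-space indent under jobs:
NEEDS_RE = re.compile(r"^\s+needs:\s*\[([^\]]*)\]")    # flow-style needs list only (assumption)
REF_RE = re.compile(r"needs\.([A-Za-z_][\w-]*)\.")     # needs.<job>.result / needs.<job>.outputs

def lint_workflow(text):
    """Return (has_root_permissions, {job: sorted jobs referenced but not declared in needs})."""
    has_perms, in_jobs, job = False, False, None
    declared, referenced = {}, {}
    for line in text.splitlines():
        if not in_jobs:                          # top-level keys; assumes permissions: precedes jobs:
            has_perms |= line.startswith("permissions:")
            in_jobs = line.startswith("jobs:")
            continue
        m = JOB_RE.match(line)
        if m:                                    # new job id: start fresh collectors
            job = m.group(1)
            declared[job], referenced[job] = set(), set()
            continue
        if job is None:
            continue
        m = NEEDS_RE.match(line)
        if m:
            declared[job] |= {n.strip() for n in m.group(1).split(",") if n.strip()}
        referenced[job] |= set(REF_RE.findall(line))   # every needs.<job>. on this line
    missing = {j: sorted(referenced[j] - declared[j])
               for j in declared if referenced[j] - declared[j]}
    return has_perms, missing
```

Running `lint_workflow(WORKFLOW)` reports the absent root `permissions:` block and lists `deploy-website` and `detect-changes` as undeclared dependencies of `post-deployment`; once both are fixed the same call returns `(True, {})`.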


2 participants