Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file removed .cursor/hooks/__pycache__/_common.cpython-313.pyc
Binary file not shown.
12 changes: 6 additions & 6 deletions .github/workflows/cd-promote-production.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
SKIP_ENV_VALIDATION: "1"
steps:
- name: Checkout
uses: actions/checkout@v7.0.0
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Validate inputs
env:
Expand All @@ -59,18 +59,18 @@ jobs:

- name: Setup Node (Vercel prebuilt)
if: ${{ github.event.inputs.deploy_vercel == 'true' }}
uses: actions/setup-node@v6
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: "22"
cache: npm

- name: Install dependencies
if: ${{ github.event.inputs.deploy_vercel == 'true' }}
run: npm ci
run: npx npm@10.9.2 ci

- name: Install Vercel CLI
if: ${{ github.event.inputs.deploy_vercel == 'true' }}
run: npm install --global vercel@latest
run: npm install --global vercel@55.0.0

- name: Pull Vercel env (production)
if: ${{ github.event.inputs.deploy_vercel == 'true' }}
Expand Down Expand Up @@ -98,14 +98,14 @@ jobs:

- name: Configure AWS credentials (OIDC)
if: ${{ github.event.inputs.rollout_eks == 'true' }}
uses: aws-actions/configure-aws-credentials@v6
uses: aws-actions/configure-aws-credentials@517a711dbcd0e402f90c77e7e2f81e849156e31d # v6
with:
role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
aws-region: ${{ vars.AWS_REGION }}

- name: Install kubectl
if: ${{ github.event.inputs.rollout_eks == 'true' }}
uses: azure/setup-kubectl@v5
uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5

- name: kubeconfig (EKS)
if: ${{ github.event.inputs.rollout_eks == 'true' }}
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,12 @@ jobs:
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v4
uses: github/codeql-action/autobuild@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
13 changes: 8 additions & 5 deletions .github/workflows/docker-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,17 +27,20 @@ on:

permissions:
contents: read
packages: write
id-token: write
attestations: write
artifact-metadata: write

env:
IMAGE_NAME: ehs-web

jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
attestations: write
artifact-metadata: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # GHCR requires lowercase org/repo in image URL paths.
- name: Image coordinates
Expand All @@ -56,7 +59,7 @@ jobs:

- name: Build and push
id: push
uses: docker/build-push-action@v7
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7
with:
context: .
push: true
Expand All @@ -69,7 +72,7 @@ jobs:
cache-to: type=gha,mode=max

- name: Attest provenance (SLSA-aligned)
uses: actions/attest-build-provenance@v4
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4
with:
subject-name: ${{ steps.image.outputs.registry }}
subject-digest: ${{ steps.push.outputs.digest }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/docs-link-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ jobs:
link-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Markdown link check
uses: lycheeverse/lychee-action@v2
uses: lycheeverse/lychee-action@e7477775783ea5526144ba13e8db5eec57747ce8 # v2
with:
args: >-
--no-progress
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,15 @@ concurrency:
group: semantic-release-${{ github.repository }}
cancel-in-progress: false

permissions:
contents: write
issues: write
pull-requests: write
permissions: read-all

jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
pull-requests: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ jobs:
publish_results: true

- if: always()
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
sarif_file: results.sarif
category: scorecard
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,10 @@
/playwright-report/
/blob-report/

# Cursor (keep skills/rules tracked; omit local logs)
# Cursor (keep skills/rules tracked; omit local logs and bytecode)
.cursor/*.log
.cursor/**/__pycache__/
*.pyc

# next.js
/.next/
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
# env at runtime → ConfigMap + Secret (never commit raw Secret YAML with data)
# =============================================================================

FROM node:22-bookworm-slim AS base
FROM node:22-bookworm-slim@sha256:53ada149d435c38b14476cb57e4a7da73c15595aba79bd6971b547ceb6d018bf AS base
WORKDIR /app
# Disable Next telemetry in CI/images unless org policy wants it.
ENV NEXT_TELEMETRY_DISABLED=1
Expand Down
Loading