Integrate Firebase Hosting for automated deployment (#45) #60
devin-ai-integration[bot] wants to merge 1 commit into
Commit message:

- Add firebase.json with SPA rewrites and cache headers for Vite dist/ output
- Add .firebaserc with default project configuration
- Add GitHub Actions workflow for production deploy on main branch push
- Add GitHub Actions workflow for PR preview deployments
- Add deploy and deploy:preview npm scripts
- Add .firebase/ to .gitignore
- Update README with deployment instructions and required secrets

Closes #45

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
CodeRabbit walkthrough: Firebase Hosting is configured via new …
Changes: Firebase Hosting Deployment Setup
Estimated code review effort: 2 (Simple), ~10 minutes
Pre-merge checks: 5 passed
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/firebase-deploy.yml:
- Around line 21-23: Pin the GitHub Actions to specific commit hashes instead of
version tags for supply-chain security. Replace the version tags (such as `@v4` in
actions/checkout and `@v0` in other actions) with their corresponding full commit
hashes throughout the workflow file. Look up the exact commit hash for each
action version from the respective action repositories on GitHub, then update
each uses statement to reference the immutable commit hash instead of the
mutable version tag to ensure reproducible and auditable CI/CD deployments.
- Around line 21-23: The checkout action using `actions/checkout@v4` is missing
the `persist-credentials: false` configuration which leaves Git credentials in
the workflow's git config. Add `persist-credentials: false` as a parameter to
the checkout action to prevent credentials from being persisted and potentially
exposed in logs or artifacts if a later workflow step is compromised.
In @.github/workflows/firebase-preview.yml:
- Around line 22-23: Pin the GitHub Actions in the firebase-preview.yml workflow
to specific commit hashes instead of version tags for supply-chain security.
Replace the unpinned action references (actions/checkout@v4 and any other
actions in the sections spanning lines 25-29 and 46-50) with their corresponding
full commit hash format (e.g., actions/checkout@<hash>). Use the same commit
hashes that are already applied in the production workflow to maintain
consistency across all CI/CD workflows.
- Around line 22-23: The Checkout step using actions/checkout@v4 is missing the
persist-credentials: false parameter, which leaves Git credentials in the git
config after checkout completes. Add the persist-credentials: false input
parameter to the checkout action to prevent credentials from being persisted in
the git configuration, mitigating the security risk of credential leakage in the
workflow.
Files selected for processing (7):
- .firebaserc
- .github/workflows/firebase-deploy.yml
- .github/workflows/firebase-preview.yml
- .gitignore
- README.md
- firebase.json
- package.json
Reviewed lines in .github/workflows/firebase-deploy.yml:

```yaml
      - name: Checkout
        uses: actions/checkout@v4
```
Pin GitHub Actions to specific commit hashes for supply-chain security.
Three actions are unpinned (@v4 and @v0 tags). Tags can be moved or compromised; pin to immutable commit hashes to ensure reproducible, auditable CI/CD.
🔒 Proposed fixes for pinned action hashes
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c7f3ba2a8547355d5e79c575f7 # v4.1.6 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@60edb5dd545a775178fac7f3e464e8ff4f5296be # v4.0.2 - name: Deploy to Firebase Hosting
- uses: FirebaseExtended/action-hosting-deploy@v0
+ uses: FirebaseExtended/action-hosting-deploy@16cfa59e21b9e3a2e23a41e4f0420a42a1c6ef30 # v0.8.1Note: Verify these are the latest compatible versions by checking the action repositories before merging. Use the @actions/ or Firebase release tags to find the exact commit hash for each version.
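Review bot: this pin and the `persist-credentials: false` suggestion that follows both target the same checkout step (lines 21-23 of firebase-deploy.yml), so they should land as one edit rather than two separately committed suggestions, otherwise whichever is committed second overwrites the first. The combined step is `uses: actions/checkout@a5ac7e51b41094c7f3ba2a8547355d5e79c575f7 # v4.1.6` followed by `with:` and `persist-credentials: false`. Keep the trailing `# v4.1.6`, `# v4.0.2` and `# v0.8.1` comments on the pinned lines; once the ref is a SHA, that comment is the only place a reader can see which release it corresponds to, and the "Also applies to: 25-28, 45-50" note means the setup-node and deploy steps need the same treatment in this file.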
Also applies to: 25-28, 45-50
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 21-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/firebase-deploy.yml around lines 21 - 23, Pin the GitHub
Actions to specific commit hashes instead of version tags for supply-chain
security. Replace the version tags (such as `@v4` in actions/checkout and `@v0` in
other actions) with their corresponding full commit hashes throughout the
workflow file. Look up the exact commit hash for each action version from the
respective action repositories on GitHub, then update each uses statement to
reference the immutable commit hash instead of the mutable version tag to ensure
reproducible and auditable CI/CD deployments.
Source: Linters/SAST tools
Add persist-credentials: false to prevent credential leakage.
The checkout action leaves Git credentials in the workflow's git config, which could be exposed in logs or artifacts if a later step is compromised.
🔐 Proposed fix
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false🧰 Tools
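Review bot: the rendering of this suggestion has lost its indentation, so it must not be pasted as shown: `with:` belongs at the same column as `uses:` and `persist-credentials: false` two spaces deeper, or the step fails to parse. Note also that the unchanged context line `uses: actions/checkout@v4` is exactly the line the pinning suggestion above replaces, which is a second reason to fold both into a single change to the checkout step.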
🪛 zizmor (1.25.2)
[warning] 21-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/firebase-deploy.yml around lines 21 - 23, The checkout
action using `actions/checkout@v4` is missing the `persist-credentials: false`
configuration which leaves Git credentials in the workflow's git config. Add
`persist-credentials: false` as a parameter to the checkout action to prevent
credentials from being persisted and potentially exposed in logs or artifacts if
a later workflow step is compromised.
Reviewed lines in .github/workflows/firebase-preview.yml:

```yaml
      - name: Checkout
        uses: actions/checkout@v4
```
Pin GitHub Actions to specific commit hashes for supply-chain security.
Same unpinned action issue as the production workflow. Apply the same hashes to ensure consistency across workflows.
🔒 Proposed fixes for pinned action hashes
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@a5ac7e51b41094c7f3ba2a8547355d5e79c575f7 # v4.1.6 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@60edb5dd545a775178fac7f3ba2a8547355d5e79c575f7 # v4.0.2 - name: Deploy Preview to Firebase Hosting
- uses: FirebaseExtended/action-hosting-deploy@v0
+ uses: FirebaseExtended/action-hosting-deploy@16cfa59e21b9e3a2e23a41e4f0420a42a1c6ef30 # v0.8.1Note: Use the same pinned versions as the production workflow to keep CI/CD consistent.
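Review bot: the setup-node pin in this hunk, `60edb5dd545a775178fac7f3ba2a8547355d5e79c575f7`, is 46 hex characters rather than a 40-character commit SHA, and it differs from the `60edb5dd545a775178fac7f3e464e8ff4f5296be # v4.0.2` proposed for the production workflow; GitHub cannot resolve it and the preview job would fail at that step. Use the production value so both workflows reference the same commit, which is what the note at the end of this hunk intends. It is worth a quick hash-length check on the other two lines as well before committing, since a pin that looks right but does not resolve is only caught at run time.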
Also applies to: 25-29, 46-50
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/firebase-preview.yml around lines 22 - 23, Pin the GitHub
Actions in the firebase-preview.yml workflow to specific commit hashes instead
of version tags for supply-chain security. Replace the unpinned action
references (actions/checkout@v4 and any other actions in the sections spanning
lines 25-29 and 46-50) with their corresponding full commit hash format (e.g.,
actions/checkout@<hash>). Use the same commit hashes that are already applied in
the production workflow to maintain consistency across all CI/CD workflows.
Source: Linters/SAST tools
Add persist-credentials: false to prevent credential leakage.
Same security concern as production workflow: checkout leaves Git credentials in git config.
🔐 Proposed fix
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false📝 Committable suggestion
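Review bot: same indentation caveat as in the production workflow (`with:` level with `uses:`, `persist-credentials: false` nested under it). The committable suggestion that follows replaces lines 22-23 with a step that still reads `uses: actions/checkout@v4`; if the pinning suggestion for this file is committed first, committing this one afterwards silently reverts the pin back to the mutable tag. Apply the pin and the `with:` block together, or commit this one first and the pin second.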
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Before:

```yaml
      - name: Checkout
        uses: actions/checkout@v4
```

After:

```yaml
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
```
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/firebase-preview.yml around lines 22 - 23, The Checkout
step using actions/checkout@v4 is missing the persist-credentials: false
parameter, which leaves Git credentials in the git config after checkout
completes. Add the persist-credentials: false input parameter to the checkout
action to prevent credentials from being persisted in the git configuration,
mitigating the security risk of credential leakage in the workflow.
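The two findings above (unpinned `uses:` references and a checkout step without `persist-credentials: false`) are mechanical enough to check before a workflow reaches review. The following is an added example for this page, not CodeRabbit's, zizmor's or the project's code: a small Python checker that walks a workflow line by line, with no PyYAML dependency, and reports both conditions. It assumes the conventional layout (each step starts with `- name:` or `- uses:`, a `with:` block sits directly under the step's keys). The three sample workflows are constructed to mirror the review's description of firebase-deploy.yml; the SHAs are the ones proposed in the review and must be verified against the action repositories before use. The third sample reproduces the 46-character setup-node value from the preview-workflow suggestion, which a pin check has to reject rather than accept as pinned.

```python
"""Check a GitHub Actions workflow for two hardening findings:
  1. every `uses:` reference is pinned to a full 40-hex commit SHA, and
  2. every actions/checkout step sets `persist-credentials: false`.
Added example; line-based parsing, assumes the conventional step layout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")
COMMENT_RE = re.compile(r"(^|\s+)#.*$")       # trailing `# v4.1.6` style comments


@dataclass
class Step:
    line: int
    uses: Optional[str] = None
    with_: Dict[str, str] = field(default_factory=dict)


def parse_steps(text: str) -> List[Step]:
    """Collect `uses:` and `with:` key/values for every YAML list item."""
    steps: List[Step] = []
    current: Optional[Step] = None
    with_indent: Optional[int] = None
    for number, raw in enumerate(text.splitlines(), 1):
        code = COMMENT_RE.sub("", raw).rstrip()
        if not code.strip():
            continue
        body = code.lstrip()
        indent = len(code) - len(body)
        if body.startswith("- "):               # a new list item, i.e. a new step
            current = Step(line=number)
            steps.append(current)
            with_indent = None
            body = body[2:].lstrip()
            indent += 2                         # keys after the dash align here
        match = KEY_RE.match(body)
        if current is None or not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if with_indent is not None and indent > with_indent:
            current.with_[key] = value          # nested under `with:`
            continue
        with_indent = None                      # left the `with:` block
        if key == "uses":
            current.uses = value
        elif key == "with":
            with_indent = indent
    return steps


def check_workflow(text: str) -> List[str]:
    """Return one finding per violated rule; an empty list means clean."""
    findings: List[str] = []
    for step in parse_steps(text):
        if not step.uses or step.uses.startswith("./"):
            continue                            # local actions ride on the repo SHA
        action, _, ref = step.uses.rpartition("@")
        if not action or not SHA_RE.match(ref):  # tag, branch, missing or malformed ref
            findings.append(f"line {step.line}: {step.uses} is not pinned to a 40-hex commit SHA")
        if action.startswith("actions/checkout") and step.with_.get("persist-credentials") != "false":
            findings.append(f"line {step.line}: checkout step does not set persist-credentials: false")
    return findings


# Constructed sample modelled on the review's description of firebase-deploy.yml.
TEMPLATE = """\
name: Deploy to Firebase Hosting
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
{checkout}
      - name: Set up Node.js
        uses: {setup_node}
        with:
          node-version: 20
      - run: npm ci && npm run build
      - name: Deploy to Firebase Hosting
        uses: {deploy}
        with:
          repoToken: ${{{{ secrets.GITHUB_TOKEN }}}}
          firebaseServiceAccount: ${{{{ secrets.FIREBASE_SERVICE_ACCOUNT }}}}
          channelId: live
"""
AS_SUBMITTED = TEMPLATE.format(checkout="        uses: actions/checkout@v4",
                               setup_node="actions/setup-node@v4",
                               deploy="FirebaseExtended/action-hosting-deploy@v0")
# SHAs as proposed in the review; verify against the action repos before use.
HARDENED = TEMPLATE.format(
    checkout="        uses: actions/checkout@a5ac7e51b41094c7f3ba2a8547355d5e79c575f7 # v4.1.6\n"
             "        with:\n"
             "          persist-credentials: false",
    setup_node="actions/setup-node@60edb5dd545a775178fac7f3e464e8ff4f5296be # v4.0.2",
    deploy="FirebaseExtended/action-hosting-deploy@16cfa59e21b9e3a2e23a41e4f0420a42a1c6ef30 # v0.8.1")
# 46-character "SHA" from the preview-workflow suggestion: must be rejected, not accepted.
MALFORMED_PIN = HARDENED.replace("60edb5dd545a775178fac7f3e464e8ff4f5296be",
                                 "60edb5dd545a775178fac7f3ba2a8547355d5e79c575f7")

if __name__ == "__main__":
    for label, wf in (("as submitted", AS_SUBMITTED), ("hardened", HARDENED),
                      ("malformed pin", MALFORMED_PIN)):
        print(f"{label}: {check_workflow(wf) or ['clean']}")
```

Run it directly to see four findings for the workflow as submitted, none for the hardened version, and a single finding for the malformed setup-node pin. Wiring `check_workflow` into a pre-commit hook or a CI job over `.github/workflows/*.yml` gives the same signal zizmor's `unpinned-uses` and `artipacked` rules produce, with no external dependency.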
Superseded by new PR with fix for deploy step condition. Branch protection rules prevent pushing additional commits to this branch.
Summary

Adds Firebase Hosting configuration and CI/CD workflows so the app can be deployed to Firebase automatically.

New files:
- firebase.json: serves Vite's dist/ directory, SPA rewrite (** → /index.html), and long-lived cache headers on /assets/** and *.js|css
- .firebaserc: default project alias (placeholder servio-app, update to your actual project ID)
- .github/workflows/firebase-deploy.yml: builds and deploys to the live channel on every push to main, using FirebaseExtended/action-hosting-deploy@v0
- .github/workflows/firebase-preview.yml: builds and deploys a preview channel on every PR (URL posted as a PR comment), scoped to same-repo PRs only

Modified files:
- package.json: added deploy and deploy:preview scripts for manual deployment via Firebase CLI
- .gitignore: added .firebase/ cache directory
- README.md: added full deployment section: prerequisites, env vars, manual deploy, CI/CD setup, and required GitHub secrets table

Required setup after merge:
- FIREBASE_SERVICE_ACCOUNT and VITE_FIREBASE_* secrets in GitHub repo settings
- .firebaserc to match the actual Firebase project

Closes #45

Link to Devin session: https://app.devin.ai/sessions/ee17ee110bd04a2296d7047fe7c01b0d
Requested by: @hrx01-dev