13 changes: 11 additions & 2 deletions .github/actions/setup-project-minimal/action.yml
Expand Up @@ -2,13 +2,19 @@ name: Setup Novu Monorepo (Minimal)

description: Minimal setup for Nx operations with separate cache from main CI

inputs:
bull_mq_pro_npm_token:
description: 'Auth token for the private @taskforcesh registry'
required: false
default: ''

runs:
using: composite
steps:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0

- uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5
name: ⚙️ Setup Node Version with separate cache
Expand All @@ -20,8 +26,11 @@ runs:

- name: 🚀 Install root dependencies
shell: bash
env:
BULL_MQ_PRO_NPM_TOKEN: ${{ inputs.bull_mq_pro_npm_token }}
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
# Install all root dependencies (includes Nx and other tools)
pnpm install --frozen-lockfile --filter=root --ignore-scripts
pnpm install --frozen-lockfile ${TRUST_FLAG} --filter=root --ignore-scripts
# Reset Nx cache
npx nx reset || true
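Review bot: `${TRUST_FLAG}` on the `pnpm install` line is left unquoted so that an empty result adds no argument, but nothing in the step says so, and the same expansion means anything `scripts/configure-pnpm-private-registry.sh` prints to stdout becomes a pnpm argument. Add a comment above the assignment, e.g. `# TRUST_FLAG must be empty or a single pnpm flag; the script must keep diagnostics on stderr`, and keep the script (not part of this view) to that contract. The same two-line pattern is repeated in setup-project/action.yml, deploy.yml (both jobs), prepare-enterprise-self-hosted-release.yml, prepare-self-hosted-release.yml, preview-packages.yml and release-packages.yml (both jobs), so one comment in each composite action plus a short reference in the workflows would cover it. The `env:` block here scopes the token to this single step, which is the right granularity.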
12 changes: 10 additions & 2 deletions .github/actions/setup-project/action.yml
Expand Up @@ -11,6 +11,10 @@ inputs:
description: 'Should link submodules'
required: false
default: 'false'
bull_mq_pro_npm_token:
description: 'Auth token for the private @taskforcesh registry'
required: false
default: ''
outputs:
cypress_cache_hit:
description: 'Did cypress use binary cache'
Expand All @@ -22,7 +26,7 @@ runs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0

- uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5
name: ⚙️ Setup Node Version
Expand Down Expand Up @@ -50,7 +54,11 @@ runs:

- name: 🛟 Install dependencies
shell: bash
run: pnpm ci
env:
BULL_MQ_PRO_NPM_TOKEN: ${{ inputs.bull_mq_pro_npm_token }}
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}

- name: Install wait-on plugin
shell: bash
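Review bot: The new `bull_mq_pro_npm_token` input defaults to `''`, and the callers added in this PR pass `${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}`, which evaluates to an empty string on pull requests from forks, yet the description does not say what an empty token means for the install step — whether the private `@taskforcesh` registry is skipped, a public fallback is used, or the install is expected to fail. State it in the input description once the script's behavior is confirmed, e.g. `description: 'Auth token for the private @taskforcesh registry; when empty (fork PRs) the install <document the fallback the script implements>'`. The same input and description are added to setup-project-minimal/action.yml and should be kept identical. The `Install dependencies` step's `env:` keeps the token on that one step, and the steps after it are outside the hunk.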
3 changes: 2 additions & 1 deletion .github/workflows/contributor-checks.yml
Expand Up @@ -50,6 +50,7 @@ jobs:
timeout-minutes: 30
env:
NX_NO_CLOUD: "true"
pnpm_config_trust_lockfile: "true"
steps:
- name: Checkout code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
Expand All @@ -59,7 +60,7 @@ jobs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0

- name: Setup Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
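Review bot: `pnpm_config_trust_lockfile: "true"` is set at job `env` scope, so it applies to every pnpm invocation in the job rather than only the install step, and it is a different mechanism from the `TRUST_FLAG` produced by `scripts/configure-pnpm-private-registry.sh` in the other workflows of this PR. If the intent is that this job (which presumably has no registry token available) should behave like the others, call the script in the install step instead; if the env route is deliberate, say why in a comment above the key, e.g. `# contributor runs have no private-registry token; trust the committed lockfile for every pnpm command in this job`. The install step itself is outside the hunks shown.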
16 changes: 12 additions & 4 deletions .github/workflows/deploy.yml
Expand Up @@ -291,6 +291,8 @@ jobs:
run-clickhouse-migrations:
needs: prepare-matrix
runs-on: ubuntu-latest
env:
BULL_MQ_PRO_NPM_TOKEN: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
strategy:
matrix:
env: ${{ fromJson(needs.prepare-matrix.outputs.env_matrix).environment }}
Expand All @@ -316,7 +318,7 @@ jobs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0
run_install: false

- name: Setup Node Version
Expand All @@ -327,7 +329,9 @@ jobs:

- name: Install Dependencies
shell: bash
run: pnpm ci
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}
- name: Run ClickHouse Migrations
working-directory: apps/api
env:
Expand All @@ -341,6 +345,8 @@ jobs:
needs: [prepare-matrix, run-clickhouse-migrations]
timeout-minutes: 60
runs-on: blacksmith-8vcpu-ubuntu-2404
env:
BULL_MQ_PRO_NPM_TOKEN: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
environment: ${{ fromJson(needs.prepare-matrix.outputs.env_matrix).environment[0] }}
permissions:
contents: read
Expand All @@ -360,7 +366,7 @@ jobs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0
run_install: false

- name: Setup Node Version
Expand All @@ -371,7 +377,9 @@ jobs:

- name: Install Dependencies
shell: bash
run: pnpm ci
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}

- name: Set Up Docker Buildx
uses: useblacksmith/setup-docker-builder@a592b831ebb20e68f7cf47329cf2c3c67b8a7655 # v1
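Review bot: In the `run-clickhouse-migrations` job the rewritten `Install Dependencies` step runs straight into `- name: Run ClickHouse Migrations` with no blank line, unlike the equivalent step in the second job of this file, which keeps one. Add the blank line after `pnpm ci ${TRUST_FLAG}` so step separation matches the rest of the file. The `env:` of the migrations step continues outside the hunk.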
9 changes: 9 additions & 0 deletions .github/workflows/on-pr.yml
Expand Up @@ -86,6 +86,8 @@ jobs:
run: |
git fetch origin ${{ github.event.pull_request.base.ref }} --depth=50
- uses: ./.github/actions/setup-project-minimal
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
# Configure Nx to be able to detect changes between branches when we are in a PR
- name: Derive appropriate SHAs for base and head for `nx affected` commands
uses: nrwl/nx-set-shas@59075b03c42ae79986d96d761eeb15094df7a76e # v2
Expand Down Expand Up @@ -128,6 +130,7 @@ jobs:
- uses: ./.github/actions/setup-project
with:
slim: 'true'
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
- uses: mansagroup/nrwl-nx-action@a531870269e0c1eeb7af6247c4a206c31cae82cc # v3
env:
NX_NO_CLOUD: ${{ secrets.NX_CLOUD_ACCESS_TOKEN == '' && 'true' || 'false' }}
Expand Down Expand Up @@ -156,6 +159,7 @@ jobs:
- uses: ./.github/actions/setup-project
with:
slim: 'true'
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- name: Build
uses: mansagroup/nrwl-nx-action@a531870269e0c1eeb7af6247c4a206c31cae82cc # v3
Expand Down Expand Up @@ -187,6 +191,8 @@ jobs:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

- uses: ./.github/actions/setup-project
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- name: Run Lint, Build, Test
uses: mansagroup/nrwl-nx-action@a531870269e0c1eeb7af6247c4a206c31cae82cc # v3
Expand Down Expand Up @@ -223,6 +229,7 @@ jobs:
with:
# Don't run redis and etc... for other unit tests
slim: ${{ !contains(matrix.projectName, '@novu/api-service') && !contains(matrix.projectName, '@novu/worker') && !contains(matrix.projectName, '@novu/ws') && !contains(matrix.projectName, '@novu/inbound-mail')}}
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- uses: ./.github/actions/setup-redis-cluster
- uses: mansagroup/nrwl-nx-action@a531870269e0c1eeb7af6247c4a206c31cae82cc # v3
Expand Down Expand Up @@ -257,6 +264,8 @@ jobs:
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: ./.github/actions/setup-project
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
- uses: ./.github/actions/setup-redis-cluster
- uses: ./.github/actions/run-api
with:
8 changes: 6 additions & 2 deletions .github/workflows/prepare-enterprise-self-hosted-release.yml
Expand Up @@ -156,6 +156,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 90
environment: novu-ee
env:
BULL_MQ_PRO_NPM_TOKEN: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -212,7 +214,7 @@ jobs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0
run_install: false

- name: Setup Node Version
Expand All @@ -223,7 +225,9 @@ jobs:

- name: Install Dependencies
shell: bash
run: pnpm ci
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}

- name: Symlink Enterprise Packages
shell: bash
6 changes: 5 additions & 1 deletion .github/workflows/prepare-self-hosted-release.yml
Expand Up @@ -105,6 +105,8 @@ jobs:
needs: setup_matrix
runs-on: ubuntu-latest
timeout-minutes: 90
env:
BULL_MQ_PRO_NPM_TOKEN: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -158,7 +160,9 @@ jobs:
cache: "pnpm"

- name: Install dependencies
run: pnpm ci
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}

- name: Setup Docker
uses: crazy-max/ghaction-setup-docker@69b561f709cbd934060981d481ccfc316cfb77b7 # v2
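Review bot: The rewritten `Install dependencies` step has no `shell: bash`, whereas the same two-line `TRUST_FLAG` snippet in deploy.yml, prepare-enterprise-self-hosted-release.yml and release-packages.yml sets it explicitly; on an `ubuntu-latest` runner the unspecified default is bash with `-e` only, while `shell: bash` adds `-o pipefail`, so the copies do not run under identical options. Add `shell: bash` above `run: |` here and in the matching step of preview-packages.yml so the snippet behaves the same everywhere. The job definition starts outside the hunk.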
5 changes: 4 additions & 1 deletion .github/workflows/preview-packages.yml
Expand Up @@ -2,6 +2,7 @@ name: Publish NPM Packages Previews

env:
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
BULL_MQ_PRO_NPM_TOKEN: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

P1 Secret exposed workflow-wide
BULL_MQ_PRO_NPM_TOKEN is defined at workflow scope, so every step/action in this workflow receives the private registry token even though only the install command needs it. The same broad env pattern was added to release/deploy workflows and exposes the credential to unrelated third-party actions; pass it only on the dependency-install step instead.


on:
workflow_dispatch:
Expand Down Expand Up @@ -35,7 +36,9 @@ jobs:
run: corepack enable

- name: Install dependencies
run: pnpm ci
run: |
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}

- name: Teach Novu preview packages to work with latest dependencies
run: pnpm run packages:set-latest
11 changes: 7 additions & 4 deletions .github/workflows/release-packages.yml
Expand Up @@ -37,6 +37,7 @@ on:

env:
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
BULL_MQ_PRO_NPM_TOKEN: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

jobs:
release:
Expand All @@ -59,7 +60,7 @@ jobs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0
run_install: false

- name: Setup Node Version
Expand All @@ -76,7 +77,8 @@ jobs:
- name: Install Dependencies
shell: bash
run: |
pnpm ci
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}
pnpm nx --version
pnpm list nx

Expand Down Expand Up @@ -218,7 +220,7 @@ jobs:
- name: Install pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.0.9
version: 11.9.0
run_install: false

- name: Setup Node Version
Expand All @@ -235,7 +237,8 @@ jobs:
- name: Install Dependencies
shell: bash
run: |
pnpm ci
TRUST_FLAG="$(bash scripts/configure-pnpm-private-registry.sh)"
pnpm ci ${TRUST_FLAG}

- name: Build packages
env:
1 change: 1 addition & 0 deletions .github/workflows/reusable-api-e2e.yml
Expand Up @@ -44,6 +44,7 @@ jobs:
name: Setup project
with:
submodules: ${{ inputs.ee }}
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- uses: ./.github/actions/start-localstack
name: Start localstack
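Review bot: `${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}` inside a reusable workflow resolves only if the secret is declared under `on.workflow_call.secrets` or the caller uses `secrets: inherit`; otherwise the composite action silently receives an empty token and the install behaves as an unauthenticated one. The `on:` block is outside this hunk, so confirm the declaration, preferably by listing `BULL_MQ_PRO_NPM_TOKEN` explicitly under `on.workflow_call.secrets` (with `required: false` if fork runs must keep working) rather than relying on inherit. The same check applies to reusable-dashboard-deploy.yml, reusable-dashboard-e2e.yml, reusable-inbound-mail-e2e.yml, reusable-web-deploy.yml, reusable-web-e2e.yml, reusable-webhook-e2e.yml, reusable-worker-e2e.yml and reusable-ws-e2e.yml.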
1 change: 1 addition & 0 deletions .github/workflows/reusable-dashboard-deploy.yml
Expand Up @@ -52,6 +52,7 @@ jobs:
with:
slim: 'true'
submodules: true
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- name: Build
env:
1 change: 1 addition & 0 deletions .github/workflows/reusable-dashboard-e2e.yml
Expand Up @@ -69,6 +69,7 @@ jobs:
- uses: ./.github/actions/setup-project
with:
submodules: true
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- name: Create .env file for the Dashboard app
working-directory: apps/dashboard
2 changes: 2 additions & 0 deletions .github/workflows/reusable-inbound-mail-e2e.yml
Expand Up @@ -48,6 +48,8 @@ jobs:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
if: steps.setup.outputs.has_token != 'true'
- uses: ./.github/actions/setup-project
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}
- uses: ./.github/actions/setup-redis-cluster

# Runs a single command using the runners shell
1 change: 1 addition & 0 deletions .github/workflows/reusable-web-deploy.yml
Expand Up @@ -83,6 +83,7 @@ jobs:
with:
slim: "true"
submodules: true
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- name: Create env file
working-directory: apps/web
1 change: 1 addition & 0 deletions .github/workflows/reusable-web-e2e.yml
Expand Up @@ -69,6 +69,7 @@ jobs:
- uses: ./.github/actions/setup-project
with:
submodules: true
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- uses: mansagroup/nrwl-nx-action@a531870269e0c1eeb7af6247c4a206c31cae82cc # v3
with:
2 changes: 2 additions & 0 deletions .github/workflows/reusable-webhook-e2e.yml
Expand Up @@ -20,6 +20,8 @@ jobs:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

- uses: ./.github/actions/setup-project
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- uses: ./.github/actions/start-localstack

2 changes: 2 additions & 0 deletions .github/workflows/reusable-worker-e2e.yml
Expand Up @@ -49,6 +49,8 @@ jobs:
if: steps.setup.outputs.has_token != 'true'

- uses: ./.github/actions/setup-project
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

- uses: ./.github/actions/setup-redis-cluster

2 changes: 2 additions & 0 deletions .github/workflows/reusable-ws-e2e.yml
Expand Up @@ -48,6 +48,8 @@ jobs:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
if: steps.setup.outputs.has_token != 'true'
- uses: ./.github/actions/setup-project
with:
bull_mq_pro_npm_token: ${{ secrets.BULL_MQ_PRO_NPM_TOKEN }}

# Runs a single command using the runners shell
- name: Build WS
3 changes: 1 addition & 2 deletions .npmrc-cloud
@@ -1,3 +1,2 @@
@taskforcesh:registry=https://npm.taskforce.sh/
//npm.taskforce.sh/:_authToken=${BULL_MQ_PRO_NPM_TOKEN}
always-auth=true
always-auth=true
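Review bot: The rendered view hides which of the two leading lines was removed; if it is `//npm.taskforce.sh/:_authToken=${BULL_MQ_PRO_NPM_TOKEN}`, registry authentication now depends entirely on `scripts/configure-pnpm-private-registry.sh`, which is not part of this view. That script should keep expressing the credential as the `${BULL_MQ_PRO_NPM_TOKEN}` environment reference rather than the resolved value, so the token never lands in a file on the runner or in anything uploaded from the workspace. The duplicated `always-auth=true` lines suggest the remaining change is only the trailing newline.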