43 changes: 43 additions & 0 deletions .github/workflows/static.yml
@@ -0,0 +1,43 @@
# Simple workflow for deploying static content to GitHub Pages
name: Deploy static content to Pages

on:
# Runs on pushes targeting the default branch
push:
branches: ["main"]

# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
group: "pages"
cancel-in-progress: false

jobs:
# Single deploy job since we're just deploying
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
# Upload entire repository
path: '.'
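Review bot: The Checkout step runs actions/checkout@v4 with its defaults, and the Upload artifact step that follows archives the whole working tree via path: '.', while no later step performs any git operation. Add a with: block setting persist-credentials: false on the checkout step so the job token is not left in the workspace's git configuration for the rest of the job.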
Comment on lines +36 to +40

⚠️ Potential issue | 🟠 Major

Security risk: Uploading entire repository exposes sensitive files.

Using path: '.' deploys the entire repository contents to GitHub Pages, including:

  • .git directory (full commit history, potentially containing secrets from past commits)
  • Configuration files (.env, .gitignore, etc.)
  • Any sensitive or unintended files

Typically, you should deploy only the build output directory (e.g., dist, build, public). If this project has a build step, add it before the upload and specify the output directory.

🛡️ Proposed fix to specify a dedicated output directory
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          # Upload entire repository
-          path: '.'
+          # Upload only the build output directory
+          path: './dist'

If a build step is required, add it before the upload:

      - name: Build
        run: npm ci && npm run build
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/static.yml around lines 36 - 40, Replace the insecure
upload of the entire repo (the upload step using
actions/upload-pages-artifact@v3 with path: '.') so only the build output is
published: add/ensure a build step (e.g., run npm ci && npm run build) that
emits a known output directory (e.g., dist or public), and change the Upload
artifact step (name: Upload artifact / uses: actions/upload-pages-artifact@v3)
to point to that output directory instead of '.' to avoid exposing .git and
other sensitive files.
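
A pre-upload gate for the directory named in `path:`, as an added example that is not part of the PR or of the review comment above. The function names and the deny patterns are assumptions to adapt to the repository.

```shell
#!/bin/sh
# Added example: refuse to publish a directory that contains sensitive names.
# The deny patterns are assumptions; extend them for the repository at hand.

# Print every path under $1 whose name matches a deny pattern.
list_sensitive() {
  find "$1" -mindepth 1 \( \
       -name '.git' -o -name '.github' -o -name '.env' -o -name '.env.*' \
    -o -name '.npmrc' -o -name '*.pem' -o -name '*.key' -o -name 'id_rsa*' \
  \) -print | sort
}

# Return 0 when the directory is safe to publish, 1 otherwise.
check_publish_dir() {
  _dir="$1"
  if [ ! -d "$_dir" ]; then
    echo "publish dir '$_dir' does not exist" >&2
    return 1
  fi
  _hits="$(list_sensitive "$_dir")"
  if [ -n "$_hits" ]; then
    echo "refusing to publish '$_dir'; sensitive paths found:" >&2
    printf '%s\n' "$_hits" >&2
    return 1
  fi
  return 0
}

# Constructed demo tree: the repository root is blocked, a staged dist/ passes.
demo() {
  _root="$(mktemp -d)"
  mkdir -p "$_root/.git" "$_root/dist"
  echo 'TOKEN=constructed-sample' > "$_root/.env"
  echo '<h1>hello</h1>' > "$_root/dist/index.html"
  for _d in "$_root" "$_root/dist"; do
    if check_publish_dir "$_d" 2>/dev/null; then
      echo "ok:      $_d"
    else
      echo "blocked: $_d"
    fi
  done
  rm -rf "$_root"
}

# With an argument, check that directory; without one, run the demo.
if [ "$#" -gt 0 ]; then check_publish_dir "$1"; else demo; fi
```

Saved under a name of your choosing and run as a step before Upload artifact with the same directory that `path:` names, a non-zero exit stops the job before anything is archived.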

- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
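Review bot: The Deploy to GitHub Pages step, like the three steps before it, references its action by a mutable major tag (actions/deploy-pages@v4), and this job runs with pages: write and id-token: write. Pin each uses: entry to a full commit SHA with the release tag kept in a trailing comment, and consider moving the permissions: block from workflow level into the deploy job so that any job added later starts without those scopes.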
Comment on lines +33 to +43

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the latest release tags for the GitHub Actions used in the workflow

echo "=== Checking actions/checkout ==="
gh api repos/actions/checkout/releases/latest --jq '.tag_name' 2>/dev/null || echo "Failed to fetch"

echo "=== Checking actions/configure-pages ==="
gh api repos/actions/configure-pages/releases/latest --jq '.tag_name' 2>/dev/null || echo "Failed to fetch"

echo "=== Checking actions/upload-pages-artifact ==="
gh api repos/actions/upload-pages-artifact/releases/latest --jq '.tag_name' 2>/dev/null || echo "Failed to fetch"

echo "=== Checking actions/deploy-pages ==="
gh api repos/actions/deploy-pages/releases/latest --jq '.tag_name' 2>/dev/null || echo "Failed to fetch"

Repository: f/prompts.chat

Length of output: 729


🌐 Web query:

latest release actions/checkout GitHub Action v4 v5

💡 Result:

  • Latest actions/checkout v5.x release: v5.0.1 (released Nov 17, 15:57 UTC) [1]
  • Latest actions/checkout v4.x release: v4.3.1 (released Nov 17, 16:06 UTC) [2]

Also note: actions/checkout has moved beyond v5—the current latest major is v6 (latest tag shown: v6.0.2). [3]


🌐 Web query:

latest release actions/configure-pages GitHub Action v5 v6

💡 Result:

As of February 26, 2026, the latest release of actions/configure-pages is v5.0.0 (released March 30, 2024). The floating major tag v5 points to that same release. There is no v6 release/tag published for this action. [1][2]


🌐 Web query:

latest release actions/upload-pages-artifact GitHub Action v3 v4

💡 Result:

  • actions/upload-pages-artifact@v4 (latest v4 major tag): v4.0.0 — released Aug 14, 2025. [1]
  • actions/upload-pages-artifact@v3 (latest v3 major tag): v3.0.1 — released Feb 7, 2024. [1]

Sources: GitHub tags list for the repository (shows both the major tags v3/v4 and the latest corresponding semver releases). [1]

References
[1] https://github.com/actions/upload-pages-artifact/tags


🌐 Web query:

latest release actions/deploy-pages GitHub Action v4 v5

💡 Result:

  • Latest actions/deploy-pages major: v4 (major tag v4 currently points to v4.0.5). (github.com)
  • Latest v4.x release: v4.0.5 (released March 18, 2024). (github.com)
  • v5 status: There is no v5 tag/release in the repository’s releases/tags as of today. (github.com)


Update actions/checkout to v5 or v6 and actions/upload-pages-artifact to v4.

The workflow uses outdated action versions:

  • actions/checkout@v4: Latest is v6.0.2; v4.3.1 is the latest v4.x release
  • actions/upload-pages-artifact@v3: Latest is v4.0.0 (released Aug 14, 2025); v3.0.1 is the latest v3.x release
  • actions/configure-pages@v5: Already on the latest release (v5.0.0)
  • actions/deploy-pages@v4: Already on the latest release (v4.0.5)

Update checkout and upload-pages-artifact to benefit from bug fixes and improvements in newer versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/static.yml around lines 33 - 43, Update the GitHub Actions
workflow to use the newer action versions: change the step using
actions/checkout@v4 to the current major (actions/checkout@v6 or a specific
v6.0.2 tag) and change the step using actions/upload-pages-artifact@v3 to the
newer v4 (actions/upload-pages-artifact@v4 or v4.0.0); leave
actions/configure-pages@v5 and actions/deploy-pages@v4 as-is. Locate the steps
referring to actions/checkout and actions/upload-pages-artifact in the
static.yml workflow and update their version references accordingly, then
run/validate the workflow to ensure no breaking changes affect checkout or
artifact upload behavior.