name: Deploy frontend to GitHub Pages on: push: branches: [main] paths: - "frontend/**" - ".github/workflows/deploy.yml" workflow_dispatch: permissions: contents: read pages: write id-token: write concurrency: group: pages cancel-in-progress: true jobs: build: runs-on: ubuntu-latest defaults: run: working-directory: frontend steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: "20" cache: npm cache-dependency-path: frontend/package-lock.json - name: Install run: npm ci - name: Secret-leak self-check run: node scripts/check-no-secrets.mjs - name: Build env: # Set in repo Settings → Secrets and variables → Actions → Variables VITE_API_BASE: ${{ vars.VITE_API_BASE }} VITE_BASE_PATH: ${{ vars.VITE_BASE_PATH || '/Fin-EvalOps/' }} run: npm run build - name: Copy 404 fallback (React Router on Pages) run: cp dist/index.html dist/404.html - name: Verify no secret leaked into bundle run: | set -e if grep -rE '117\.50\.195\.94|sk-[a-zA-Z0-9]{20,}|sk-ant-' dist; then echo "::error::Secret-looking string found in dist!" exit 1 fi - uses: actions/upload-pages-artifact@v3 with: path: frontend/dist deploy: needs: build runs-on: ubuntu-latest environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} steps: - id: deployment uses: actions/deploy-pages@v4