27 changes: 21 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -7,25 +7,40 @@ on:
- reopened
- synchronize

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
check:
name: Lint, build and test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Comment on lines +22 to +23


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/ci.yml
echo '---'
cat -n .github/workflows/ci.yml | sed -n '1,220p'

Repository: stakekit/perps-widget

Length of output: 1610


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show workflow structure and any later steps that might rely on git credentials.
ast-grep outline .github/workflows/ci.yml --view expanded || true
echo '---'
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml

Repository: stakekit/perps-widget

Length of output: 507


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "File:"
git ls-files .github/workflows/ci.yml

echo
echo "Content:"
cat -n .github/workflows/ci.yml | sed -n '1,220p'

echo
echo "Relevant matches:"
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml || true

Repository: stakekit/perps-widget

Length of output: 1946


🌐 Web query:

actions/checkout persist-credentials default true documentation

💡 Result:

In the GitHub actions/checkout action, the persist-credentials input is enabled by default (default: true) [1][2]. When set to true (the default), the action configures the authentication token or SSH key with the local Git configuration [3][1]. This allows subsequent steps in your workflow to execute authenticated Git commands (such as git fetch or git push) without requiring additional configuration [3][4]. The action automatically removes these credentials during the post-job cleanup process [3][5]. If you wish to prevent the action from configuring these credentials, you can set persist-credentials to false [3][6] (with: persist-credentials: false). Recent updates have improved the security of this feature by storing credentials in a file under $RUNNER_TEMP rather than directly within .git/config, while maintaining the same default behavior and functionality [3][7].

Citations:


Disable persisted checkout credentials. This workflow only reads the repo, so persist-credentials: false avoids leaving the checkout token available to later install/build steps.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 22 - 23, the Checkout step in the CI
workflow should disable persisted Git credentials. Update the actions/checkout
usage in the Checkout job to set persist-credentials to false so later
install/build steps cannot reuse the checkout token.

Source: Linters/SAST tools
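The two properties the comment above and the zizmor warning care about (a checkout step that leaves persist-credentials at its default of true, and an action referenced by a mutable tag instead of a full commit SHA) are easy to check for across a repository's workflows before a PR is opened. The following scanner is an added example, not code from this PR, from CodeRabbit or from the stakekit/perps-widget project; it uses an indentation-based reading of the small YAML subset that step lists use rather than a full YAML parser, so it needs only the standard library. The sample workflow text is constructed for the example and is modelled on the ci.yml hunk in this PR, and the function names are this example's own.

```python
import re

# Constructed sample, modelled on the ci.yml in this PR (not the project's
# real file). The first checkout is SHA-pinned but still persists credentials;
# the second disables persistence but uses a mutable tag.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: jdx/mise-action@v2
"""

# The same checkout step with both issues fixed (also constructed).
HARDENED_WORKFLOW = """\
steps:
  - name: Checkout
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      persist-credentials: false
"""

STEP_RE = re.compile(r"^(\s*)-\s")                      # start of a list item
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")  # value without comment
PINNED_SHA_RE = re.compile(r"@[0-9a-f]{40}$")           # full commit SHA ref
NO_PERSIST_RE = re.compile(r"persist-credentials:\s*['\"]?false")


def split_steps(text):
    """Return [(line_number, [lines])] for each `- ` list item plus the lines
    nested under it. Membership is decided by indentation only, which is
    enough for the flat `steps:` lists found in workflow files."""
    steps = []
    current = None  # (first line number, collected lines, dash indent)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        is_item = STEP_RE.match(line) is not None
        if current is not None and indent <= current[2]:
            # dedent or sibling item: the open step is complete
            steps.append((current[0], current[1]))
            current = None
        if is_item and current is None:
            current = (lineno, [line], indent)
        elif current is not None:
            current[1].append(line)
    if current is not None:
        steps.append((current[0], current[1]))
    return steps


def audit_workflow(text):
    """One finding per step that (a) uses actions/checkout without
    persist-credentials: false, or (b) references any action by a tag or
    branch rather than a full commit SHA. Findings are in file order."""
    findings = []
    for lineno, lines in split_steps(text):
        block = "\n".join(lines)
        uses = next((m.group(1) for m in map(USES_RE.match, lines) if m), None)
        if uses is None:
            continue  # a plain `run:` step has nothing to check here
        if uses.startswith("actions/checkout@") and not NO_PERSIST_RE.search(block):
            findings.append(f"line {lineno}: {uses} keeps persist-credentials (default true)")
        if not PINNED_SHA_RE.search(uses):
            findings.append(f"line {lineno}: {uses} is not pinned to a commit SHA")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print("hardened step findings:", audit_workflow(HARDENED_WORKFLOW))
```

Running it on the sample reports three findings (the persisted credentials on the SHA-pinned checkout and the two tag-only references) and none on the hardened step. Pointing audit_workflow at each file under .github/workflows from a pre-commit hook or a CI lint job gives the same signal as the zizmor artipacked rule without waiting for the review bot.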


- uses: jdx/mise-action@v2
- name: Install mise
run: |
curl https://mise.run | MISE_VERSION=v2026.5.6 sh
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
echo "$HOME/.local/share/mise/shims" >> "$GITHUB_PATH"
export PATH="$HOME/.local/bin:$HOME/.local/share/mise/shims:$PATH"
mise install

- run: pnpm install --frozen-lockfile
- name: Install dependencies
run: pnpm install --frozen-lockfile

- name: Install Playwright Browsers
run: pnpm exec playwright install --with-deps

- run: pnpm run lint
- name: Lint
run: pnpm run lint

- run: pnpm run build
- name: Build
run: pnpm run build

- run: pnpm run test
- name: Test
run: pnpm run test
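Review bot: the Install mise step swaps jdx/mise-action@v2 for curl https://mise.run | MISE_VERSION=v2026.5.6 sh, which pins the mise version that gets installed but runs whatever the installer endpoint serves at build time with no checksum or signature check, in the same PR that pins actions/checkout to a full commit SHA. Either keep jdx/mise-action and pin it to a commit SHA like the checkout step, or download the installer to a file, verify a known checksum, and only then execute it. The identical snippet appears twice more in amplify.yml; one versioned script invoked from both places would keep the three copies from drifting.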
1 change: 1 addition & 0 deletions .npmrc
@@ -0,0 +1 @@
node-linker=hoisted
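Review bot: node-linker=hoisted gives up pnpm's strict, isolated node_modules layout, so any package can resolve modules it never declared (phantom dependencies) and the install no longer fails on them. If the Amplify build needs the flat layout, a one-line comment in .npmrc stating why would keep a later cleanup from silently removing it; if it does not, the default isolated linker is the safer setting.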
52 changes: 52 additions & 0 deletions amplify.yml
@@ -0,0 +1,52 @@
version: 1
applications:
- appRoot: packages/widget
frontend:
buildPath: "/" # install and build from the monorepo root
phases:
preBuild:
commands:
- curl https://mise.run | MISE_VERSION=v2026.5.6 sh
- export PATH="$HOME/.local/bin:$PATH"
- export PATH="$HOME/.local/share/mise/shims:$PATH"
- mise install
- pnpm install --frozen-lockfile
- echo "VITE_PERPS_BASE_URL=$VITE_PERPS_BASE_URL" >> packages/widget/.env
- echo "VITE_PERPS_API_KEY=$VITE_PERPS_API_KEY" >> packages/widget/.env
- echo "VITE_REOWN_PROJECT_ID=$VITE_REOWN_PROJECT_ID" >> packages/widget/.env
- echo "VITE_MORALIS_API_KEY=$VITE_MORALIS_API_KEY" >> packages/widget/.env
build:
commands:
- pnpm build:widget
artifacts:
baseDirectory: packages/widget/dist
files:
- "**/*"
cache:
paths:
- node_modules/**/*
- appRoot: packages/dashboard
frontend:
buildPath: "/" # install and build from the monorepo root
phases:
preBuild:
commands:
- curl https://mise.run | MISE_VERSION=v2026.5.6 sh
- export PATH="$HOME/.local/bin:$PATH"
- export PATH="$HOME/.local/share/mise/shims:$PATH"
- mise install
- pnpm install --frozen-lockfile
- echo "VITE_PERPS_BASE_URL=$VITE_PERPS_BASE_URL" >> packages/dashboard/.env
- echo "VITE_PERPS_API_KEY=$VITE_PERPS_API_KEY" >> packages/dashboard/.env
- echo "VITE_REOWN_PROJECT_ID=$VITE_REOWN_PROJECT_ID" >> packages/dashboard/.env
- echo "VITE_MORALIS_API_KEY=$VITE_MORALIS_API_KEY" >> packages/dashboard/.env
build:
commands:
- pnpm build:dashboard
artifacts:
baseDirectory: packages/dashboard/dist
files:
- "**/*"
cache:
paths:
- node_modules/**/*
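Review bot: the preBuild commands write VITE_PERPS_API_KEY and VITE_MORALIS_API_KEY into packages/widget/.env and packages/dashboard/.env, and Vite inlines every VITE_-prefixed variable into the browser bundle, so both keys ship to every visitor of the built widget and dashboard. Confirm they are publishable keys scoped by origin or quota rather than server-side secrets; a key that must stay private belongs behind a backend endpoint, not in a VITE_ variable. Separately, curl https://mise.run | MISE_VERSION=v2026.5.6 sh runs unverified remote code in the build (same point as on ci.yml), and the two application blocks differ only in the package path, which a shared script called with the path as an argument would collapse.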
37 changes: 37 additions & 0 deletions mise.lock


5 changes: 2 additions & 3 deletions mise.toml
@@ -1,4 +1,3 @@
[tools]

node="24"
pnpm="10"
node = "24.15.0"
"npm:pnpm" = "10.33.2"
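Review bot: moving from the floating node="24" and pnpm="10" to exact versions, with pnpm coming from the npm: backend, makes the toolchain reproducible across ci.yml and amplify.yml, but the guarantee now rests on the mise.lock added in this PR, which is not rendered here. Confirm that the lockfile records checksums for both node 24.15.0 and npm:pnpm 10.33.2 and that mise install in both pipelines honours it, so a tampered or replaced download fails the build rather than being installed.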
8 changes: 0 additions & 8 deletions vercel.json

This file was deleted.