Skip to content
Hotfix Pipeline

fix(deps): upgrade vulnerable packages and pin all versions to exact #112

Sign in to view logs

fix(deps): upgrade vulnerable packages and pin all versions to exact

fix(deps): upgrade vulnerable packages and pin all versions to exact #112

Workflow file for this run

.github/workflows/hotfix.yml at 2435cee
name: Hotfix Pipeline
on:
push:
branches:
- 'hotfix/**'
- 'main' # When main receives hotfix merge
workflow_dispatch:
concurrency:
group: hotfix-${{ github.ref }}
cancel-in-progress: false
env:
DOTNET_VERSION: '10.x'
NODE_VERSION: '20'
jobs:
hotfix-validation:
name: Hotfix Validation
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Validate hotfix branch name
run: |
BRANCH_NAME=${GITHUB_REF#refs/heads/}
if ! echo "$BRANCH_NAME" | grep -qE '^hotfix/.+$'; then
echo "ERROR: Invalid hotfix branch name: $BRANCH_NAME"
echo "Expected format: hotfix/<description>"
exit 1
fi
echo "Hotfix branch: $BRANCH_NAME"
echo "HOTFIX_DESCRIPTION=$BRANCH_NAME" >> $GITHUB_ENV
- name: Verify base is main
run: |
# Hotfix should only come from main
if [ "$GITHUB_REF" == "refs/heads/main" ]; then
echo "Merging hotfix to main - expected"
fi
build-test:
name: Build & Test (Hotfix)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Restore & Build
run: |
dotnet restore src/apps/ums.api/Ums.sln
dotnet build src/apps/ums.api/Ums.sln --configuration Release --no-restore
- name: Run hotfix-related tests
run: |
dotnet test src/apps/ums.api/Ums.sln \
--configuration Release --no-build \
--logger "console;verbosity=minimal" \
--filter "Category=Hotfix"
- name: Run all tests
run: |
dotnet test src/apps/ums.api/Ums.sln --configuration Release --no-build --logger "console;verbosity=minimal"
npm ci
npx nx run-many --target=test --configuration=release
security-hotfix:
name: Security Scan (Hotfix)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Quick security scan
run: |
# Run critical security checks only
echo "Running critical security checks..."
# Secrets scan
echo "Checking for secrets..."
if grep -rE "(password|secret|api.?key)\s*[=:]\s*['\"][A-Za-z0-9]{20,}" src/ --include="*.cs" --include="*.ts" 2>/dev/null; then
echo "WARNING: Potential secret detected"
fi
- name: Run critical CodeQL checks
uses: github/codeql-action/init@v3
with:
languages: 'csharp,javascript-typescript'
queries: security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/hotfix:critical"
rollback-plan:
name: Rollback Plan
runs-on: ubuntu-latest
steps:
- name: Create rollback plan
run: |
echo "# Hotfix Rollback Plan" > rollback-plan.md
echo "" >> rollback-plan.md
echo "Hotfix: $HOTFIX_DESCRIPTION" >> rollback-plan.md
echo "Date: $(date -u)" >> rollback-plan.md
echo "Commit: $GITHUB_SHA" >> rollback-plan.md
echo "" >> rollback-plan.md
echo "## If Issues Detected After Merge" >> rollback-plan.md
echo "" >> rollback-plan.md
echo "### Option 1: Revert Commit" >> rollback-plan.md
echo "```bash" >> rollback-plan.md
echo "git revert $GITHUB_SHA" >> rollback-plan.md
echo "git push origin main" >> rollback-plan.md
echo "```" >> rollback-plan.md
echo "" >> rollback-plan.md
echo "### Option 2: Rollback to Previous Tag" >> rollback-plan.md
echo "```bash" >> rollback-plan.md
echo "git checkout main~1" >> rollback-plan.md
echo "git checkout -b rollback-branch" >> rollback-plan.md
echo "# fix issues" >> rollback-plan.md
echo "# merge back to main" >> rollback-plan.md
echo "```" >> rollback-plan.md
- name: Upload rollback plan
uses: actions/upload-artifact@v4
with:
name: hotfix-rollback-plan
path: rollback-plan.md
retention-days: 90
hotfix-gate:
name: Hotfix Approval Gate
runs-on: ubuntu-latest
needs: [hotfix-validation, build-test, security-hotfix]
if: always()
steps:
- name: Evaluate hotfix gates
run: |
FAILED=0
if [ "${{ needs.hotfix-validation.result }}" == "failure" ]; then
echo "❌ Hotfix validation failed"
FAILED=1
fi
if [ "${{ needs.build-test.result }}" == "failure" ]; then
echo "❌ Build or tests failed"
FAILED=1
fi
if [ "${{ needs.security-hotfix.result }}" == "failure" ]; then
echo "❌ Security scan failed"
FAILED=1
fi
if [ $FAILED -eq 1 ]; then
echo "Hotfix gates FAILED"
exit 1
fi
echo "✅ All hotfix gates passed"
echo ""
echo "Hotfix is ready to be merged to main and synced to develop"
merge-notification:
name: Merge Notification
runs-on: ubuntu-latest
needs: [hotfix-gate]
if: success()
steps:
- name: Display merge instructions
run: |
echo "# Hotfix Ready for Merge"
echo ""
echo "## Next Steps"
echo ""
echo "1. **Merge to main** (fast-forward if possible):"
echo " \`\`\`bash"
echo " git checkout main"
echo " git merge hotfix/$HOTFIX_DESCRIPTION"
echo " git push origin main"
echo " \`\`\`"
echo ""
echo "2. **Sync to develop**:"
echo " \`\`\`bash"
echo " git checkout develop"
echo " git merge main # or cherry-pick specific commits"
echo " git push origin develop"
echo " \`\`\`"
echo ""
echo "3. **Create Git tag if needed**:"
echo " \`\`\`bash"
echo " git tag -a v.patch -m 'Hotfix: $HOTFIX_DESCRIPTION'"
echo " git push origin v.patch"
echo " \`\`\`"