Deploy hosted web app from release workflow#2507
Deploy hosted web app from release workflow#2507juliusmarminge wants to merge 4 commits intomainfrom
Conversation
- Add Vercel release deployment and channel aliasing - Route app.t3.codes through middleware-based channel selection - Document hosted web release setup
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
github-actions
Bot
added
vouch:trusted
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
ApprovabilityVerdict: Needs human review This PR introduces a new feature with Vercel edge middleware for channel-based routing, new UI for channel switching, and new CI/CD deployment logic. New middleware handling request routing and cookie management represents significant new runtime behavior warranting human review. An unresolved comment also identifies a potential issue with URL path validation. You can customize Macroscope's approvability policy. Learn more. |
- Pass release version and hosted channel into the web build - Display the hosted update track in About for latest/nightly releases - Refresh release package versions before deployment
- Route channel changes through the hosted router so the cookie updates - Add URL-building coverage and document the release flow
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Exported constant never used in production code
- Updated SettingsPanels.tsx to import and use HOSTED_APP_CHANNEL_LABEL instead of deriving the label inline, giving the exported constant actual production usage.
Or push these changes by commenting:
@cursor push e243d403ad
Preview (e243d403ad)
diff --git a/apps/web/src/components/settings/SettingsPanels.tsx b/apps/web/src/components/settings/SettingsPanels.tsx
--- a/apps/web/src/components/settings/SettingsPanels.tsx
+++ b/apps/web/src/components/settings/SettingsPanels.tsx
@@ -13,7 +13,7 @@
import { DEFAULT_UNIFIED_SETTINGS } from "@t3tools/contracts/settings";
import { createModelSelection } from "@t3tools/shared/model";
import { Equal } from "effect";
-import { APP_VERSION, HOSTED_APP_CHANNEL } from "../../branding";
+import { APP_VERSION, HOSTED_APP_CHANNEL, HOSTED_APP_CHANNEL_LABEL } from "../../branding";
import {
canCheckForUpdate,
getDesktopUpdateButtonTooltip,
@@ -356,9 +356,7 @@
}}
>
<SelectTrigger className="w-full sm:w-40" aria-label="Update track">
- <SelectValue>
- {selectedHostedAppChannel === "nightly" ? "Nightly" : "Latest"}
- </SelectValue>
+ <SelectValue>{HOSTED_APP_CHANNEL_LABEL}</SelectValue>
</SelectTrigger>
<SelectPopup align="end" alignItemWithTrigger={false}>
<SelectItem hideIndicator value="latest">You can send follow-ups to the cloud agent here.
- Normalize router host comparisons with and without ports - Reject unsafe `next` values containing backslashes, colons, or control chars - Reuse the hosted channel label in settings
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Client URL builder produces paths middleware rejects
- Removed the redundant
value.includes(":")check fromsafeNextPathsince the existingstartsWith("/")andstartsWith("//")guards already prevent protocol-based attacks, and the colon check was incorrectly rejecting legitimate query strings and hash fragments.
- Removed the redundant
Or push these changes by commenting:
@cursor push 1d8e4354e3
Preview (1d8e4354e3)
diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -79,7 +79,6 @@
!value?.startsWith("/") ||
value.startsWith("//") ||
value.includes("\\") ||
- value.includes(":") ||
hasControlCharacter(value)
) {
return "/";You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit ad418ab. Configure here.
| readonly currentUrl?: URL | undefined; | ||
| }): string { | ||
| const currentUrl = input.currentUrl ?? new URL(window.location.href); | ||
| const nextPath = `${currentUrl.pathname}${currentUrl.search}${currentUrl.hash}` || "/"; |
There was a problem hiding this comment.
Client URL builder produces paths middleware rejects
Low Severity
buildHostedChannelSelectionUrl constructs nextPath by concatenating currentUrl.pathname, currentUrl.search, and currentUrl.hash. The middleware's safeNextPath rejects any value containing :. Since query strings and hash fragments can legitimately contain colons (e.g., a ?host=http://x:3773 param), the middleware will silently discard the return path and redirect to / instead of the user's current page. The colon check is redundant given the existing startsWith("/") and startsWith("//") guards which already prevent protocol-based attacks.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit ad418ab. Configure here.
1 participant
Summary
app.t3.codestraffic to the correct hosted channel based on a cookie or channel opt-in URL.apps/weband documents the release/deploy process and required environment setup.Testing
bun run test apps/web/middleware.test.tsbun fmtbun lintbun typecheckNote
Medium Risk
Adds a new release-time Vercel deployment job and Edge middleware-based request routing, which can affect production release automation and hosted web traffic routing/redirect behavior. Risk is mitigated by explicit env validation and added unit tests, but misconfiguration could break hosted channel access or announcements.
Overview
Automates hosted web deployments as part of releases. The release workflow now runs a
deploy_webjob after a successful GitHub Release to deployapps/webvia Vercel CLI, set build-time env (version + hosted channel), and alias the deployment to thelatest(stable) ornightlydomain; Discord announcements are gated on this deploy succeeding.Introduces hosted channel routing/switching for
app.t3.codes. Adds Vercel Edgemiddleware.tsthat rewrites router-host traffic to per-channel origins based on at3code_web_channelcookie and a/__t3code/channelopt-in endpoint (with safe internal-onlynextredirects), plus UI support to switch channels from the About panel and associated tests.Disables Vercel Git auto-deploy for the web app and documents the process.
apps/web/vercel.jsonturns off Git deployments,viteenv typing/config gainsVITE_HOSTED_APP_CHANNEL/APP_VERSIONwiring, anddocs/release.mddocuments required secrets/domains and the new deployment flow.Reviewed by Cursor Bugbot for commit ad418ab. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Deploy hosted web app to Vercel from the release workflow with channel routing
deploy_webjob to release.yml that runs after a successful release, buildsapps/web, and deploys to Vercel, aliasing the result to either thelatestornightlydomain based on release channel./\_\_t3code/channelsets a long-lived cookie and redirects, while all other paths are rewritten to the selected channel's origin (defaulting tolatest).HOSTED_APP_CHANNELandHOSTED_APP_CHANNEL_LABELfrom the branding module and adds a channel selector to the About panel in the hosted web app that navigates to the channel selection URL.deploy_webto succeed before firing.Macroscope summarized ad418ab.