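# Builds the static ROM Mirror site, generates js/config.js from repository
# secrets, and publishes the result to GitHub Pages (overspend.cloud).
#
# Security notes for maintainers:
# - js/config.js is part of the published site, so DRIVE_API_KEY is readable
#   by every visitor once deployed. Treat it as a public key and restrict it
#   on the provider side (allowed HTTP referrers, Drive API only).
# - Actions below are referenced by mutable major-version tags. Pinning each
#   `uses:` to a full commit SHA guards against a retagged release.
name: Deploy ROM Mirror Portfolio to overspend.cloud

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  workflow_dispatch:

# Workflow-wide default is read-only. Jobs that need more request it
# themselves, so only the deploy job holds pages: write and id-token: write.
permissions:
  contents: read

concurrency:
  group: "pages"
  cancel-in-progress: false

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Assumed sufficient for configure-pages, which looks up the Pages site;
      # widen only if that step reports a permission error.
      pages: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step pushes, so do not leave the token in .git/config.
          persist-credentials: false

      # Secrets are written to disk only on runs that can actually deploy.
      # Pull-request runs have a refs/pull/... ref and skip this step, so
      # proposed changes are never built alongside the real credentials.
      - name: Create secure config file
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
        run: |
          echo "Creating secure configuration..."
          cat > js/config.js << 'EOF'
          // ROM Mirror Configuration - Generated by GitHub Actions
          // This file contains secure credentials and is not committed to git
          // Deployed to: overspend.cloud

          window.ROM_MIRROR_CONFIG = {
              DRIVE_API_KEY: "${{ secrets.DRIVE_API_KEY }}",
              DRIVE_FOLDER_ID: "${{ secrets.DRIVE_FOLDER_ID }}",

              // Domain configuration
              DOMAIN: "overspend.cloud",

              // Optional configuration
              MAX_RETRIES: 3,
              CACHE_DURATION: 300000,

              // File type icons mapping
              FILE_ICONS: {
                  "zip": "icon-zip",
                  "img": "icon-image",
                  "iso": "icon-image",
                  "apk": "icon-file",
                  "txt": "icon-file",
                  "md": "icon-file",
                  "rar": "icon-zip",
                  "7z": "icon-zip"
              },

              // User messages
              MESSAGES: {
                  LOADING: "Loading ROM files from Google Drive...",
                  ERROR: "Failed to connect to Google Drive. Please check your configuration.",
                  NO_FILES: "No ROM files found in this folder.",
                  DOWNLOAD_SUCCESS: "Download started successfully!",
                  SECURITY_OK: "Secure connection to overspend.cloud verified"
              }
          };

          // Production environment indicator
          window.ROM_MIRROR_CONFIG.ENVIRONMENT = "production";
          window.ROM_MIRROR_CONFIG.BUILD_TIME = "${{ github.run_number }}";
          window.ROM_MIRROR_CONFIG.COMMIT_SHA = "${{ github.sha }}";
          window.ROM_MIRROR_CONFIG.DEPLOY_DOMAIN = "overspend.cloud";
          EOF

      # Guarded by the same condition as the step above; otherwise the check
      # would fail on runs where no config file is generated.
      - name: Verify config file creation
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
        run: |
          echo "Verifying config file exists..."
          if [ -f "js/config.js" ]; then
            echo "✅ Config file created successfully"
            echo "File size: $(wc -c < js/config.js) bytes"
          else
            echo "❌ Config file creation failed"
            exit 1
          fi

      - name: Setup Pages
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
        uses: actions/configure-pages@v4

      # Uploads the whole workspace, generated js/config.js included.
      - name: Upload artifact
        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
        uses: actions/upload-pages-artifact@v3
        with:
          path: "."

  deploy:
    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    # The only job that may publish to Pages and mint an OIDC token.
    permissions:
      pages: write
      id-token: write
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4

  # Scans the committed tree, not the built artifact, for key material that
  # should only ever arrive through repository secrets. Runs independently of
  # build/deploy, so a failure here does not block a deployment.
  security-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Security audit
        run: |
          echo "🔍 Running security checks..."

          # Check for exposed secrets in code
          echo "Checking for exposed API keys..."
          if grep -r "AIzaSy" . --exclude-dir=.git --exclude-dir=.github --exclude="*.md" --exclude="deploy-to-repo.sh"; then
            echo "❌ Found potential exposed API keys!"
            exit 1
          else
            echo "✅ No exposed API keys found"
          fi

          # Check gitignore
          echo "Checking .gitignore configuration..."
          if grep -q "js/config.js" .gitignore; then
            echo "✅ Config file properly ignored"
          else
            echo "⚠️ Warning: config.js not in .gitignore"
          fi

          # Check for config template
          if [ -f "js/config.example.js" ]; then
            echo "✅ Config template exists"
          else
            echo "⚠️ Warning: config.example.js template missing"
          fi

          echo "🔐 Security check completed"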