Skip to content

Harden Vercel production deploy path#2

Open
prophetto1 wants to merge 1 commit intomasterfrom
codex/vercel-deploy-hardening
Open

Harden Vercel production deploy path#2
prophetto1 wants to merge 1 commit intomasterfrom
codex/vercel-deploy-hardening

Conversation

@prophetto1
Copy link
Copy Markdown
Owner

@prophetto1 prophetto1 commented Apr 18, 2026
edited by coderabbitai Bot
Loading

Summary

  • disable direct Vercel Git deployments for master in web/vercel.json
  • make the production deploy workflow capture the deployment URL and smoke-check both the deployment and https://blockdata.run
  • extend the workflow contract test so this topology cannot be silently removed

Verification

ode --test scripts/tests/vercel-web-deploy-workflow.test.mjs

Why this matters

This forces production to flow through the repo-owned GitHub Actions path instead of letting Vercel auto-build master directly.

Summary by CodeRabbit

  • Chores
    • Enhanced deployment workflow with automated smoke checks that verify production environment health and detect deployment failures.
    • Updated deployment configuration to ensure master branch deployments are controlled through the CI/CD pipeline rather than automatic Git-triggered deployments.
    • Expanded test coverage to validate deployment workflow behavior and configuration integrity.

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 18, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
blockdata Error Error Apr 18, 2026 10:05pm

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 18, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The pull request enhances the Vercel deployment workflow by capturing deployment output and adding automated smoke-checks to verify both the deployment URL and a fixed production URL return valid responses with expected content. Vercel configuration is updated to disable direct Git deployments on the master branch, enforcing use of the custom workflow instead. Tests are added to validate the new workflow behavior.

Changes

Cohort / File(s) Summary
Deployment Workflow
.github/workflows/vercel-web-deploy.yml		 Updated deployment step to capture output URL into steps.deploy.outputs.deployment_url. Added new smoke-check step that fetches both the deployment URL and fixed production URL (https://blockdata.run), verifies HTTP OK responses, and confirms returned HTML contains <title>BlockData</title>.
Workflow Tests
scripts/tests/vercel-web-deploy-workflow.test.mjs		 Added test assertions to validate workflow captures deploy step output, sets PRODUCTION_URL, and verifies the production shell marker. Added contract test for web/vercel.json to confirm git.deploymentEnabled.master is false.
Vercel Configuration
web/vercel.json		 Added OpenAPI schema declaration. Introduced git.deploymentEnabled setting to disable deployments for master branch while preserving existing build output and routing configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hippity-hop, deployments now checked!
URLs verified, no reqs left unchecked,
With smoke and with schemas, the master's now tame,
BlockData deploys with production's grand name!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: hardening the Vercel production deployment path by disabling direct Git deployments, adding smoke-checks, and establishing workflow contracts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/vercel-deploy-hardening

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
.github/workflows/vercel-web-deploy.yml (1)

74-79: Add an explicit network timeout in smoke checks.

Line 74 currently relies on default fetch behavior. Adding a per-request timeout makes CI failures faster and more deterministic during external network stalls.

Suggested resilience tweak 
-            const response = await fetch(url, { redirect: 'follow' });
+            const response = await fetch(url, {
+              redirect: 'follow',
+              signal: AbortSignal.timeout(15_000),
+            });
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/vercel-web-deploy.yml around lines 74 - 79, The smoke
check uses fetch(url) without a timeout; add an AbortController-based
per-request timeout (e.g., 10s) and pass its signal into fetch so stalled
network calls get aborted; ensure you clear the timeout on success, and when
catching an abort/timeout convert it into a clear error (using label and url)
before throwing so CI fails fast and deterministically in the smoke check code
that references response, fetch, html, label, and url.
scripts/tests/vercel-web-deploy-workflow.test.mjs (1)

45-47: Tighten workflow contract assertions to prevent false positives.

Line 47 currently matches any BlockData token. Consider asserting the exact deploy-output wiring and exact HTML marker to make this contract harder to bypass accidentally.

Proposed test assertion hardening 
   assert.match(workflow, /vercel@latest deploy --prebuilt --prod/, 'workflow must deploy the prebuilt output');
   assert.match(workflow, /id:\s*deploy/, 'workflow must capture the production deploy step output');
+  assert.match(
+    workflow,
+    /DEPLOYMENT_URL:\s*\$\{\{\s*steps\.deploy\.outputs\.deployment_url\s*\}\}/,
+    'workflow must wire deploy output into smoke-check env',
+  );
   assert.match(workflow, /PRODUCTION_URL:\s*https:\/\/blockdata\.run/, 'workflow must smoke-check the official production domain');
-  assert.match(workflow, /BlockData/, 'workflow smoke verification must assert the production shell marker');
+  assert.match(
+    workflow,
+    /<title>BlockData<\/title>/,
+    'workflow smoke verification must assert the production HTML title marker',
+  );
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@scripts/tests/vercel-web-deploy-workflow.test.mjs` around lines 45 - 47, The
current loose assertion /BlockData/ can match many unintended places; tighten
the workflow assertions by making the deploy id and production output wiring
explicit and matching the exact HTML marker: in the test where you assert
against the workflow string (the three assert.match lines operating on the
workflow variable), change the deploy assertion to ensure the step id is exactly
"deploy" (e.g., match /id:\s*deploy\b/), assert the production output wiring by
matching the exact PRODUCTION_URL assignment or output key (e.g., match
/PRODUCTION_URL:\s*https:\/\/blockdata\.run\b/ or include the outputs key name
used in the workflow), and replace the loose /BlockData/ with an exact HTML
marker match such as /<div[^>]*>\s*BlockData\s*<\/div>/ so the test only passes
when the precise deploy output and page marker are present.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/vercel-web-deploy.yml:
- Around line 74-79: The smoke check uses fetch(url) without a timeout; add an
AbortController-based per-request timeout (e.g., 10s) and pass its signal into
fetch so stalled network calls get aborted; ensure you clear the timeout on
success, and when catching an abort/timeout convert it into a clear error (using
label and url) before throwing so CI fails fast and deterministically in the
smoke check code that references response, fetch, html, label, and url.

In `@scripts/tests/vercel-web-deploy-workflow.test.mjs`:
- Around line 45-47: The current loose assertion /BlockData/ can match many
unintended places; tighten the workflow assertions by making the deploy id and
production output wiring explicit and matching the exact HTML marker: in the
test where you assert against the workflow string (the three assert.match lines
operating on the workflow variable), change the deploy assertion to ensure the
step id is exactly "deploy" (e.g., match /id:\s*deploy\b/), assert the
production output wiring by matching the exact PRODUCTION_URL assignment or
output key (e.g., match /PRODUCTION_URL:\s*https:\/\/blockdata\.run\b/ or
include the outputs key name used in the workflow), and replace the loose
/BlockData/ with an exact HTML marker match such as
/<div[^>]*>\s*BlockData\s*<\/div>/ so the test only passes when the precise
deploy output and page marker are present.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 195da3a4-a1f6-45bf-896c-da46209ac404

📥 Commits

Reviewing files that changed from the base of the PR and between 5c68fe5 and 4e156c4.

📒 Files selected for processing (3)
  • .github/workflows/vercel-web-deploy.yml
  • scripts/tests/vercel-web-deploy-workflow.test.mjs
  • web/vercel.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@prophetto1