Skip to content

Your feature branchIntegrate Firebase CI + Docker Node Setup + Initial Bot Scaffolding #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xpertforextradeinc wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Your feature branchIntegrate Firebase CI + Docker Node Setup + Initial Bot Scaffolding #30

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
51a3911
Create azure-webapps-node.yml
xpertforextradeinc Aug 15, 2025
34e7eea
Create index-alt.html for alternate landing page layout
xpertforextradeinc Aug 15, 2025
e8c659f
Create dashboard.php
xpertforextradeinc Aug 15, 2025
6f5a626
Update gcp-auth.yml
xpertforextradeinc Aug 15, 2025
63e7e70
Create firebase-deploy.yml
xpertforextradeinc Aug 15, 2025
b96bcb1
Merge branch 'boostlink-creatorh:main' into main
xpertforextradeinc Aug 21, 2025
160acd1
Create .yaml
xpertforextradeinc Aug 22, 2025
9531f28
Merge branch 'boostlink-creatorh:main' into main
xpertforextradeinc Aug 22, 2025
067ccb3
Integrate Node.js setup in Docker CI workflow
xpertforextradeinc Aug 28, 2025
6e49eb4
Add initial bot.py structure and directories
xpertforextradeinc Sep 1, 2025
6192edf
Update .github/workflows/firebase-deploy.yml
xpertforextradeinc Sep 4, 2025
e3d55d4
Update index-alt.html
xpertforextradeinc Sep 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions .github/workflows/azure-webapps-node.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: πŸ”₯ Firebase Hosting Deploy

on:
push:
branches: [main]
workflow_dispatch:

permissions:
id-token: write
contents: read

jobs:
firebase-deploy:
name: πŸš€ Deploy to Firebase Hosting
runs-on: ubuntu-latest

steps:
- name: πŸ“¦ Checkout repo
uses: actions/checkout@v4

- name: πŸ” Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
workload_identity_provider: "projects/491439791457/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
service_account: "[email protected]"

- name: πŸ› οΈ Install Firebase CLI
run: npm install -g firebase-tools

- name: πŸš€ Deploy to Firebase Hosting
run: firebase deploy --only hosting --project xpert-forex-trade
Comment on lines +24 to +31
Copy link

Copilot AI Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoded GCP project details should be moved to GitHub secrets for security. Use ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} and ${{ secrets.GCP_SERVICE_ACCOUNT }} instead of hardcoded values.

Suggested change
workload_identity_provider: "projects/491439791457/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
service_account: "[email protected]"
- name: πŸ› οΈ Install Firebase CLI
run: npm install -g firebase-tools
- name: πŸš€ Deploy to Firebase Hosting
run: firebase deploy --only hosting --project xpert-forex-trade
workload_identity_provider: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
service_account: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
- name: πŸ› οΈ Install Firebase CLI
run: npm install -g firebase-tools
- name: πŸš€ Deploy to Firebase Hosting
run: firebase deploy --only hosting --project ${{ secrets.GCP_PROJECT_ID }}

Copilot uses AI. Check for mistakes.
24 changes: 24 additions & 0 deletions .github/workflows/docker-image.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
- name: Setup Node.js environment
uses: actions/[email protected]
with:
# Set always-auth in npmrc.
always-auth: # optional, default is false
# Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0.
node-version: # optional
# File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions.
node-version-file: # optional
# Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default.
architecture: # optional
# Set this option if you want the action to check for the latest available version that satisfies the version spec.
check-latest: # optional
# Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN.
registry-url: # optional
# Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/).
scope: # optional
# Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
# Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm.
cache: # optional
# Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.
cache-dependency-path: # optional

Comment on lines +1 to +24
Copy link

Copilot AI Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow file contains only a single action step without proper YAML structure. It's missing the workflow name, trigger events, and job definition. Consider restructuring as a complete workflow or removing if it's meant to be a template.

Suggested change
- name: Setup Node.js environment
uses: actions/[email protected]
with:
# Set always-auth in npmrc.
always-auth: # optional, default is false
# Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0.
node-version: # optional
# File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions.
node-version-file: # optional
# Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default.
architecture: # optional
# Set this option if you want the action to check for the latest available version that satisfies the version spec.
check-latest: # optional
# Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN.
registry-url: # optional
# Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/).
scope: # optional
# Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
# Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm.
cache: # optional
# Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.
cache-dependency-path: # optional
name: Build and Setup Node.js
on:
push:
branches:
- main
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Setup Node.js environment
uses: actions/[email protected]
with:
# Set always-auth in npmrc.
always-auth: # optional, default is false
# Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0.
node-version: # optional
# File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions.
node-version-file: # optional
# Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default.
architecture: # optional
# Set this option if you want the action to check for the latest available version that satisfies the version spec.
check-latest: # optional
# Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN.
registry-url: # optional
# Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/).
scope: # optional
# Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
# Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm.
cache: # optional
# Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.
cache-dependency-path: # optional

Copilot uses AI. Check for mistakes.
19 changes: 19 additions & 0 deletions .github/workflows/firebase-deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: Firebase Deploy

on:
push:
branches:
- main

jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- run: npm ci
- run: npm run build
- run: npx firebase deploy --only hosting
24 changes: 6 additions & 18 deletions .github/workflows/gcp-auth.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,14 @@
name: GCP Auth Test
name: GCP Auth Setup

on:
workflow_dispatch:

permissions:
id-token: write
contents: read

jobs:
auth:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
workload_identity_provider: "projects/491439791457/locations/global/workloadIdentityPools/ci-pool-github-actions/providers/github"
service_account: "github-action-xpert-forex-trad@xpert-forex-trade.iam.gserviceaccount.com"

- name: Verify identity
run: |
gcloud auth list
- name: Authenticate with GCP
uses: google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
18 changes: 18 additions & 0 deletions .yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
## Cloudflare Endpoint Schema Upload

**Location**: `intlhub.org β†’ Security β†’ Web Assets β†’ Endpoint Management β†’ Upload Schema`

**Accepted Formats**: `.yml`, `.yaml`, `.json`

**Schema Requirements**:
- OpenAPI or Swagger spec
- Define paths, methods, parameters, responses

**Security Behavior**:
- Matches traffic to schema
- Blocks or logs non-compliant requests

**Recommended**:
- Include contributor metadata in schema comments
- Version your schema for audit clarity
- Validate with PITR enabled for rollback protection
Comment on lines +1 to +18
Copy link

@gemini-code-assist gemini-code-assist bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This file is named with a .yaml extension, but its content is formatted as Markdown documentation, not as valid YAML. This can be misleading for developers and any tools that might try to parse it. Please consider renaming this file to something like cloudflare_schema_guide.md to accurately reflect its content and purpose.

29 changes: 29 additions & 0 deletions app/Views/dashboard.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
<?php include 'header.php'; ?>
<div class="container mt-5">
<h2 class="mb-4">Welcome, <?= $_SESSION['username']; ?>!</h2>
Copy link

@gemini-code-assist gemini-code-assist bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The user's name is directly rendered from the session without any output escaping. This is a critical Cross-Site Scripting (XSS) vulnerability. If a username contains malicious HTML or JavaScript, it will be executed in the browser. You should always escape dynamic data rendered in HTML. The PR description mentions this is pending, but it's crucial to address it before merging.1

  <h2 class="mb-4">Welcome, <?= htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?>!</h2>

Style Guide References

Footnotes

  1. OWASP Top 10 recommends sanitizing all user-controllable data to prevent XSS attacks. Using functions like htmlspecialchars() is a standard practice in PHP for this purpose. ↩


<div class="row">
<div class="col-md-6">
<h4>Open Trades</h4>
<ul class="list-group">
<?php foreach ($openTrades as $trade): ?>
<li class="list-group-item">
<?= $trade['pair']; ?> - <?= $trade['direction']; ?> - $<?= $trade['amount']; ?>
Copy link

@gemini-code-assist gemini-code-assist bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The data for open trades is rendered without escaping, which poses a Cross-Site Scripting (XSS) risk. Any data that originates from the database and could have been influenced by user input should be treated as untrusted. Please escape all variables before outputting them to the page.1

            <?= htmlspecialchars($trade['pair'], ENT_QUOTES, 'UTF-8'); ?> - <?= htmlspecialchars($trade['direction'], ENT_QUOTES, 'UTF-8'); ?> - $<?= htmlspecialchars($trade['amount'], ENT_QUOTES, 'UTF-8'); ?>

Style Guide References

Footnotes

  1. OWASP Top 10 recommends sanitizing all user-controllable data to prevent XSS attacks. Using functions like htmlspecialchars() is a standard practice in PHP for this purpose. ↩

Copy link

Copilot AI Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User data is being output without proper escaping, creating potential XSS vulnerabilities. Use htmlspecialchars() to escape output: - - $

Suggested change
<?= $trade['pair']; ?> - <?= $trade['direction']; ?> - $<?= $trade['amount']; ?>
<?= htmlspecialchars($trade['pair']); ?> - <?= htmlspecialchars($trade['direction']); ?> - $<?= htmlspecialchars($trade['amount']); ?>

Copilot uses AI. Check for mistakes.
</li>
<?php endforeach; ?>
</ul>
</div>

<div class="col-md-6">
<h4>Trade History</h4>
<ul class="list-group">
<?php foreach ($tradeHistory as $trade): ?>
<li class="list-group-item">
<?= $trade['pair']; ?> - <?= $trade['type']; ?> - <?= $trade['created_at']; ?>
Copy link

@gemini-code-assist gemini-code-assist bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Similar to the open trades list, the trade history data is outputted without escaping. This is also a Cross-Site Scripting (XSS) vulnerability. All dynamic data should be escaped to prevent malicious script execution.1

            <?= htmlspecialchars($trade['pair'], ENT_QUOTES, 'UTF-8'); ?> - <?= htmlspecialchars($trade['type'], ENT_QUOTES, 'UTF-8'); ?> - <?= htmlspecialchars($trade['created_at'], ENT_QUOTES, 'UTF-8'); ?>

Style Guide References

Footnotes

  1. OWASP Top 10 recommends sanitizing all user-controllable data to prevent XSS attacks. Using functions like htmlspecialchars() is a standard practice in PHP for this purpose. ↩

Copy link

Copilot AI Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User data is being output without proper escaping, creating potential XSS vulnerabilities. Use htmlspecialchars() to escape output: - -

Suggested change
<?= $trade['pair']; ?> - <?= $trade['type']; ?> - <?= $trade['created_at']; ?>
<?= htmlspecialchars($trade['pair']); ?> - <?= htmlspecialchars($trade['type']); ?> - <?= htmlspecialchars($trade['created_at']); ?>

Copilot uses AI. Check for mistakes.
</li>
<?php endforeach; ?>
</ul>
</div>
</div>
</div>
<?php include 'footer.php'; ?>
8 changes: 8 additions & 0 deletions bot.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
xpert_telegram_bot/
β”œβ”€β”€ bot.py ← Paste this code here
β”œβ”€β”€ handlers/
β”œβ”€β”€ config/
β”œβ”€β”€ logs/
β”œβ”€β”€ .env
β”œβ”€β”€ requirements.txt
└── diagnostics.py
Comment on lines +1 to +8
Copy link

@gemini-code-assist gemini-code-assist bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This file appears to contain a text representation of the directory structure instead of Python code for the bot. The file should contain the actual bot implementation. This seems to be a placeholder that was committed by mistake.

Comment on lines +1 to +8
Copy link

Copilot AI Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file contains a directory structure outline instead of actual Python code. The bot.py file should contain the implementation of the Telegram bot, not ASCII art of the folder structure.

Copilot uses AI. Check for mistakes.
27 changes: 27 additions & 0 deletions index-alt.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Xpert-Forex-Tradex</title>
<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<div class="container-fluid">
<a class="navbar-brand" href="#">Xpert-Forex-Tradex</a>
</div>
</nav>

<div class="container mt-5 text-center">
<h1>Welcome to Xpert-Forex-Tradex</h1>
<p class="lead">Your gateway to smarter trading insights and transparent onboarding.</p>
<a href="login.php" class="btn btn-primary">Login</a>
<a href="register.php" class="btn btn-outline-primary">Register</a>
</div>

<footer class="bg-light text-center mt-5 p-3">
<small>&copy; <?= date('Y'); ?> Xpert-Forex-Tradex. All rights reserved.</small>
Copy link

@gemini-code-assist gemini-code-assist bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This HTML file contains a PHP short tag <?= date('Y'); ?> to display the current year. Standard web servers do not process .html files as PHP, so this tag will be displayed as literal text in the browser.

To fix this, you can use JavaScript to dynamically set the year. You can replace the line with the suggested code and add the following script tag just before the closing </body> tag:

<script>
  document.getElementById('year').textContent = new Date().getFullYear();
</script>

Alternatively, if this page is intended to be dynamic, consider renaming it to index-alt.php.

    <small>&copy; <span id="year"><?= date('Y'); ?></span> Xpert-Forex-Tradex. All rights reserved.</small>

</footer>
</body>
</html>