Skip to content

Set up Oxygen deployment workflow file#161

Closed
shopify[bot] wants to merge 1 commit intomainfrom
shopify-setup-oxygen-workflow-8yo4
Closed

Set up Oxygen deployment workflow file#161
shopify[bot] wants to merge 1 commit intomainfrom
shopify-setup-oxygen-workflow-8yo4

Conversation

@shopify
Copy link
Copy Markdown

@shopify shopify bot commented Apr 3, 2026

Warning

If you've previously made customizations to your Oxygen workflow file, then this PR might overwrite them. Be sure to review all changes before merging.

Automatic deployments with Hydrogen and Oxygen

This pull request adds a workflow file that enables GitHub to automatically deploy your Hydrogen app each time you push or merge changes.

Pushes to your main branch deploy to your production environment. Pushes to any other branch deploy to your preview environment:

Git branch Environment URL
main Production https://hydrogen-contentstack-demo-a49b04942340461e133e.o2.myshopify.dev
(All other branches) Preview {hash}.myshopify.dev

You can also create your own custom environments (like "Staging" or "QA") and assign them to your own custom domains.

Developing locally 💻

After you’ve cloned your project, install the dependencies and run the local development server:

npm install && npm run dev

Link your local development environment to your Shopify store to render your product inventory data:

npx shopify hydrogen link --storefront "Hydrogen Contentstack Demo"

Linking your project automatically keeps your local environment variables in sync with Oxygen, allows you to query your store data, and lets you create deployments from the command line at any time. Check the complete list of Hydrogen CLI for a complete list of features.

@shopify shopify bot requested a review from a team as a code owner April 3, 2026 11:35
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 3, 2026

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type Count (with fixes) Without fixes Threshold Result
🔴 Critical Severity 6 0 10 ✅ Passed
🟠 High Severity 14 17 25 ✅ Passed
🟡 Medium Severity 29 17 500 ✅ Passed
🔵 Low Severity 0 0 1000 ✅ Passed

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

Severity Breaches (with fixes) Breaches (no fixes) SLA Threshold (with/no fixes) Status
🔴 Critical 6 0 15 / 30 days ❌ Failed
🟠 High 4 0 30 / 120 days ❌ Failed
🟡 Medium 0 0 90 / 365 days ✅ Passed
🔵 Low 0 0 180 / 365 days ✅ Passed

🔴 Critical Severity - SLA Breached Issues (with fixes)

Showing 6 issue(s) that have exceeded the 15-day SLA threshold:

  1. Prototype Pollution

    • ID: SNYK-JS-IMMUTABLE-15423650
    • Package: immutable@3.7.6
    • Published: 29 days ago (SLA: 15 days)
    • CVSS Score: 9.3
    • CVE: CVE-2026-29063

  2. Prototype Pollution

    • ID: SNYK-JS-IMMUTABLE-15423650
    • Package: immutable@3.7.6
    • Published: 29 days ago (SLA: 15 days)
    • CVSS Score: 9.3
    • CVE: CVE-2026-29063

  3. Prototype Pollution

    • ID: SNYK-JS-IMMUTABLE-15423650
    • Package: immutable@3.7.6
    • Published: 29 days ago (SLA: 15 days)
    • CVSS Score: 9.3
    • CVE: CVE-2026-29063

  4. Prototype Pollution

    • ID: SNYK-JS-IMMUTABLE-15423650
    • Package: immutable@3.7.6
    • Published: 29 days ago (SLA: 15 days)
    • CVSS Score: 9.3
    • CVE: CVE-2026-29063

  5. Prototype Pollution

    • ID: SNYK-JS-IMMUTABLE-15423650
    • Package: immutable@3.7.6
    • Published: 29 days ago (SLA: 15 days)
    • CVSS Score: 9.3
    • CVE: CVE-2026-29063

  6. Prototype Pollution

    • ID: SNYK-JS-IMMUTABLE-15423650
    • Package: immutable@3.7.6
    • Published: 29 days ago (SLA: 15 days)
    • CVSS Score: 9.3
    • CVE: CVE-2026-29063

🟠 High Severity - SLA Breached Issues (with fixes)

Showing 4 issue(s) that have exceeded the 30-day SLA threshold:

  1. Prototype Pollution

    • ID: SNYK-JS-AXIOS-15252993
    • Package: axios@1.13.2
    • Published: 52 days ago (SLA: 30 days)
    • CVSS Score: 8.7
    • CVE: CVE-2026-25639

  2. Regular Expression Denial of Service (ReDoS)

    • ID: SNYK-JS-MINIMATCH-15309438
    • Package: minimatch@9.0.5
    • Published: 43 days ago (SLA: 30 days)
    • CVSS Score: 8.7
    • CVE: CVE-2026-26996

  3. Regular Expression Denial of Service (ReDoS)

    • ID: SNYK-JS-MINIMATCH-15353387
    • Package: minimatch@9.0.5
    • Published: 36 days ago (SLA: 30 days)
    • CVSS Score: 8.7
    • CVE: CVE-2026-27904

  4. Inefficient Algorithmic Complexity

    • ID: SNYK-JS-MINIMATCH-15353389
    • Package: minimatch@9.0.5
    • Published: 36 days ago (SLA: 30 days)
    • CVSS Score: 8.7
    • CVE: CVE-2026-27903

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

  • Critical without fixes: 0
  • High without fixes: 17
  • Medium without fixes: 17
  • Low without fixes: 0

❌ BUILD FAILED - Security checks failed

Please review and fix the security vulnerabilities before merging.

@shopify
Copy link
Copy Markdown
Author

shopify bot commented Apr 3, 2026

Oxygen deployed a preview of your shopify-setup-oxygen-workflow-8yo4 branch. Details:

Storefront Status Preview link Deployment details Last update (UTC)
Hydrogen Contentstack Demo ❌ Error (Logs) - Inspect deployment April 3, 202611:36 AM

Learn more about Hydrogen's GitHub integration.

@sankartn sankartn closed this Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sankartn