Add CI/CD pipeline: build and deploy to Firebase Hosting#2

Merged: schoedel-learn merged 2 commits into main from copilot/build-and-deploy-application on Apr 11, 2026

Copilot AI commented Apr 11, 2026

No build or deployment pipeline existed for this Angular SSR app.

Changes

firebase.json

  • Configures Firebase Hosting to serve from dist/app/browser
  • Rewrites all routes to index.html for Angular client-side routing
  • 1-year cache on JS/CSS assets (safe: production build uses content hashing via outputHashing: all)

.firebaserc

  • Binds project to gen-lang-client-0879285190 (pulled from existing firebase-applet-config.json)

.github/workflows/deploy.yml

  • Triggers on push to main and PRs targeting main
  • Builds with npm ci + npm run build, injecting OPENAI_API_KEY from secrets
  • PRs get a preview channel deploy with URL posted as a comment
  • Merges to main deploy to the live channel
  • GITHUB_TOKEN permissions scoped to contents: read + pull-requests: write

Required Secrets

| Secret | Purpose |
| --- | --- |
| FIREBASE_SERVICE_ACCOUNT | Service account JSON with Hosting deploy permissions — generate at Firebase Console → Project Settings → Service Accounts |
| OPENAI_API_KEY | Embedded at build time for OpenAI features (optional if not needed in production) |

Copilot AI changed the title [WIP] Build and deploy application Add CI/CD pipeline: build and deploy to Firebase Hosting Apr 11, 2026
Copilot AI requested a review from schoedel-learn April 11, 2026 11:36

@schoedel-learn schoedel-learn left a comment

Where do I add these secrets to GitHub?

Copilot AI commented Apr 11, 2026

> Where do I add these secrets to GitHub?

To add secrets to your GitHub repository:

  1. Go to your repository on GitHub: https://github.com/schoedel-learn/LXPython
  2. Click Settings (top tab)
  3. In the left sidebar, click Secrets and variables → Actions
  4. Click New repository secret
  5. Add each secret:
    • Name: FIREBASE_SERVICE_ACCOUNT
      Value: The JSON contents of your Firebase service account key. Generate it at Firebase Console → Project Settings → Service Accounts → click Generate new private key → copy the entire JSON file content
    • Name: OPENAI_API_KEY
      Value: Your OpenAI API key (if you want OpenAI features enabled in the production build)

Once FIREBASE_SERVICE_ACCOUNT is added, the workflow will be able to deploy to Firebase Hosting automatically on every push to main.

@schoedel-learn schoedel-learn marked this pull request as ready for review April 11, 2026 16:20
Copilot AI review requested due to automatic review settings April 11, 2026 16:20
@schoedel-learn schoedel-learn merged commit 351c20d into main Apr 11, 2026
4 checks passed

Copilot AI left a comment

Pull request overview

Adds an initial GitHub Actions CI/CD workflow to build the Angular app and deploy it to Firebase Hosting, along with Firebase Hosting project configuration.

Changes:

  • Added firebase.json Hosting configuration (public dir, SPA rewrites, caching headers).
  • Added .firebaserc to bind the repo to the target Firebase project.
  • Added .github/workflows/deploy.yml to build on pushes/PRs and deploy preview/live via action-hosting-deploy.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| firebase.json | Configures Firebase Hosting output directory, rewrites, and cache headers. |
| .github/workflows/deploy.yml | Defines the CI build + preview/live deploy workflow. |
| .firebaserc | Sets the default Firebase project ID for deployments. |

Comment thread firebase.json
Comment on lines +9 to +13
"rewrites": [
{
"source": "**",
"destination": "/index.html"
}

Copilot AI Apr 11, 2026

This Hosting config rewrites all requests to /index.html, which effectively deploys the app as a pure SPA. Since the app is configured for SSR (outputMode: "server" with an SSR entry in angular.json), this deployment will not run the server renderer (no rewrite to a Cloud Function/Cloud Run endpoint), so SSR won’t actually be used in production. Consider either (a) changing the Firebase rewrites to route all requests to an SSR backend (Functions/Run) or (b) switching the Angular build/deploy to a purely static build if SSR is not intended.

Copilot uses AI. Check for mistakes.
Comment thread firebase.json
"headers": [
{
"key": "Cache-Control",
"value": "max-age=31536000"

Copilot AI Apr 11, 2026

Cache-Control: max-age=31536000 is missing public (and typically immutable) for long-lived hashed assets. Without public, shared caches/CDNs may not cache as expected, reducing the benefit of the 1-year TTL. Consider setting the value to include public (and immutable if all these assets are content-hashed).

Suggested change
"value": "max-age=31536000"
"value": "public, max-age=31536000, immutable"

Comment on lines +34 to +35
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

Copilot AI Apr 11, 2026

Setting OPENAI_API_KEY as an env var for npm run build likely doesn’t do what the PR description claims: the build script is just ng build, and this repo appears to only pass OPENAI_API_KEY into Angular via --define (see the dev script), not via process env. If the intent is to actually inject the secret into the browser bundle, that would also publish the key to all clients (the app uses OpenAI in the browser with dangerouslyAllowBrowser: true). Consider removing this env var from the build, and instead route OpenAI calls through a server-side component where the key can remain secret (and if you truly need build-time defines, pass them explicitly and only for non-secret values).

Suggested change
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
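
A check a pipeline could run between `npm run build` and the deploy step to catch the case this comment describes, a key ending up in the files published from dist/app/browser. This is an added example, not code from the PR or the repository; the function names, the key patterns and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): gate the deploy on a scan of the files
# that Firebase Hosting would publish from dist/app/browser.

# Assumed patterns: the common "sk-..." API key shape and the PEM header
# found in a service account JSON key. Adjust to the secrets in use.
SECRET_PATTERNS='sk-[A-Za-z0-9_-]{20,}|-----BEGIN (RSA |EC )?PRIVATE KEY-----'

# scan_bundle DIR [LITERAL]
# Returns 0 when clean, 1 on a hit, 2 when DIR is missing. Reports only
# file:line, never the matched text, so the key is not copied into logs.
scan_bundle() {
  dir=$1
  literal=${2:-}
  if [ ! -d "$dir" ]; then
    echo "scan_bundle: no such directory: $dir" >&2
    return 2
  fi
  hits=$(grep -rEnI -e "$SECRET_PATTERNS" "$dir" | cut -d: -f1,2)
  if [ -n "$literal" ]; then
    # Exact-value check catches keys that do not fit the patterns above.
    exact=$(grep -rFnI -e "$literal" "$dir" | cut -d: -f1,2)
    hits=$(printf '%s\n%s\n' "$hits" "$exact" | sed '/^$/d' | sort -u)
  fi
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/possible secret in build output: /' >&2
    return 1
  fi
  return 0
}

# Constructed sample bundles for trying the function offline.
make_sample_bundle() {
  mkdir -p "$1/clean" "$1/leaky"
  echo 'console.log("no keys here");' > "$1/clean/main-ABC123.js"
  echo 'const k="sk-CONSTRUCTED0EXAMPLE0KEY0NOT0REAL";' > "$1/leaky/main-DEF456.js"
}
```

Sourced in a workflow step, `scan_bundle dist/app/browser` returns non-zero on a hit, which fails the job before anything is published.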

Comment on lines +37 to +44
- name: Deploy to Firebase Hosting (Preview)
if: github.event_name == 'pull_request'
uses: FirebaseExtended/action-hosting-deploy@v0
with:
repoToken: ${{ secrets.GITHUB_TOKEN }}
firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT }}
projectId: gen-lang-client-0879285190
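
Review bot: the `uses: FirebaseExtended/action-hosting-deploy@v0` line references the action by a tag, and this step passes it both `firebaseServiceAccount` and `repoToken`. A tag can be moved to point at different code, so pin the action to a full commit SHA (keeping the version in a trailing comment) so that the code receiving the service account key only changes when this workflow file changes.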


Copilot AI Apr 11, 2026

The preview deploy runs on every pull_request event, but FIREBASE_SERVICE_ACCOUNT (and other secrets) are not provided to workflows triggered from forked PRs, which will cause this job to fail for external contributors. Consider guarding the preview deploy step to only run for same-repo PRs (or otherwise handling forks explicitly) so CI stays green.
