Deploy Preview #6548
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Because C.I. jobs could expose secrets to malicious pull requsets, | |
# GitHub prevents (by default) exposing action secrets to pull requests | |
# from forks. | |
# | |
# This is great, however, the jobs that use the secrets are still useful on | |
# pull requests. | |
# | |
# To run a _trusted_ workflow, we can trigger it from an event from an _untrusted_ | |
# workflow. This keeps the secrets out of reach from the fork, but still allows | |
# us to keep the utility of pull request preview deploys, browserstack running, etc. | |
# Normally, this _trusted_ behavior is offloaded by Cloudflare, Netlify, Vercel, etc | |
# -- their own workers are trusted and can push comments / updates to pull requests. | |
# | |
# We don't want to use their slower (and sometimes paid) hardware. | |
# When we use our own workflows, we can re-use the cache built from the PR | |
# (or elsewhere). | |
# | |
# To be *most* secure, you'd need to build all the artifacts in the PR, | |
# then upload them to then be downloaded in the trusted workflows. | |
# Trusted workflows should not run any scripts from a PR, as malicious | |
# submitters may tweak the build scripts. | |
# Since all build artifacts are for the web browser, and not executed in | |
# node-space, we can be reasonably confident that downloading and testing/deploying | |
# those artifacts does not compromise our secrets. | |
# | |
# | |
# More information here: | |
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# | |
# Things that would make this easier: | |
# Readablity: https://github.com/actions/download-artifact/issues/172 | |
# Security: | |
# - if there was a way to avoid pnpm install *entirely* | |
name: Deploy Preview | |
# read-write repo token | |
# access to secrets | |
on: | |
workflow_run: | |
workflows: ["CI"] | |
types: | |
# as early as possible | |
- requested | |
concurrency: | |
group: deploy-preview-${{ github.event.workflow_run.pull_requests[0].number }} | |
cancel-in-progress: true | |
env: | |
TURBO_API: http://127.0.0.1:9080 | |
TURBO_TOKEN: this-is-not-a-secret | |
TURBO_TEAM: myself | |
jobs: | |
# This is the only job that needs access to the source code | |
Build: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
needs: [determinePR] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.workflow_run.head_branch }} | |
- name: TurboRepo local server | |
uses: felixmosh/turborepo-gh-artifacts@v2 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: wyvox/action-setup-pnpm@v3 | |
- run: pnpm turbo build | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: deploy-prep-dist | |
if-no-files-found: error | |
path: | | |
./apps/**/dist/**/* | |
!node_modules/ | |
!./**/node_modules/ | |
################################################################# | |
# For the rest: | |
# Does not checkout code, has access to secrets | |
################################################################# | |
determinePR: | |
# this job gates the others -- if the workflow_run request did not come from a PR, | |
# exit as early as possible | |
runs-on: ubuntu-latest | |
if: github.event.workflow_run.event == 'pull_request' | |
outputs: | |
number: ${{ steps.number.outputs.pr-number }} | |
steps: | |
- run: echo "${{ toJSON(github.event.workflow_run) }}" | |
- run: echo "${{ github.event.workflow_run.pull_requests[0].number }}" | |
id: number | |
DeployPreview_Tutorial: | |
name: "Deploy: Preview" | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
needs: [Build] | |
permissions: | |
contents: read | |
deployments: write | |
outputs: | |
tutorialUrl: ${{ steps.deploy.outputs.url }} | |
steps: | |
- uses: actions/download-artifact@v4 | |
name: deploy-prep-dist | |
- id: deploy | |
uses: cloudflare/[email protected] | |
with: | |
branch: ${{ github.event.workflow_run.head_branch }} | |
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
projectName: limber-glimmer-tutorial | |
directory: ./deploy-prep-dist/tutorial/dist | |
gitHubToken: ${{ secrets.GITHUB_TOKEN }} | |
DeployPreview_Limber: | |
name: "Deploy: Preview" | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
needs: [Build] | |
permissions: | |
contents: read | |
deployments: write | |
outputs: | |
limberUrl: ${{ steps.deploy.outputs.url }} | |
steps: | |
- uses: actions/download-artifact@v4 | |
name: deploy-prep-dist | |
- id: deploy | |
uses: cloudflare/[email protected] | |
with: | |
branch: ${{ github.event.workflow_run.head_branch }} | |
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
projectName: limber-glimdown | |
directory: ./deploy-prep-dist/repl/dist | |
gitHubToken: ${{ secrets.GITHUB_TOKEN }} | |
PostComment: | |
name: Post Preview URL as comment to PR | |
runs-on: ubuntu-latest | |
needs: [DeployPreview_Limber, DeployPreview_Tutorial, determinePR] | |
permissions: | |
pull-requests: write | |
steps: | |
- uses: marocchino/sticky-pull-request-comment@v2 | |
with: | |
header: preview-urls | |
number: ${{ github.event.workflow_run.pull_requests[0].number }} | |
message: |+ | |
| Project | Preview URL | | |
| ------- | ----------- | | |
| Limber | ${{ needs.DeployPreview_Limber.outputs.limberUrl }} | | |
| Tutorial | ${{ needs.DeployPreview_Tutorial.outputs.tutorialUrl }} | | |
[Logs](https://github.com/NullVoxPopuli/limber/actions/runs/${{ github.run_id }}) |