-
-
Notifications
You must be signed in to change notification settings - Fork 22
160 lines (149 loc) · 5.48 KB
/
deploy-preview.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# Because C.I. jobs could expose secrets to malicious pull requsets,
# GitHub prevents (by default) exposing action secrets to pull requests
# from forks.
#
# This is great, however, the jobs that use the secrets are still useful on
# pull requests.
#
# To run a _trusted_ workflow, we can trigger it from an event from an _untrusted_
# workflow. This keeps the secrets out of reach from the fork, but still allows
# us to keep the utility of pull request preview deploys, browserstack running, etc.
# Normally, this _trusted_ behavior is offloaded by Cloudflare, Netlify, Vercel, etc
# -- their own workers are trusted and can push comments / updates to pull requests.
#
# We don't want to use their slower (and sometimes paid) hardware.
# When we use our own workflows, we can re-use the cache built from the PR
# (or elsewhere).
#
# To be *most* secure, you'd need to build all the artifacts in the PR,
# then upload them to then be downloaded in the trusted workflows.
# Trusted workflows should not run any scripts from a PR, as malicious
# submitters may tweak the build scripts.
# Since all build artifacts are for the web browser, and not executed in
# node-space, we can be reasonably confident that downloading and testing/deploying
# those artifacts does not compromise our secrets.
#
#
# More information here:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
# Things that would make this easier:
# Readablity: https://github.com/actions/download-artifact/issues/172
# Security:
# - if there was a way to avoid pnpm install *entirely*
name: Deploy Preview
# read-write repo token
# access to secrets
on:
workflow_run:
workflows: ["CI"]
types:
# as early as possible
- requested
concurrency:
group: deploy-preview-${{ github.event.workflow_run.pull_requests[0].number }}
cancel-in-progress: true
env:
TURBO_API: http://127.0.0.1:9080
TURBO_TOKEN: this-is-not-a-secret
TURBO_TEAM: myself
jobs:
# This is the only job that needs access to the source code
Build:
runs-on: ubuntu-latest
timeout-minutes: 15
needs: [determinePR]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.workflow_run.head_branch }}
- name: TurboRepo local server
uses: felixmosh/turborepo-gh-artifacts@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- uses: wyvox/action-setup-pnpm@v3
- run: pnpm turbo build
- uses: actions/upload-artifact@v4
with:
name: deploy-prep-dist
if-no-files-found: error
path: |
./apps/**/dist/**/*
!node_modules/
!./**/node_modules/
#################################################################
# For the rest:
# Does not checkout code, has access to secrets
#################################################################
determinePR:
# this job gates the others -- if the workflow_run request did not come from a PR,
# exit as early as possible
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request'
outputs:
number: ${{ steps.number.outputs.pr-number }}
steps:
- run: echo "${{ toJSON(github.event.workflow_run) }}"
- run: echo "${{ github.event.workflow_run.pull_requests[0].number }}"
id: number
DeployPreview_Tutorial:
name: "Deploy: Preview"
runs-on: ubuntu-latest
timeout-minutes: 15
needs: [Build]
permissions:
contents: read
deployments: write
outputs:
tutorialUrl: ${{ steps.deploy.outputs.url }}
steps:
- uses: actions/download-artifact@v4
name: deploy-prep-dist
- id: deploy
uses: cloudflare/[email protected]
with:
branch: ${{ github.event.workflow_run.head_branch }}
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
projectName: limber-glimmer-tutorial
directory: ./deploy-prep-dist/tutorial/dist
gitHubToken: ${{ secrets.GITHUB_TOKEN }}
DeployPreview_Limber:
name: "Deploy: Preview"
runs-on: ubuntu-latest
timeout-minutes: 15
needs: [Build]
permissions:
contents: read
deployments: write
outputs:
limberUrl: ${{ steps.deploy.outputs.url }}
steps:
- uses: actions/download-artifact@v4
name: deploy-prep-dist
- id: deploy
uses: cloudflare/[email protected]
with:
branch: ${{ github.event.workflow_run.head_branch }}
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
projectName: limber-glimdown
directory: ./deploy-prep-dist/repl/dist
gitHubToken: ${{ secrets.GITHUB_TOKEN }}
PostComment:
name: Post Preview URL as comment to PR
runs-on: ubuntu-latest
needs: [DeployPreview_Limber, DeployPreview_Tutorial, determinePR]
permissions:
pull-requests: write
steps:
- uses: marocchino/sticky-pull-request-comment@v2
with:
header: preview-urls
number: ${{ github.event.workflow_run.pull_requests[0].number }}
message: |+
| Project | Preview URL |
| ------- | ----------- |
| Limber | ${{ needs.DeployPreview_Limber.outputs.limberUrl }} |
| Tutorial | ${{ needs.DeployPreview_Tutorial.outputs.tutorialUrl }} |
[Logs](https://github.com/NullVoxPopuli/limber/actions/runs/${{ github.run_id }})