Use SHA for untrusted actions #852

Merged
merged 1 commit into from
Jan 19, 2024
57 changes: 45 additions & 12 deletions .github/workflows/docs-deploy-surge.yml
@@ -1,32 +1,38 @@
# Use this starter workflow to deploy HTML generated by Antora to surge.sh
# Docs are published at <org>-<repo>-<deployid>.surge.sh
# By default, this workflow runs on completion of a workflow called "Verify PR"
#
# By default, this workflow runs on completion of a workflow called "Verify docs PR"
#
# This workflow expects the triggering workflow to generate an artifact called "docs"

# - update the reference to "docs" and "docs.zip" in this workflow if your triggering workflow generates an artifact with a different name
name: "Deploy to surge"

name: "Deploy docs preview"

on:
workflow_run:
workflows: ["Verify PR"]
workflows: ["Verify Docs PR"]
types:
- completed

jobs:
publish-docs:
# Uncomment this if statement to deploy only when the PR builds cleanly
# if: github.event.workflow_run.conclusion == 'success'

runs-on: ubuntu-latest

steps:
- name: "Download built documentation"
uses: actions/[email protected]
uses: actions/[email protected]
env:
RUN_ID: ${{ github.event.workflow_run.id }}
WORKSPACE: ${{ github.workspace }}
with:
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{ github.event.workflow_run.id }},
run_id: ${{ env.RUN_ID }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "docs"
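Review bot: moving `${{ github.event.workflow_run.id }}` out of the inline JavaScript and into `env: RUN_ID`, then reading it back as `run_id: ${{ env.RUN_ID }}`, is the right shape for a `github-script` step: the expression value is no longer spliced into script source as text, so a value that is not a bare integer can no longer alter the script. One documentation point: the header comment now reads `"Verify docs PR"` while `workflows:` lists `"Verify Docs PR"`; since `workflow_run` matches on the exact workflow name, the comment should use the same string. It would also help to state in the header that this workflow runs in the base repository with access to `secrets`, and that the `docs` artifact it downloads is produced by the PR's own run and must be treated as untrusted input.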
Expand All @@ -38,7 +44,7 @@ jobs:
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{ github.workspace }}/docs.zip', Buffer.from(download.data));
fs.writeFileSync('${{ env.WORKSPACE }}/docs.zip', Buffer.from(download.data));

- run: unzip docs.zip

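Review bot: replacing `${{ github.workspace }}` with `${{ env.WORKSPACE }}` in `fs.writeFileSync(...)` follows the same env-indirection pattern as `RUN_ID`; `github.workspace` is a runner path rather than PR-controlled data, so this is hygiene rather than a fix. The security-relevant line in this hunk is `- run: unzip docs.zip`: the archive comes from the PR's workflow run, so `./site`, `deployid` and `changelog` extracted from it are attacker-influenced. A one-line comment above the `unzip` saying so would help future maintainers keep the later integer check on `deployid` in place.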
Expand All @@ -47,6 +53,15 @@ jobs:
deployid=$(<deployid)
case "$deployid" in ''|*[!0-9]*) echo "Provided PR number is not an integer"; exit 1 ;; esac
echo "deploy-id=$deployid" >> "$GITHUB_OUTPUT"

- id: get-deploy-url
env:
ORG: ${{ github.event.repository.owner.login }}
REPO: ${{ github.event.repository.name }}
DEPLOYID: ${{ steps.get-deploy-id.outputs.deploy-id }}
run: |
deployurl=$ORG-$REPO-$DEPLOYID.surge.sh
echo "deploy-url=$deployurl" >> $GITHUB_OUTPUT

- uses: actions/setup-node@v3
with:
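Review bot: in the new `get-deploy-url` step, `echo "deploy-url=$deployurl" >> $GITHUB_OUTPUT` leaves `$GITHUB_OUTPUT` unquoted, whereas the step just above writes `>> "$GITHUB_OUTPUT"`; quote it for consistency. Otherwise the construction is sound: `ORG` and `REPO` come from `github.event.repository`, which the PR author does not control, and `DEPLOYID` has already passed the `case "$deployid" in ''|*[!0-9]*)` check, so `deployurl` can only take the form `<org>-<repo>-<integer>.surge.sh`.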
Expand All @@ -55,17 +70,35 @@ jobs:
- name: Deploy docs to surge
shell: bash
env:
DEPLOY_URL: ${{ steps.get-deploy-url.outputs.deploy-url }}
SURGE_TOKEN: "${{ secrets.DOCS_SURGE_TOKEN }}"
run: |
npm install -g surge
surge ./site ${{ github.event.repository.owner.login}}-${{ github.event.repository.name}}-${{ steps.get-deploy-id.outputs.deploy-id }}.surge.sh --token "$SURGE_TOKEN"
surge ./site $DEPLOY_URL --token "$SURGE_TOKEN"

- name: Comment on PR
uses: marocchino/sticky-pull-request-comment@v2
# If the PR artifacts include a changelog file, add it to the PR as a comment
# The changelog contains links to new and changed files in the deployed docs
- name: Comment on PR (changelog)
if: ${{ hashFiles('changelog') != '' }}
uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
with:
number: ${{ steps.get-deploy-id.outputs.deploy-id }}
recreate: true
header: docs-pr-changes
path: changelog
GITHUB_TOKEN: ${{ secrets.DOCS_PR_COMMENT_TOKEN }}

# If there's no changelog, add a generic comment to the PR
- name: Comment on PR (no changelog)
if: ${{ hashFiles('changelog') == '' }}
env:
DEPLOY_URL: ${{ steps.get-deploy-url.outputs.deploy-url }}
uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
with:
number: ${{ steps.get-deploy-id.outputs.deploy-id }}
header: docs-pr-changes
message: |
This PR includes documentation updates.
Looks like you've updated the documentation!

You can view the updated docs at https://${{ github.event.repository.owner.login}}-${{ github.event.repository.name}}-${{ steps.get-deploy-id.outputs.deploy-id }}.surge.sh
Check out your changes at https://${{ env.DEPLOY_URL }}
GITHUB_TOKEN: ${{ secrets.DOCS_PR_COMMENT_TOKEN }}
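Review bot: pinning `marocchino/sticky-pull-request-comment` to `efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0` is the substance of the PR title and is correct for a step that holds `DOCS_PR_COMMENT_TOKEN`; note the spacing `#v2.8.0` here versus `# v2.8.0` in docs-teardown.yml, pick one. Two points on the comment steps: `path: changelog` posts a file taken from the untrusted `docs` artifact verbatim as a PR comment, so the PR author controls that comment's markdown; that is acceptable for a preview bot but deserves a comment saying it is intentional. Second, the changelog step sets `recreate: true` while the no-changelog step, which uses the same `header: docs-pr-changes`, does not; if the intent is to replace the previous comment in both cases, add `recreate: true` to the second step too, otherwise document why they differ.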
61 changes: 61 additions & 0 deletions .github/workflows/docs-pr-checks.yml
@@ -0,0 +1,61 @@

name: "Verify Docs PR"

on:
pull_request:
branches:
- "dev"
- "5.x"
- "4.[0-9]"
- "3.5"

jobs:

# Generate HTML
docs-build-pr:
uses: neo4j/docs-tools/.github/workflows/[email protected]
with:
deploy-id: ${{ github.event.number }}
retain-artifacts: 14

# Parse the json log output from the HTML build, and output warnings and errors as annotations
# Optionally, fail the build if there are warnings or errors
# By default, the job fails if there are errors, passes if there are warnings only.
docs-verify-pr:
needs: docs-build-pr
uses: neo4j/docs-tools/.github/workflows/[email protected]
with:
failOnWarnings: true

# Get lists of changes in the PR
# - all updated asciidoc files
# - all updated asciidoc pages
# - all new asciidoc pages
docs-changes-pr:
runs-on: ubuntu-latest
outputs:
asciidoc-files: ${{ steps.get-file-changes.outputs.asciidoc_all_changed_files }}
pages-modified: ${{ steps.get-file-changes.outputs.pages_modified_files }}
pages-added: ${{ steps.get-file-changes.outputs.pages_added_files }}
steps:
- name: Get file changes
id: get-file-changes
uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
with:
separator: ','
files_yaml: |
pages:
- modules/**/pages/**/*.adoc
asciidoc:
- modules/**/*.adoc

# Generate a PR comment if the docs are using the pageList extension
# The extension maps asciidoc source files to their HTML output paths
# The comment will contain links to new and changed pages in the deployed HTML docs
docs-updates-comment-pr:
if: needs.docs-build-pr.outputs.pages-listed == 'success'
needs: [docs-build-pr, docs-changes-pr]
uses: neo4j/docs-tools/.github/workflows/[email protected]
with:
pages-modified: ${{ needs.docs-changes-pr.outputs.pages-modified }}
pages-added: ${{ needs.docs-changes-pr.outputs.pages-added }}
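Review bot: the `pull_request` trigger (rather than `pull_request_target`) is the right choice for this file: the PR's own build runs without base-repository secrets, and the secret-bearing work (surge token, comment token) stays in the `workflow_run` deploy workflow. Two points: `docs-updates-comment-pr` gates on `needs.docs-build-pr.outputs.pages-listed == 'success'`, an output of the reusable `docs-build-pr` workflow that is not visible here; a comment naming where that output is set would help, since an absent output makes the job silently skip. Second, the `neo4j/docs-tools` reusable workflows are referenced by tag (the refs render as `[email protected]` on this page, so the exact tags are unreadable) while `tj-actions/changed-files` is pinned by SHA with `# v41.1.2`; that matches the title's scope of untrusted actions, but a header comment stating the policy (own-org and GitHub-owned actions by tag, third-party by SHA) would make the distinction explicit.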
30 changes: 0 additions & 30 deletions .github/workflows/docs-pr.yml

This file was deleted.

24 changes: 18 additions & 6 deletions .github/workflows/docs-teardown.yml
Expand Up @@ -4,10 +4,10 @@ name: "Documentation Teardown"
on:
pull_request_target:
branches:
- "3.5"
- "4.[0-9]"
- "5.x"
- "dev"
- "5.x"
- "4.[0-9]"
- "3.5"
types:
- closed

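Review bot: this hunk only reorders the `branches:` list under `pull_request_target` to `dev`, `5.x`, `4.[0-9]`, `3.5`, matching the order in docs-pr-checks.yml; no functional change. Because `pull_request_target` with `types: closed` runs with base-repository secrets, it is worth a comment in the file header that this workflow must never check out or execute PR content.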
Expand All @@ -19,20 +19,32 @@ jobs:
- uses: actions/setup-node@v3
with:
node-version: lts/*

- id: get-deploy-url
env:
ORG: ${{ github.event.repository.owner.login }}
REPO: ${{ github.event.repository.name }}
DEPLOYID: ${{ github.event.pull_request.number }}
run: |
deployurl=$ORG-$REPO-$DEPLOYID.surge.sh
echo "deploy-url=$deployurl" >> $GITHUB_OUTPUT

- name: Teardown documentation
shell: bash
env:
SURGE_TOKEN: "${{ secrets.DOCS_SURGE_TOKEN }}"
DEPLOY_URL: ${{ steps.get-deploy-url.outputs.deploy-url }}
run: |
npm install -g surge
surge teardown ${{ github.event.repository.owner.login}}-${{ github.event.repository.name}}-${{ github.event.pull_request.number }}.surge.sh --token "$SURGE_TOKEN"
surge teardown $DEPLOY_URL --token "$SURGE_TOKEN"

- name: Comment on PR
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
with:
number: ${{ github.event.pull_request.number }}
header: docs-pr-changes
message: |
Thanks for the documentation updates.

The preview documentation has now been torn down - reopening this PR will republish it.
GITHUB_TOKEN: ${{ secrets.DOCS_PR_COMMENT_TOKEN }}
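Review bot: same two nits as in docs-deploy-surge.yml: `>> $GITHUB_OUTPUT` is unquoted in the new `get-deploy-url` step, and the pin comment is `# v2.8.0` here versus `#v2.8.0` there. The SHA pin on `marocchino/sticky-pull-request-comment` matters most in this file, since it is a `pull_request_target` job holding `DOCS_SURGE_TOKEN` and `DOCS_PR_COMMENT_TOKEN`, and a third-party action running here sees those secrets. `actions/setup-node@v3` stays on a tag, consistent with treating GitHub-owned actions as trusted. `DEPLOYID` is `github.event.pull_request.number`, an integer from the event payload, so no validation step is needed before building `deployurl`, unlike the artifact-derived `deployid` in the deploy workflow.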