-
Notifications
You must be signed in to change notification settings - Fork 5
feat: deploy dev pages preview for fork pull requests #122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| name: Deploy fork preview | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| artifact-name: | ||
| description: Artifact to download/deploy; also the target path and the `fork-` environment suffix | ||
| type: string | ||
| required: true | ||
|
|
||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| deployments: write | ||
| actions: read | ||
|
|
||
| jobs: | ||
| deploy: | ||
| if: > | ||
| ${{ github.event.workflow_run.event == 'pull_request' && | ||
| github.event.workflow_run.conclusion == 'success' && | ||
| github.event.workflow_run.head_repository.full_name != github.event.workflow_run.repository.full_name }} | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| environment: | ||
| name: fork-${{ inputs.artifact-name }} | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Using a separate environment is helpful for example, if we later want to require an extra layer of approval before forked-PR previews are deployed, we can enable it on this environment. |
||
| url: ${{ steps.deploy.outputs.preview-url }}index.html | ||
| steps: | ||
| - name: Download artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: ${{ inputs.artifact-name }} | ||
| path: build | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. the artifact lives in the build run (a different run), so we fetch it by run-id via the REST API (hence github-token + actions: read). The run id comes from the caller's workflow_run payload. |
||
| github-token: ${{ github.token }} | ||
| - name: Deploy dev-pages | ||
| id: deploy | ||
| uses: cloudscape-design/actions/.github/actions/deploy-static@main | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_PREVIEW_ROLE_ARN }} | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How do the secrets work on workflows running for forks? Is there a risk that a fork can modify the workflow on their end to log out the secrets? Or are we relying on manual approval of the deploys to enforce that?
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It mainly relies on human review to make sure we don't deploy anything unexpected. On top of that, we can add an approval step on each repository's environment so every deployment is intentional. Is it gated technically/automatically? Yes, unless I missed something, what I did is split the flow: the artifact is built in the |
||
| deployment-bucket: ${{ secrets.AWS_PREVIEW_BUCKET_NAME }} | ||
| source-path: build | ||
| target-path: ${{ inputs.artifact-name }} | ||
| commit-sha: ${{ github.event.workflow_run.head_sha }} | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,7 +19,9 @@ permissions: | |
|
|
||
| jobs: | ||
| deploy: | ||
| if: github.event_name == 'pull_request' | ||
| if: > | ||
| github.event_name == 'pull_request' && | ||
| github.event.pull_request.head.repo.full_name == github.repository | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Internal PRs only. Fork PRs can't deploy here (no secrets), and they are handled separately by deploy-fork-preview.yml. Keeping this guard here means consumers don't need to add it to their own deploy caller job. |
||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| environment: | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This uses
workflow_call— should there be some other workflow that calls this? Or should this beworkflow_run?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is called from the
workflow_runof other repositories. For example, in chat-components I will add a workflow that will fire after the build end, and it will be using this deply fork preview workflow_call.