name: Preview on: # pull_request_target gives write access to GHCR even for PRs from forks. # This is safe because: # 1. We explicitly checkout the PR's head commit (no base branch code execution) # 2. We ONLY build a Docker image (isolated container, no workflow scripts from PR) # 3. The github-script step only uses safe PR metadata (number, SHA) — no PR-supplied # text (title, body, commit messages) is interpolated, so there is no injection risk # 4. Build happens in isolated Docker container with well-defined Dockerfile pull_request_target: jobs: docker: runs-on: ubuntu-latest permissions: packages: write contents: read pull-requests: write steps: - name: Free Disk Space uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 with: large-packages: false docker-images: false swap-storage: false - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: # For pull_request_target, we need to explicitly fetch the PR ref from forks # since the PR's commit SHA is not reachable in the base repository. # This is safe because no PR code is executed in workflow context. # Only Docker build uses the PR code (isolated in container). ref: refs/pull/${{ github.event.pull_request.number }}/head - name: Git describe id: ghd uses: proudust/gh-describe@v2 - name: Login to GHCR uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: version: latest - name: Docker meta id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} tags: | type=ref,event=pr type=sha,format=long - name: Build and push PR image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: . platforms: linux/amd64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max build-args: | RELEASE_VERSION=${{ steps.ghd.outputs.describe }} - name: Comment on PR uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const prNumber = context.payload.pull_request.number; const fullSha = context.payload.pull_request.head.sha; const shortSha = fullSha.substring(0, 7); const base = 'preview.vikunja.dev'; const image = `ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}`; const marker = ''; const prTag = `pr-${prNumber}`; const shaTag = `sha-${fullSha}`; const newShaRow = `| https://${shaTag}.${base} | \`${image}:${shaTag}\` | \`${shortSha}\` |`; // Collect previous SHA rows from existing comment let previousShaRows = []; const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: prNumber, }); const existing = comments.find(c => c.body.includes(marker)); if (existing) { previousShaRows = existing.body .split('\n') .filter(l => l.includes(`sha-`) && l.includes(`.${base}`)); } // Remove duplicate if this SHA was already recorded previousShaRows = previousShaRows.filter(r => !r.includes(shaTag)); const allShaRows = [newShaRow, ...previousShaRows].join('\n'); const body = [ marker, `### Preview Deployment`, ``, `Preview deployments for this PR are available at:`, ``, `| URL | Tag | Commit |`, `| --- | --- | --- |`, `| https://${prTag}.${base} | \`${image}:${prTag}\` | latest |`, allShaRows, ``, `The preview environment will start automatically on first visit. Subsequent pushes to this PR will update the \`${prTag}\` image — the preview picks up the new version on restart. The per-commit URLs point to a specific version and will not change.`, ``, `
`, `Run locally with Docker`, ``, '```bash', `docker pull ${image}:${prTag}`, `docker run -p 3456:3456 ${image}:${prTag}`, '```', `
`, ``, `_Last updated for commit ${shortSha}_`, ].join('\n'); if (existing) { await github.rest.issues.updateComment({ owner: context.repo.owner, repo: context.repo.repo, comment_id: existing.id, body, }); } else { await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: prNumber, body, }); }