153 lines
6.0 KiB
YAML
153 lines
6.0 KiB
YAML
name: Preview
|
|
|
|
on:
|
|
# pull_request_target gives write access to GHCR even for PRs from forks.
|
|
# This is safe because:
|
|
# 1. We explicitly checkout the PR's head commit (no base branch code execution)
|
|
# 2. We ONLY build a Docker image (isolated container, no workflow scripts from PR)
|
|
# 3. The github-script step only uses safe PR metadata (number, SHA) — no PR-supplied
|
|
# text (title, body, commit messages) is interpolated, so there is no injection risk
|
|
# 4. Build happens in isolated Docker container with well-defined Dockerfile
|
|
pull_request_target:
|
|
|
|
jobs:
|
|
docker:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
packages: write
|
|
contents: read
|
|
pull-requests: write
|
|
steps:
|
|
- name: Free Disk Space
|
|
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
|
|
with:
|
|
large-packages: false
|
|
docker-images: false
|
|
swap-storage: false
|
|
- name: Checkout
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
|
|
with:
|
|
# For pull_request_target, we need to explicitly fetch the PR ref from forks
|
|
# since the PR's commit SHA is not reachable in the base repository.
|
|
# This is safe because no PR code is executed in workflow context.
|
|
# Only Docker build uses the PR code (isolated in container).
|
|
ref: refs/pull/${{ github.event.pull_request.number }}/head
|
|
- name: Git describe
|
|
id: ghd
|
|
uses: proudust/gh-describe@v2
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
|
|
with:
|
|
version: latest
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
|
|
with:
|
|
images: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
|
|
tags: |
|
|
type=ref,event=pr
|
|
type=sha,format=long
|
|
- name: Build and push PR image
|
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
build-args: |
|
|
RELEASE_VERSION=${{ steps.ghd.outputs.describe }}
|
|
- name: Comment on PR
|
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
|
|
with:
|
|
script: |
|
|
const prNumber = context.payload.pull_request.number;
|
|
const fullSha = context.payload.pull_request.head.sha;
|
|
const shortSha = fullSha.substring(0, 7);
|
|
const base = 'preview.vikunja.dev';
|
|
const image = `ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}`;
|
|
const marker = '<!-- vikunja-preview-comment -->';
|
|
const shaMarker = '<!-- sha-rows -->';
|
|
const shaMarkerEnd = '<!-- /sha-rows -->';
|
|
|
|
const prTag = `pr-${prNumber}`;
|
|
const shaTag = `sha-${fullSha}`;
|
|
const newShaRow = `| https://${shaTag}.${base} | \`${image}:${shaTag}\` | \`${shortSha}\` |`;
|
|
|
|
// Collect previous SHA rows from existing comment
|
|
let previousShaRows = [];
|
|
const { data: comments } = await github.rest.issues.listComments({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: prNumber,
|
|
});
|
|
const existing = comments.find(c => c.body.includes(marker));
|
|
|
|
if (existing) {
|
|
const match = existing.body.match(
|
|
new RegExp(`${shaMarker}\\n([\\s\\S]*?)\\n${shaMarkerEnd}`)
|
|
);
|
|
if (match) {
|
|
previousShaRows = match[1]
|
|
.split('\n')
|
|
.map(l => l.trim())
|
|
.filter(l => l.startsWith('|'));
|
|
}
|
|
}
|
|
|
|
// Remove duplicate if this SHA was already recorded
|
|
previousShaRows = previousShaRows.filter(r => !r.includes(shaTag));
|
|
|
|
const allShaRows = [newShaRow, ...previousShaRows].join('\n');
|
|
|
|
const body = [
|
|
marker,
|
|
`### Preview Deployment`,
|
|
``,
|
|
`Preview deployments for this PR are available at:`,
|
|
``,
|
|
`| URL | Tag | Commit |`,
|
|
`| --- | --- | --- |`,
|
|
`| https://${prTag}.${base} | \`${image}:${prTag}\` | latest |`,
|
|
shaMarker,
|
|
allShaRows,
|
|
shaMarkerEnd,
|
|
``,
|
|
`The preview environment will start automatically on first visit. Subsequent pushes to this PR will update the \`${prTag}\` image — the preview picks up the new version on restart. The per-commit URLs point to a specific version and will not change.`,
|
|
``,
|
|
`<details>`,
|
|
`<summary>Run locally with Docker</summary>`,
|
|
``,
|
|
'```bash',
|
|
`docker pull ${image}:${prTag}`,
|
|
`docker run -p 3456:3456 ${image}:${prTag}`,
|
|
'```',
|
|
`</details>`,
|
|
``,
|
|
`_Last updated for commit ${shortSha}_`,
|
|
].join('\n');
|
|
|
|
if (existing) {
|
|
await github.rest.issues.updateComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
comment_id: existing.id,
|
|
body,
|
|
});
|
|
} else {
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: prNumber,
|
|
body,
|
|
});
|
|
}
|