vikunja/.github/workflows/preview.yml

153 lines
6.0 KiB
YAML

name: Preview
on:
# pull_request_target gives write access to GHCR even for PRs from forks.
# This is safe because:
# 1. We explicitly checkout the PR's head commit (no base branch code execution)
# 2. We ONLY build a Docker image (isolated container, no workflow scripts from PR)
# 3. The github-script step only uses safe PR metadata (number, SHA) — no PR-supplied
# text (title, body, commit messages) is interpolated, so there is no injection risk
# 4. Build happens in isolated Docker container with well-defined Dockerfile
pull_request_target:
jobs:
docker:
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
pull-requests: write
steps:
- name: Free Disk Space
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
large-packages: false
docker-images: false
swap-storage: false
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
# For pull_request_target, we need to explicitly fetch the PR ref from forks
# since the PR's commit SHA is not reachable in the base repository.
# This is safe because no PR code is executed in workflow context.
# Only Docker build uses the PR code (isolated in container).
ref: refs/pull/${{ github.event.pull_request.number }}/head
- name: Git describe
id: ghd
uses: proudust/gh-describe@v2
- name: Login to GHCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
with:
version: latest
- name: Docker meta
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
tags: |
type=ref,event=pr
type=sha,format=long
- name: Build and push PR image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
context: .
platforms: linux/amd64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
RELEASE_VERSION=${{ steps.ghd.outputs.describe }}
- name: Comment on PR
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const prNumber = context.payload.pull_request.number;
const fullSha = context.payload.pull_request.head.sha;
const shortSha = fullSha.substring(0, 7);
const base = 'preview.vikunja.dev';
const image = `ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}`;
const marker = '<!-- vikunja-preview-comment -->';
const shaMarker = '<!-- sha-rows -->';
const shaMarkerEnd = '<!-- /sha-rows -->';
const prTag = `pr-${prNumber}`;
const shaTag = `sha-${fullSha}`;
const newShaRow = `| https://${shaTag}.${base} | \`${image}:${shaTag}\` | \`${shortSha}\` |`;
// Collect previous SHA rows from existing comment
let previousShaRows = [];
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
});
const existing = comments.find(c => c.body.includes(marker));
if (existing) {
const match = existing.body.match(
new RegExp(`${shaMarker}\\n([\\s\\S]*?)\\n${shaMarkerEnd}`)
);
if (match) {
previousShaRows = match[1]
.split('\n')
.map(l => l.trim())
.filter(l => l.startsWith('|'));
}
}
// Remove duplicate if this SHA was already recorded
previousShaRows = previousShaRows.filter(r => !r.includes(shaTag));
const allShaRows = [newShaRow, ...previousShaRows].join('\n');
const body = [
marker,
`### Preview Deployment`,
``,
`Preview deployments for this PR are available at:`,
``,
`| URL | Tag | Commit |`,
`| --- | --- | --- |`,
`| https://${prTag}.${base} | \`${image}:${prTag}\` | latest |`,
shaMarker,
allShaRows,
shaMarkerEnd,
``,
`The preview environment will start automatically on first visit. Subsequent pushes to this PR will update the \`${prTag}\` image — the preview picks up the new version on restart. The per-commit URLs point to a specific version and will not change.`,
``,
`<details>`,
`<summary>Run locally with Docker</summary>`,
``,
'```bash',
`docker pull ${image}:${prTag}`,
`docker run -p 3456:3456 ${image}:${prTag}`,
'```',
`</details>`,
``,
`_Last updated for commit ${shortSha}_`,
].join('\n');
if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: existing.id,
body,
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body,
});
}