
Public Repo Azure Preview Environments (#25206)

* add public deploy workflow, update destroy to work on pull_request_target

Co-authored-by: Peter Bengtsson <mail@peterbe.com>
This commit is contained in:
Mike Surowiec
2022-02-10 14:14:40 -06:00
committed by GitHub
parent 67b43ec86b
commit ac8e7e58fd
6 changed files with 60 additions and 21 deletions


@@ -10,3 +10,5 @@ tests/
lib/rest/static/dereferenced lib/rest/static/dereferenced
# Folder is cloned during the preview + prod workflows, the assets are merged into other locations for use before the build # Folder is cloned during the preview + prod workflows, the assets are merged into other locations for use before the build
docs-early-access/ docs-early-access/
# During the preview deploy untrusted user code may be cloned into this directory
user-code/


@@ -1,12 +1,13 @@
name: Azure - Deploy Preview Environment name: Azure - Deploy Preview Environment
# **What it does**: Build and deploy to an Azure preview environment # **What it does**: Build and deploy an Azure preview environment for this PR
# **Why we have it**: It's our preview environment deploy mechanism, only applicable to docs-internal # **Why we have it**: It's our preview environment deploy mechanism, to docs-internal and docs public repo
# **Who does it impact**: All contributors. # **Who does it impact**: All contributors.
# This whole workflow is only guaranteed to be secure in the *private # !!!
# repo* and because we repo-sync these files over the to the public one, # ! This worflow has access to secrets, runs in the public repository, and clones untrusted user code.
# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal! # ! Modify with extreme caution
# !!!
on: on:
# The advantage of 'pull_request' over 'pull_request_target' is that we # The advantage of 'pull_request' over 'pull_request_target' is that we
@@ -15,13 +16,17 @@ on:
# From a security point of view, its arguably safer this way because # From a security point of view, its arguably safer this way because
# unlike 'pull_request_target', these only have secrets if the pull # unlike 'pull_request_target', these only have secrets if the pull
# request creator has permission to access secrets. # request creator has permission to access secrets.
pull_request: pull_request_target:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
PR_NUMBER: PR_NUMBER:
description: 'PR Number' description: 'PR Number'
type: string type: string
required: true required: true
COMMIT_REF:
description: 'The commit SHA to build'
type: string
required: true
permissions: permissions:
contents: read contents: read
@@ -34,7 +39,6 @@ concurrency:
jobs: jobs:
build-and-deploy-azure-preview: build-and-deploy-azure-preview:
if: ${{ github.repository == 'github/docs-internal' }}
name: Build and deploy Azure preview environment name: Build and deploy Azure preview environment
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15 timeout-minutes: 15
@@ -47,7 +51,11 @@ jobs:
url: ${{ env.APP_URL }} url: ${{ env.APP_URL }}
env: env:
PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }} PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }} COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }}
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }}
# This may also run in forked repositories, not just 'github/docs'
IS_PUBLIC_BUILD: ${{ github.repository != 'github/docs-internal' }}
steps: steps:
- name: 'Az CLI login' - name: 'Az CLI login'
@@ -65,10 +73,19 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25
- name: Check out repo - if: ${{ env.IS_PUBLIC_BUILD }}
name: Check out main branch
uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: 'main'
persist-credentials: 'false'
lfs: 'true'
- if: ${{ env.IS_INTERNAL_BUILD }}
name: Check out PR code
uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
with:
ref: ${{ env.COMMIT_REF }}
# To prevent issues with cloning early access content later # To prevent issues with cloning early access content later
persist-credentials: 'false' persist-credentials: 'false'
lfs: 'true' lfs: 'true'
@@ -84,14 +101,14 @@ jobs:
- name: 'Set env vars' - name: 'Set env vars'
run: | run: |
# Image tag is unique to each workflow run so that it always triggers a new deployment # Image tag is unique to each workflow run so that it always triggers a new deployment
echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ env.COMMIT_REF }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
- if: ${{ env.ENABLE_EARLY_ACCESS }} - if: ${{ env.IS_INTERNAL_BUILD }}
name: Determine which docs-early-access branch to clone name: Determine which docs-early-access branch to clone
id: 'check-early-access' id: 'check-early-access'
uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
env: env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }} BRANCH_NAME: ${{ env.BRANCH_NAME }}
with: with:
github-token: ${{ secrets.DOCUBOT_REPO_PAT }} github-token: ${{ secrets.DOCUBOT_REPO_PAT }}
result-encoding: string result-encoding: string
@@ -116,7 +133,7 @@ jobs:
return 'main' return 'main'
} }
- if: ${{ env.ENABLE_EARLY_ACCESS }} - if: ${{ env.IS_INTERNAL_BUILD }}
name: Clone docs-early-access name: Clone docs-early-access
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
with: with:
@@ -125,10 +142,25 @@ jobs:
path: docs-early-access path: docs-early-access
ref: ${{ steps.check-early-access.outputs.result }} ref: ${{ steps.check-early-access.outputs.result }}
- if: ${{ env.ENABLE_EARLY_ACCESS }} - if: ${{ env.IS_INTERNAL_BUILD }}
name: Merge docs-early-access repo's folders name: Merge docs-early-access repo's folders
run: .github/actions-scripts/merge-early-access.sh run: .github/actions-scripts/merge-early-access.sh
- if: ${{ env.IS_PUBLIC_BUILD }}
name: Check out user code to temp directory
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
with:
path: ./user-code
ref: ${{ env.COMMIT_REF }}
# Move acceptable user changes into our main branch checkout
- if: ${{ env.IS_PUBLIC_BUILD }}
name: Move acceptable user changes
run: |
rsync -rptovR ./user-code/content/./**/*.md ./content
rsync -rptovR ./user-code/assets/./**/*.png ./assets
rsync -rptovR ./user-code/data/./**/*.{yml,md} ./data
# In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context # In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context
- name: 'Prune for preview env' - name: 'Prune for preview env'
run: .github/actions-scripts/prune-for-preview-env.sh run: .github/actions-scripts/prune-for-preview-env.sh
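Review bot: The "Check out user code to temp directory" step that checks out `${{ env.COMMIT_REF }}` into ./user-code omits `persist-credentials: 'false'`, unlike the main-branch checkout earlier in the job, so the workflow's GITHUB_TOKEN is written into ./user-code/.git/config next to the untrusted content; under `pull_request_target` that token is issued for the base repository, so add `persist-credentials: 'false'` to that step. The rsync globs such as `./user-code/content/./**/*.md` appear to depend on bash's globstar option, which is off in the runner's default non-interactive shell, so `**` behaves like `*` and only one directory level of user changes is copied; prefix the script with `shopt -s globstar` (or use rsync `--include` filters) and confirm the result against a nested fixture. The comment block above `pull_request_target:` still explains the advantage of `pull_request`, which no longer describes this trigger, so it should be rewritten to state why `pull_request_target` is required now that secrets are needed for fork PRs. The job's remaining steps continue outside the hunk.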


@@ -5,7 +5,7 @@ name: Azure - Destroy Preview Env
# **Who does it impact**: All contributors. # **Who does it impact**: All contributors.
on: on:
pull_request: pull_request_target:
types: types:
- closed - closed
- locked - locked
@@ -16,10 +16,12 @@ on:
type: string type: string
required: true required: true
permissions:
contents: read
jobs: jobs:
destory-azure-preview-env: destory-azure-preview-env:
name: Destroy name: Destroy
if: ${{ github.repository == 'github/docs-internal' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5 timeout-minutes: 5
env: env:
@@ -59,5 +61,6 @@ jobs:
# Remove all GitHub deployments from this environment and remove the environment # Remove all GitHub deployments from this environment and remove the environment
- uses: strumwolf/delete-deployment-environment@45c821e46baa405e25410700fe2e9643929706a0 - uses: strumwolf/delete-deployment-environment@45c821e46baa405e25410700fe2e9643929706a0
with: with:
# The token provided by the workflow does not have the permissions to delete created environments
token: ${{ secrets.DOCUBOT_REPO_PAT }} token: ${{ secrets.DOCUBOT_REPO_PAT }}
environment: preview-env-${{ env.PR_NUMBER }} environment: preview-env-${{ env.PR_NUMBER }}
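Review bot: The destroy job now fires on `pull_request_target` for closed/locked PRs, including ones from forks, while holding `DOCUBOT_REPO_PAT`, yet the visible header lines carry none of the warning the deploy workflow received. Suggest adding below the "Who does it impact" line `# !!! Runs with secrets on pull_request_target in the public repo; never check out or execute PR code in this job !!!` so a later edit does not quietly add an untrusted checkout. The file's first four lines and the job's earlier steps are outside the hunk, so if an equivalent warning already exists there this can be ignored.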


@@ -24,8 +24,6 @@ jobs:
timeout-minutes: 15 timeout-minutes: 15
env: env:
ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }} ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}
NONPROD_REGISTRY_USERNAME: ghdocs
NONPROD_REGISTRY_NAME: ghdocs
DOCKER_IMAGE_CACHE_REF: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview DOCKER_IMAGE_CACHE_REF: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview
steps: steps:
@@ -38,7 +36,7 @@ jobs:
uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a
with: with:
login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }} login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }}
username: ${{ env.NONPROD_REGISTRY_USERNAME }} username: ${{ secrets.NONPROD_REGISTRY_USERNAME }}
password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }} password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}
- name: Set up Docker Buildx - name: Set up Docker Buildx

.gitignore vendored

@@ -17,3 +17,7 @@ blc_output.log
blc_output_internal.log blc_output_internal.log
broken_links.md broken_links.md
lib/redirects/.redirects-cache_*.json lib/redirects/.redirects-cache_*.json
# During the preview deploy untrusted user code may be cloned into this directory
# We ignore it from git to keep things deterministic
user-code/


@@ -23,7 +23,7 @@ FROM base as all_deps
COPY --chown=node:node package.json package-lock.json ./ COPY --chown=node:node package.json package-lock.json ./
RUN npm ci --no-optional RUN npm ci --no-optional --registry https://registry.npmjs.org/
# For Next.js v12+ # For Next.js v12+
# This the appropriate necessary extra for node:16-alpine # This the appropriate necessary extra for node:16-alpine
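Review bot: The `--registry https://registry.npmjs.org/` flag added to `npm ci` has no comment saying why the registry is pinned, and a future maintainer may remove it as redundant; add above the RUN line `# Pin the registry explicitly so no .npmrc that reaches the build context can redirect package downloads`. Note that `--registry` does not override scoped `@scope:registry` entries in an .npmrc, and `npm ci` still installs from the `resolved` URLs and `integrity` hashes in package-lock.json, so the lockfile remains the primary supply-chain control here — presumably that is the intent, but worth confirming. The enclosing build stage continues outside the hunk.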