docs/.github/workflows/azure-preview-env-deploy.yml

name: Azure - Deploy Preview Environment

# **What it does**: Build and deploy to an Azure preview environment
# **Why we have it**: It's our preview environment deploy mechanism, only applicable to docs-internal
# **Who does it impact**: All contributors.

# This whole workflow is only guaranteed to be secure in the *private
# repo* and because we repo-sync these files over the to the public one,
# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!

on:
  # The advantage of 'pull_request' over 'pull_request_target' is that we
  # can make changes to this file and test them in a pull request, instead
  # of relying on landing it in 'main' first.
  # From a security point of view, its arguably safer this way because
  # unlike 'pull_request_target', these only have secrets if the pull
  # request creator has permission to access secrets.
  pull_request:
  workflow_dispatch:
    inputs:
      PR_NUMBER:
        description: 'PR Number'
        type: string
        required: true

permissions:
  contents: read
  deployments: write

# This allows one deploy workflow to interrupt another
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label }}'
  cancel-in-progress: true

jobs:
  build-and-deploy-azure-preview:
    if: ${{ github.repository == 'github/docs-internal' }}
    name: Build and deploy Azure preview environment
    runs-on: ubuntu-latest
    timeout-minutes: 15
    environment:
      name: preview-env-${{ github.event.number }}
      url: ${{ steps.deploy.outputs.defaultHostName }}
    env:
      PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
      NONPROD_REGISTRY_USERNAME: ghdocs
      APP_LOCATION: eastus
      ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}

    steps:
      - name: 'Az CLI login'
        uses: azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.NONPROD_AZURE_CREDENTIALS }}

      - name: 'Docker login'
        uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a
        with:
          login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }}
          username: ${{ env.NONPROD_REGISTRY_USERNAME }}
          password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25

      - name: Check out repo
        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # To prevent issues with cloning early access content later
          persist-credentials: 'false'
          lfs: 'true'

      - name: Check out LFS objects
        run: git lfs checkout

      - name: Get preview app info
        run: .github/actions-scripts/get-preview-app-info.sh

      - name: 'Set env vars'
        run: |
          # Image tag is unique to each workflow run so that it always triggers a new deployment
          echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV

      - if: ${{ env.ENABLE_EARLY_ACCESS }}
        name: Determine which docs-early-access branch to clone
        id: 'check-early-access'
        uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
        env:
          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
        with:
          github-token: ${{ secrets.DOCUBOT_REPO_PAT }}
          result-encoding: string
          script: |
            const { BRANCH_NAME } = process.env

            try {
              const { status } = await github.request('GET /repos/{owner}/{repo}/branches/{branch}', {
                owner: 'github',
                repo: 'docs-early-access',
                branch: BRANCH_NAME,
              })

              if (status !== 200) {
                throw new Error('Received non-200 response from branch GET request')
              }

              console.log(`Using docs-early-access branch '${BRANCH_NAME}'`)
              return BRANCH_NAME
            } catch (e) {
              console.log(`Failed to get docs-early-access branch '${BRANCH_NAME}', 'main' will be used instead.`)
              return 'main'
            }

      - if: ${{ env.ENABLE_EARLY_ACCESS }}
        name: Clone docs-early-access
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          repository: github/docs-early-access
          token: ${{ secrets.DOCUBOT_REPO_PAT }}
          path: docs-early-access
          ref: ${{ steps.check-early-access.outputs.result }}

      - if: ${{ env.ENABLE_EARLY_ACCESS }}
        name: Merge docs-early-access repo's folders
        run: .github/actions-scripts/merge-early-access.sh

      # In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context
      - name: 'Prune for preview env'
        run: .github/actions-scripts/prune-for-preview-env.sh

      - name: 'Build and push image'
        uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b
        with:
          context: .
          push: true
          target: preview
          tags: ${{ env.DOCKER_IMAGE }}
          # we only pull the `main` cache image
          cache-from: type=registry,ref=${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview
          # `main-docker-cache.yml` handles updating the remote cache so we don't pollute it with PR specific code
          cache-to: ''

      # Succeed despite any non-zero exit code (e.g. if there is no deployment to cancel)
      - name: 'Cancel any existing deployments for this PR'
        run: |
          az deployment group cancel --name ${{ env.DEPLOYMENT_NAME }} -g ${{ env.RESOURCE_GROUP }} || true

      # Deploy ARM template is idempotent
      # Note: once the resources exist the image tag must change for a new deployment to occur (the image tag includes workflow run number, run attempt, as well as sha)
      - name: Run ARM deploy
        id: deploy
        uses: azure/arm-deploy@841b12551939c88af8f6df767c24c38a5620fd0d
        with:
          resourceGroupName: ${{ env.RESOURCE_GROUP }}
          subscriptionId: ${{ secrets.NONPROD_SUBSCRIPTION_ID }}
          template: ./azure-preview-env-template.json
          deploymentName: ${{ env.DEPLOYMENT_NAME }}
          parameters: appName="${{ env.APP_NAME_SHORT }}"
            location="${{ env.APP_LOCATION }}"
            linuxFxVersion="DOCKER|${{ env.DOCKER_IMAGE }}"
            dockerRegistryUrl="https://${{ secrets.NONPROD_REGISTRY_SERVER }}"
            dockerRegistryUsername="${{ env.NONPROD_REGISTRY_USERNAME }}"
            dockerRegistryPassword="${{ secrets.NONPROD_REGISTRY_PASSWORD }}"

      - run: echo ${{ steps.deploy.outputs.defaultHostName }}