* Updated language to reference enabling instead of opt-in * Optimize images * fixing broken link * Update content/get-started/privacy-on-github/about-githubs-use-of-your-data.md Co-authored-by: Felicity Chapman <felicitymay@github.com> * Update content/get-started/privacy-on-github/managing-data-use-settings-for-your-private-repository.md Co-authored-by: Felicity Chapman <felicitymay@github.com> * Update content/get-started/privacy-on-github/managing-data-use-settings-for-your-private-repository.md Co-authored-by: Felicity Chapman <felicitymay@github.com> * Openapi update api.github.com (#26398) * Openapi 3.0 ghae (#26400) * Update OpenAPI Descriptions (#26397) * Fix a change missed in a last minute update (#26389) * change order of some site-policy docs (#26307) * reordering the docs * Create codespace.md * Update README.md * Update README.md * Update codespace.md * Update codespace.md * Update codespace.md * Update codespace.md * Update OpenAPI Descriptions * update preview env app_url to preview.ghdocs.com (#26335) * Fix flag (#26420) * Update codespace.md * Update codespace.md * Update codespace.md * Remove Caddy from preview envs (#26336) * remove caddy from preview envs * fix: remove location from template Co-authored-by: Peter Bengtsson <mail@peterbe.com> * Add `Ignore commits in the blame view` to blame docs (#26017) * Connect addendum deprecation (#26296) * temporarily commented out * also comment out * also comment out Co-authored-by: Jenni Christensen <97056108+dihydroJenoxide@users.noreply.github.com> Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Rachael Sewell <rachmari@github.com> Co-authored-by: github-openapi-bot <69533958+github-openapi-bot@users.noreply.github.com> Co-authored-by: Abby Vollmer <vollmera@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: docubot <67483024+docubot@users.noreply.github.com> Co-authored-by: 
Mike Surowiec <mikesurowiec@users.noreply.github.com> Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com> Co-authored-by: Peter Bengtsson <mail@peterbe.com> Co-authored-by: Jason Etcovitch <jasonetco@github.com> Co-authored-by: Billy Rusteen <birust@github.com>
name: Azure - Deploy Preview Environment

# **What it does**: Build and deploy an Azure preview environment for this PR
# **Why we have it**: It's our preview environment deploy mechanism, to docs-internal and docs public repo
# **Who does it impact**: All contributors.

# !!!
# ! This workflow has access to secrets, runs in the public repository, and clones untrusted user code.
# ! Modify with extreme caution
# !!!

on:
  # NOTE(review): the rationale that used to sit here argued for 'pull_request'
  # (changes to this file can be tested from a pull request, and secrets are
  # only present when the pull request creator may access them), but the
  # trigger configured below is 'pull_request_target'.
  # With 'pull_request_target' the workflow definition is taken from the base
  # branch and repository secrets are available even for pull requests from
  # forks. Edits to this file therefore only take effect once they land on the
  # base branch, and everything that comes from the pull request must be
  # handled as untrusted input.
  pull_request_target:
  # Manual run: the caller names the PR and the commit to build.
  workflow_dispatch:
    inputs:
      PR_NUMBER:
        description: 'PR Number'
        type: string
        required: true
      COMMIT_REF:
        description: 'The commit SHA to build'
        type: string
        required: true
  # Pushes to branches matching this glob also trigger a run.
  push:
    branches:
      - 'gh-readonly-queue/main/**'

# Scopes granted to the workflow's GITHUB_TOKEN. Once this key is present,
# any scope not listed here is not granted.
permissions:
  contents: read
  deployments: write

# This allows one deploy workflow to interrupt another: runs that resolve to
# the same group string are serialized, and cancel-in-progress stops the older
# run when a newer one starts.
# The group is keyed on the head ref (or the run id when there is none) plus
# the PR number (or the manually supplied PR_NUMBER input).
concurrency:
  group: 'preview-env @ ${{ github.head_ref || github.run_id }} for ${{ github.event.number || github.event.inputs.PR_NUMBER }}'
  cancel-in-progress: true

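jobs:
  # Single job: log in to Azure and the container registry, assemble the
  # source tree (trusted base plus an allow-listed subset of PR files on
  # public builds), build and push the preview image, then deploy it through
  # an ARM template.
  build-and-deploy-azure-preview:
    name: Build and deploy Azure preview environment
    runs-on: ubuntu-latest
    timeout-minutes: 15
    environment:
      # NOTE(review): github.event.number is only populated for pull request
      # events. On workflow_dispatch and push runs this name has no number
      # suffix, unlike PR_NUMBER below, which falls back to the dispatch
      # input. Confirm that is intended.
      name: preview-env-${{ github.event.number }}
      # APP_URL is computed later in this job, in the "Get preview app info"
      # step. That script sets environment variables which are used by
      # Actions to link a PR to a list of environments later.
      url: ${{ env.APP_URL }}
    env:
      PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER || github.run_id }}
      # NOTE(review): neither operand is set on `push` runs, so COMMIT_REF is
      # empty there. Confirm the steps that consume it tolerate that.
      COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }}
      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
      IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }}
      # This may also run in forked repositories, not just 'github/docs'
      IS_PUBLIC_BUILD: ${{ github.repository != 'github/docs-internal' }}

    # Every `uses:` below is pinned to a full commit SHA rather than a
    # movable tag or branch.
    steps:
      - name: 'Az CLI login'
        uses: azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.NONPROD_AZURE_CREDENTIALS }}

      - name: 'Docker login'
        uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a
        with:
          login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }}
          username: ${{ secrets.NONPROD_REGISTRY_USERNAME }}
          password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25

      # Public build: the workspace starts from 'main', not from the PR.
      # PR files are layered on top later through an allow-list.
      - if: ${{ env.IS_PUBLIC_BUILD == 'true' }}
        name: Check out main branch
        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
        with:
          ref: 'main'
          persist-credentials: 'false'
          lfs: 'true'

      # Internal build: the PR commit itself becomes the workspace.
      - if: ${{ env.IS_INTERNAL_BUILD == 'true' }}
        name: Check out PR code
        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
        with:
          ref: ${{ env.COMMIT_REF }}
          # To prevent issues with cloning early access content later
          persist-credentials: 'false'
          lfs: 'true'

      - name: Check out LFS objects
        run: git lfs checkout

      # The script is run from the workspace checked out above, i.e. from
      # 'main' on public builds and from the PR commit on internal builds.
      - name: Get preview app info
        env:
          APP_NAME_SEED: ${{ secrets.PREVIEW_ENV_NAME_SEED }}
        run: .github/actions-scripts/get-preview-app-info.sh

      - name: 'Set env vars'
        env:
          REGISTRY_SERVER: ${{ secrets.NONPROD_REGISTRY_SERVER }}
        run: |
          # Image tag is unique to each workflow run so that it always triggers a new deployment
          # Values are read from the environment rather than spliced into the
          # script text with ${{ }}: COMMIT_REF can come from a free-form
          # workflow_dispatch input, and expression expansion happens before
          # the shell parses the line.
          echo "DOCKER_IMAGE=${REGISTRY_SERVER}/${IMAGE_REPO}:${COMMIT_REF}-${GITHUB_RUN_NUMBER}-${GITHUB_RUN_ATTEMPT}" >> "$GITHUB_ENV"

      # The branch name reaches the script through the environment, not
      # through ${{ }} inside the script body, so it is never parsed as code.
      - if: ${{ env.IS_INTERNAL_BUILD == 'true' }}
        name: Determine which docs-early-access branch to clone
        id: 'check-early-access'
        uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
        env:
          BRANCH_NAME: ${{ env.BRANCH_NAME }}
        with:
          github-token: ${{ secrets.DOCUBOT_REPO_PAT }}
          result-encoding: string
          script: |
            const { BRANCH_NAME } = process.env

            try {
              const { status } = await github.request('GET /repos/{owner}/{repo}/branches/{branch}', {
                owner: 'github',
                repo: 'docs-early-access',
                branch: BRANCH_NAME,
              })

              if (status !== 200) {
                throw new Error('Received non-200 response from branch GET request')
              }

              console.log(`Using docs-early-access branch '${BRANCH_NAME}'`)
              return BRANCH_NAME
            } catch (e) {
              console.log(`Failed to get docs-early-access branch '${BRANCH_NAME}', 'main' will be used instead.`)
              return 'main'
            }

      # NOTE(review): unlike the checkouts above, persist-credentials is not
      # disabled here, so the PAT stays in docs-early-access/.git/config for
      # as long as that directory exists. Confirm merge-early-access.sh (not
      # shown here) removes it before the image build, or set
      # persist-credentials to 'false' if the script needs no git access.
      # NOTE(review): this step and the user-code checkout pin a different
      # actions/checkout commit than the first two checkouts. Confirm that is
      # deliberate.
      - if: ${{ env.IS_INTERNAL_BUILD == 'true' }}
        name: Clone docs-early-access
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          repository: github/docs-early-access
          token: ${{ secrets.DOCUBOT_REPO_PAT }}
          path: docs-early-access
          ref: ${{ steps.check-early-access.outputs.result }}

      - if: ${{ env.IS_INTERNAL_BUILD == 'true' }}
        name: Merge docs-early-access repo's folders
        run: .github/actions-scripts/merge-early-access.sh

      # Untrusted PR content goes into its own directory and is only read by
      # the rsync step below.
      - if: ${{ env.IS_PUBLIC_BUILD == 'true' }}
        name: Check out user code to temp directory
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          path: ./user-code
          ref: ${{ env.COMMIT_REF }}
          # Same setting as the other source checkouts in this job: keeps the
          # job token out of ./user-code/.git/config, next to untrusted files.
          persist-credentials: 'false'

      # Move acceptable user changes into our main branch checkout
      # This is an allow-list by directory and file extension. Anything the
      # globs do not match (for example files under .github/ or at the
      # repository root) keeps the version from 'main'.
      # NOTE(review): lib/, middleware/, components/ and pages/ are executable
      # source, so PR-authored code still reaches the image build and the
      # preview app. Keep secrets and build args out of the build step below.
      - if: ${{ env.IS_PUBLIC_BUILD == 'true' }}
        name: Move acceptable user changes
        run: |
          # Make sure recursive path expansion is enabled
          shopt -s globstar
          rsync -rptovR ./user-code/content/./**/*.md ./content
          rsync -rptovR ./user-code/assets/./**/*.png ./assets
          rsync -rptovR ./user-code/data/./**/*.{yml,md} ./data
          rsync -rptovR ./user-code/components/./**/*.{scss,ts,tsx} ./components
          rsync -rptovR --ignore-missing-args ./user-code/lib/./**/*.{js,ts} ./lib
          rsync -rptovR --ignore-missing-args ./user-code/middleware/./**/*.{js,ts} ./middleware
          rsync -rptovR ./user-code/pages/./**/*.tsx ./pages
          rsync -rptovR ./user-code/stylesheets/./**/*.scss ./stylesheets

      # In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context
      - name: 'Prune for preview env'
        run: .github/actions-scripts/prune-for-preview-env.sh

      # The build receives only the workspace as context. No build secrets or
      # build args are passed to it.
      - name: 'Build and push image'
        uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b
        with:
          context: .
          push: true
          target: preview
          tags: ${{ env.DOCKER_IMAGE }}
          # we only pull the `main` cache image
          cache-from: type=registry,ref=${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview
          # `main-docker-cache.yml` handles updating the remote cache so we don't pollute it with PR specific code
          cache-to: ''

      # Succeed despite any non-zero exit code (e.g. if there is no deployment to cancel)
      # DEPLOYMENT_NAME is not defined in this file; presumably an earlier
      # script exports it through GITHUB_ENV (confirm). Both values are
      # passed as quoted shell variables instead of ${{ }} text substitution.
      - name: 'Cancel any existing deployments for this PR'
        env:
          RESOURCE_GROUP: ${{ secrets.PREVIEW_ENV_RESOURCE_GROUP }}
        run: |
          az deployment group cancel --name "$DEPLOYMENT_NAME" -g "$RESOURCE_GROUP" || true

      # Deploy ARM template is idempotent
      # Note: once the resources exist the image tag must change for a new deployment to occur (the image tag includes workflow run number, run attempt, as well as sha)
      - name: Run ARM deploy
        id: deploy
        uses: azure/arm-deploy@841b12551939c88af8f6df767c24c38a5620fd0d
        with:
          resourceGroupName: ${{ secrets.PREVIEW_ENV_RESOURCE_GROUP }}
          subscriptionId: ${{ secrets.NONPROD_SUBSCRIPTION_ID }}
          template: ./azure-preview-env-template.json
          deploymentName: ${{ env.DEPLOYMENT_NAME }}
          # Folded block scalar: the lines below are joined with single
          # spaces into one parameter string.
          # NOTE(review): the registry password travels as a template
          # parameter. Confirm the template declares it as a securestring so
          # it is not kept in the deployment history.
          parameters: >-
            appName="${{ env.APP_NAME }}"
            containerImage="${{ env.DOCKER_IMAGE }}"
            dockerRegistryUrl="${{ secrets.NONPROD_REGISTRY_SERVER }}"
            dockerRegistryUsername="${{ secrets.NONPROD_REGISTRY_USERNAME }}"
            dockerRegistryPassword="${{ secrets.NONPROD_REGISTRY_PASSWORD }}"
          # this shows warnings in the github actions console, because the flag is passed through a validation run,
          # but it *is* functional during the actual execution
          additionalArguments: --no-wait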