95b814b751
* Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP.
81 lines
3.3 KiB
YAML
81 lines
3.3 KiB
YAML
name: Upload Preview Build to Netlify
|
|
on:
|
|
workflow_run:
|
|
workflows: ["Build pull request"]
|
|
types:
|
|
- completed
|
|
jobs:
|
|
get-build-and-deploy:
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
runs-on: ubuntu-latest
|
|
if: >
|
|
${{ github.event.workflow_run.conclusion == 'success' }}
|
|
steps:
|
|
# There's a 'download artifact' action but it hasn't been updated for the
|
|
# workflow_run action (https://github.com/actions/download-artifact/issues/60)
|
|
# so instead we get this mess:
|
|
- name: Download artifact
|
|
uses: actions/github-script@v6.1.0
|
|
with:
|
|
script: |
|
|
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
run_id: ${{github.event.workflow_run.id }},
|
|
});
|
|
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
|
|
return artifact.name == "previewbuild"
|
|
})[0];
|
|
var download = await github.rest.actions.downloadArtifact({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
artifact_id: matchArtifact.id,
|
|
archive_format: 'zip',
|
|
});
|
|
var fs = require('fs');
|
|
fs.writeFileSync('${{github.workspace}}/previewbuild.zip', Buffer.from(download.data));
|
|
var prInfoArtifact = artifacts.data.artifacts.filter((artifact) => {
|
|
return artifact.name == "pr.json"
|
|
})[0];
|
|
var download = await github.rest.actions.downloadArtifact({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
artifact_id: prInfoArtifact.id,
|
|
archive_format: 'zip',
|
|
});
|
|
var fs = require('fs');
|
|
fs.writeFileSync('${{github.workspace}}/pr.json.zip', Buffer.from(download.data));
|
|
- name: Extract Artifacts
|
|
run: unzip -d dist previewbuild.zip && rm previewbuild.zip && unzip pr.json.zip && rm pr.json.zip
|
|
- name: Read PR Info
|
|
id: readctx
|
|
uses: actions/github-script@v6.1.0
|
|
with:
|
|
script: |
|
|
var fs = require('fs');
|
|
var pr = JSON.parse(fs.readFileSync('${{github.workspace}}/pr.json'));
|
|
console.log(`::set-output name=prnumber::${pr.number}`);
|
|
- name: Deploy to Netlify
|
|
id: netlify
|
|
uses: nwtgck/actions-netlify@b7c1504e00c6b8a249d1848cc1b522a4865eed99
|
|
with:
|
|
publish-dir: dist
|
|
deploy-message: "Deploy from GitHub Actions"
|
|
# These don't work because we're in workflow_run
|
|
enable-pull-request-comment: false
|
|
enable-commit-comment: false
|
|
env:
|
|
NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
|
|
NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE3_ID }}
|
|
timeout-minutes: 1
|
|
- name: Edit PR Description
|
|
uses: Beakyn/gha-comment-pull-request@2167a7aee24f9e61ce76a23039f322e49a990409
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
pull-request-number: ${{ steps.readctx.outputs.prnumber }}
|
|
description-message: |
|
|
Preview: ${{ steps.netlify.outputs.deploy-url }}
|
|
⚠️ Exercise caution. Use test accounts. ⚠️
|