-
-
Notifications
You must be signed in to change notification settings - Fork 51
147 lines (135 loc) · 5.9 KB
/
unsafe_docs_ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Copyright (c) 2022 Sharezone UG (haftungsbeschränkt)
# Licensed under the EUPL-1.2-or-later.
#
# You may obtain a copy of the Licence at:
# https://joinup.ec.europa.eu/software/page/eupl
#
# SPDX-License-Identifier: EUPL-1.2
# This workflow handles the CI for the docs.
#
# Therefore, it's only triggered on pull requests that make changes to the
# docs. It only contains jobs that require secrets. The jobs that don't
# require secrets are handled in the "safe_docs_ci.yml" workflow.
name: unsafe-docs-ci
concurrency:
group: unsafe-docs-ci-${{ github.head_ref }}
# In order to conserve the use of GitHub Actions, we cancel the running action
# of the previous commit. This means that if you first commit "A" and then
# commit "B" to the pull request a few minutes later, the workflow for commit
# "A" will be cancelled.
cancel-in-progress: true
on:
# Triggers the workflow on pull request events
pull_request_target:
types:
- opened
- synchronize
- reopened
# It's important to trigger this workflow again when the pull is changing
# from a draft pull request to a ready for review pull request.
#
# Some jobs are skipped when the pull request is a draft. Therefore, we
# need to trigger these jobs again when the pull request is changing to
# ready for review.
- ready_for_review
# Retrigger the workflow when label has been add to run the CI when the
# "safe to test" label is added.
- labeled
merge_group:
types:
- checks_requested
# Set permissions to none.
#
# Using the broad default permissions is considered a bad security practice
# and would cause alerts from our scanning tools.
permissions: {}
jobs:
# It's important that we run this job first, because we need to remove the
# "safe to test" label when the PR comes from a fork in order to ensure that
# every change is reviewed for security implications.
remove-safe-to-build-label:
runs-on: ubuntu-22.04
permissions:
# Required by the remove-safe-to-test-label action
contents: read
pull-requests: write
steps:
- name: Remove "safe to test" label, if PR is from a fork
uses: SharezoneApp/remove-safe-to-test-label@91b378205db41bb08dde8e4c4f2685847eb3d168
# We can't use the official "paths" filter because it has no support for merge
# groups and we would need some kind of fallback CI when a check is required
# but ignored because of the path filter.
#
# See:
# * https://github.com/community/community/discussions/45899 (merge groups)
# * https://github.com/github/docs/commit/4364076e0fb56c2579ae90cd048939eaa2c18954
# (workaround for required checks with path filters)
changes:
needs: remove-safe-to-build-label
runs-on: ubuntu-22.04
outputs:
changesFound: ${{ steps.filter.outputs.changesFound }}
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
with:
# Because we are using the "pull_request_target" event, we need to
# checkout the PR head commit instead of the merge commit.
ref: ${{ github.event.pull_request.head.sha }}
- uses: AurorNZ/paths-filter@3b1f3abc3371cca888d8eb03dfa70bc8a9867629
id: filter
with:
filters: |
changesFound:
# We only build and deploy a new version, when a user relevant files
# changed.
- "docs/**"
# We trigger also this workflow, if this workflow is changed, so that new
# changes will be applied.
- ".github/workflows/unsafe_docs_ci.yml"
# We are building for every PR a web preview, which will be deployed to
# Firebase Hosting. The link to the website will posted as comment (like:
# https://github.com/SharezoneApp/sharezone-app/pull/119#issuecomment-1030012299).
#
# The previews are helping reviewer and other users to quickly view the
# changes in a compiled version.
#
# A link to a preview expires after 3 days.
#
# Required steps to set this up:
# 1. Run "firebase init hosting:github"
# 2. Enable "Firebase Hosting API" in Google Cloud project
# 3. Write GitHub action job
# 4. Adjust website restrictions for Firebase Key "Sharezone Web Key".
web-preview:
needs: changes
if: ${{ github.event_name == 'pull_request_target' && needs.changes.outputs.changesFound == 'true'}}
runs-on: ubuntu-22.04
permissions:
pull-requests: write # for FirebaseExtended/action-hosting-deploy to comment on PRs
checks: write # for FirebaseExtended/action-hosting-deploy to comment on PRs (without write permissions for checks the action doesn't post a comment to the PR, we don't know why)
steps:
- name: Ensure PR has "safe to test" label, if PR is from a fork
uses: SharezoneApp/verify-safe-to-test-label@c1059d43fc918756660a700ca6d08e445ff314a2
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
with:
# Because we are using the "pull_request_target" event, we need to
# checkout the PR head commit instead of the merge commit.
ref: ${{ github.event.pull_request.head.sha }}
- name: Install dependencies
run: npm install -C docs/
- name: Build
run: npm run build -C docs/
- name: Deploy to Firebase Hosting
uses: FirebaseExtended/action-hosting-deploy@120e124148ab7016bec2374e5050f15051255ba2
with:
repoToken: ${{ secrets.GITHUB_TOKEN }}
firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_SHAREZONE_DEBUG }}
projectId: sharezone-debug
entryPoint: "./docs"
# The expiration date shouldn't be too high, because if we open a lot
# of pull requests, we will run out of quota (we get 429 errors).
expires: "3d"
target: "docs"
env:
# Required to deploy Next.js applications to Firebase Hosting
FIREBASE_CLI_EXPERIMENTS: webframeworks