Merge pull request #3 from MatrixAI/feature-workflows

Setup common workflows for all GH repositories (public/private)

Author: CMCDragonkai

.github/actions/secrets-parse/action.yml

@@ -0,0 +1,44 @@
+name: Secrets Bundle Parse
+description: |
+  Parses a secrets bundle and exports each secret as an environment variable.
+  Requires `jq`.
+
+inputs:
+  secrets:
+    required: true
+    description: |
+      Secret bundle created by block scalar `|` and `toJSON` which is used to
+      encode each secret into 1 line, allowing line-based separation per secret.
+
+      SECRETS: |
+        SECRET1=\$\{\{ toJSON(secrets.SECRET1) \}\}
+        SECRET2=\$\{\{ toJSON(secrets.SECRET2) \}\}
+        SECRET3=\$\{\{ toJSON(secrets.SECRET3) \}\}
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      env:
+        SECRETS: ${{ inputs.secrets }}
+      run: |
+        if ! type jq &> /dev/null; then
+          echo 'jq is not installed. Please install jq to proceed.'
+          exit 1
+        fi
+        delimiter="EOF-$RANDOM"
+        while IFS= read -r line; do
+          if [ -z "$line" ]; then
+            continue
+          fi
+          key="${line%%=*}"
+          json_value="${line#*=}"
+          value="$(jq -r '.' <<< "$json_value")"
+          # Mask the value (possibly multiline) from the logs 
+          while IFS= read -r line; do printf "::add-mask::%s\n" "$line"; done <<< "$value"
+          {
+            printf "%s<<%s\n" "$key" "$delimiter"
+            printf "%s\n" "$value"
+            printf "%s\n" "$delimiter"
+          } >> "$GITHUB_ENV"
+        done <<< "$SECRETS"

.github/workflows/application-js-cloudflare-feature-closed.yml

@@ -0,0 +1,58 @@
+name: "CI / Application JS Cloudflare Feature Closed"
+
+on:
+  workflow_call:
+    inputs:
+      appName:
+        type: string
+        required: true
+      appHostname:
+        type: string
+        required: true
+      featureBranch:
+        type: string
+        required: true
+    secrets:
+      NIXPKGS_PRIVATE_PAT:
+        required: true
+      CLOUDFLARE_ACCOUNT_ID:
+        required: true
+      CLOUDFLARE_ZONE_ID:
+        required: true
+      CLOUDFLARE_API_TOKEN:
+        required: true
+
+jobs:
+  feature-closed-deployment-stop:
+    name: "Feature Closed / Deployment Stop"
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/matrixai/github-runner
+    concurrency:
+      group: feature-closed-deployment-stop
+      cancel-in-progress: false
+    # Only run if the PR head is a feature branch
+    # This means the feature branch PR is closed
+    if: startsWith(inputs.featureBranch, 'feature')
+    permissions:
+      packages: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+      - name: Stop Deployment
+        env:
+          NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          APP_NAME: ${{ inputs.appName }}
+          APP_HOSTNAME: ${{ inputs.appHostname }}
+          FEATURE_BRANCH: ${{ inputs.featureBranch }}
+        run: |
+          echo 'Perform service undeployment for feature'
+          nix develop .#ci --command bash -c $'
+          wrangler delete --name "$APP_NAME-dev-$FEATURE_BRANCH" --force
+          ./scripts/certs-gc.sh "$FEATURE_BRANCH.dev.$APP_HOSTNAME"
+          '

.github/workflows/application-js-cloudflare-feature.yml

@@ -0,0 +1,105 @@
+name: "CI / Application JS Cloudflare Feature"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        default: master
+        description: >
+          Reference used for this repository, so we can re-use it when
+          referencing local actions, and avoid having to checkout this
+          repository separately.
+    secrets:
+      NIXPKGS_PRIVATE_PAT:
+        required: true
+      DEPLOY_SECRETS:
+        required: true
+
+jobs:
+  # Lint the code
+  feature-lint:
+    name: "Feature / Lint"
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/matrixai/github-runner
+    permissions:
+      packages: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+      - name: Run linting
+        env:
+          NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+        run: |
+          nix develop .#ci --command bash -c $'
+          npm run lint
+          '
+
+  # Build the public
+  feature-build:
+    name: "Feature / Build"
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/matrixai/github-runner
+    permissions:
+      packages: read
+      contents: read
+      actions: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+      - name: Run build
+        env:
+          NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+        run: |
+          nix develop .#ci --command bash -c $'
+          npm run build --verbose
+          '
+      - name: Upload Build
+        uses: actions/upload-artifact@v4
+        with:
+          name: public
+          path: ./public
+
+  # Deploy the public
+  feature-deployment:
+    name: "Feature / Deployment"
+    runs-on: ubuntu-latest
+    needs: feature-build
+    container:
+      image: ghcr.io/matrixai/github-runner
+    concurrency:
+      group: feature-deployment
+      cancel-in-progress: false
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4
+        with:
+          repository: MatrixAI/.github
+          ref: ${{ inputs.ref }}
+          path: tmp/.github
+      - name: Parse Secrets
+        uses: ./tmp/.github/.github/actions/secrets-parse
+        with:
+          secrets: ${{ secrets.DEPLOY_SECRETS }}
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+      - uses: actions/download-artifact@v4
+        with:
+          name: public
+          path: ./public
+      - name: Run deployment
+        env:
+          NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+        run: |
+          echo 'Perform service deployment for feature'
+          nix develop .#ci --command bash -c $'
+          npm run deploy -- \
+            --feature "$GITHUB_REF_NAME" \
+            --env "$GITHUB_REF_NAME"
+          '

.github/workflows/application-js-cloudflare-master.yml

@@ -0,0 +1,85 @@
+name: "CI / Application JS Cloudflare Master"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        default: master
+        description: >
+          Reference used for this repository, so we can re-use it when
+          referencing local actions, and avoid having to checkout this
+          repository separately.
+    secrets:
+      NIXPKGS_PRIVATE_PAT:
+        required: true
+      DEPLOY_SECRETS:
+        required: true
+
+jobs:
+  # Build the public - JS is platform-agnostic
+  master-build:
+    name: "Master / Build"
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/matrixai/github-runner
+    permissions:
+      packages: read
+      contents: read
+      actions: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+      - name: Run build
+        env:
+          NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+        run: |
+          nix develop .#ci --command bash -c $'
+          npm run build --verbose
+          '
+      - name: Upload Build
+        uses: actions/upload-artifact@v4
+        with:
+          name: public
+          path: ./public
+
+  # Deploy the public
+  master-deployment:
+    name: "Master / Deployment"
+    runs-on: ubuntu-latest
+    needs: master-build
+    container:
+      image: ghcr.io/matrixai/github-runner
+    concurrency:
+      group: master-deployment
+      cancel-in-progress: false
+    permissions:
+      packages: read
+      contents: read
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4
+        with:
+          repository: MatrixAI/.github
+          ref: ${{ inputs.ref }}
+          path: tmp/.github
+      - name: Parse Secrets
+        uses: ./tmp/.github/.github/actions/secrets-parse
+        with:
+          secrets: ${{ secrets.DEPLOY_SECRETS }}
+      - uses: actions/checkout@v4
+        with:
+          lfs: true
+      - uses: actions/download-artifact@v4
+        with:
+          name: public
+          path: ./public
+      - name: Run deployment
+        env:
+          NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+        run: |
+          echo 'Perform service deployment for master'
+          nix develop .#ci --command bash -c $'
+          npm run deploy -- --env master
+          '