diff --git a/.github/workflows/docs-preview-build.yml b/.github/workflows/docs-preview-build.yml
new file mode 100644
index 000000000000..dcfaad42e6d4
--- /dev/null
+++ b/.github/workflows/docs-preview-build.yml
@@ -0,0 +1,38 @@
+# This workflow builds the previews for pull requests when a certain label is applied.
+# The actual deployment happens as part of a dedicated second workflow to avoid security
+# issues where the building would otherwise occur in an authorized context where secrets
+# could be leaked. More details can be found here:
+
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/.
+
+name: Build docs for preview deployment
+
+on:
+ pull_request:
+ types: [synchronize, labeled]
+
+permissions: read-all
+
+jobs:
+ adev-build:
+ runs-on: ubuntu-latest
+ if: |
+ (github.event.action == 'labeled' && github.event.label.name == 'docs: preview') ||
+ (github.event.action == 'synchronize' && contains(github.event.pull_request.labels.*.name, 'docs: preview'))
+ steps:
+ - name: Initialize environment
+ uses: angular/dev-infra/github-actions/npm/checkout-and-setup-node@e4bf37af223483ce00f9316d227fd62cd744dc4b
+ - name: Setup Bazel
+ uses: angular/dev-infra/github-actions/bazel/setup@e4bf37af223483ce00f9316d227fd62cd744dc4b
+ - name: Setup Bazel RBE
+ uses: angular/dev-infra/github-actions/bazel/configure-remote@e4bf37af223483ce00f9316d227fd62cd744dc4b
+ - name: Install node modules
+ run: pnpm install --frozen-lockfile
+ - name: Build docs site
+ run: pnpm bazel build //docs:build.production
+ - uses: angular/dev-infra/github-actions/previews/pack-and-upload-artifact@b9bcdb3f9dff85fbfe8d1ca1d95531ddfe475f80
+ with:
+ workflow-artifact-name: 'docs-preview'
+ pull-number: '${{github.event.pull_request.number}}'
+ artifact-build-revision: '${{github.event.pull_request.head.sha}}'
+ deploy-directory: './dist/bin/docs/material-angular-io.production'
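Review bot: `permissions: read-all` gives the job token read access to every scope, while the steps visible here only appear to need the repository contents; because `pnpm install --frozen-lockfile` and `pnpm bazel build //docs:build.production` execute code from the pull request, I would replace it with a `permissions:` mapping that contains only `contents: read`. The header comment says this build must stay free of secrets, so it is also worth confirming that the `Setup Bazel RBE` step (`bazel/configure-remote`) leaves no credential on the runner that the later PR-controlled steps could read; that cannot be judged from this hunk. Minor: `pack-and-upload-artifact` is pinned to a different `angular/dev-infra` commit (`b9bcdb3f…`) than the three setup actions (`e4bf37af…`), and a short comment saying whether that is intentional would help the next person who bumps the pins.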
diff --git a/.github/workflows/docs-preview-deploy.yml b/.github/workflows/docs-preview-deploy.yml
new file mode 100644
index 000000000000..1d9658f59499
--- /dev/null
+++ b/.github/workflows/docs-preview-deploy.yml
@@ -0,0 +1,50 @@
+# This workflow runs whenever the ADEV build workflow has completed. Deployment happens
+# as part of a dedicated second workflow to avoid security issues where the building would
+# otherwise occur in an authorized context where secrets could be leaked.
+#
+# More details can be found here:
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/.
+
+name: Deploying docs preview to Firebase
+
+on:
+ workflow_run:
+ workflows: ['Build docs for preview deployment']
+ types: [completed]
+
+permissions:
+ # Needed in order to be able to comment on the pull request.
+ pull-requests: write
+ # Needed in order to checkout the repository
+ contents: read
+ # Needed in order to retrieve the artifacts from the previous job
+ actions: read
+
+env:
+ PREVIEW_PROJECT: ng-dev-previews
+ PREVIEW_SITE: ng-dev-previews-comp
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ token: '${{secrets.GITHUB_TOKEN}}'
+
+ - name: Configure Firebase deploy target
+ working-directory: ./
+ run: |
+ # We can use `npx` as the Firebase deploy actions uses it too.
+ npx -y firebase-tools@latest target:clear --config docs/firebase.json --project ${{env.PREVIEW_PROJECT}} hosting mat-aio
+ npx -y firebase-tools@latest target:apply --config docs/firebase.json --project ${{env.PREVIEW_PROJECT}} hosting mat-aio ${{env.PREVIEW_SITE}}
+
+ - uses: angular/dev-infra/github-actions/previews/upload-artifacts-to-firebase@b9bcdb3f9dff85fbfe8d1ca1d95531ddfe475f80
+ with:
+ github-token: '${{secrets.GITHUB_TOKEN}}'
+ workflow-artifact-name: 'docs-preview'
+ firebase-config-dir: './docs'
+ firebase-public-dir: './bin/docs/material-angular-io.production'
+ firebase-project-id: '${{env.PREVIEW_PROJECT}}'
+ firebase-service-key: '${{secrets.FIREBASE_PREVIEW_SERVICE_TOKEN}}'
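Review bot: Both `npx -y firebase-tools@latest` calls in the `Configure Firebase deploy target` step download and run whatever release is current at run time, inside the job that holds `pull-requests: write` and later passes `FIREBASE_PREVIEW_SERVICE_TOKEN`; every action in this workflow is pinned to a commit, so this is the one unpinned piece of code in the privileged half of the split. Pin an exact release, e.g. `npx -y firebase-tools@<pinned-version> target:clear …`, and bump it deliberately. The checkout step passes the token explicitly but keeps the default credential persistence, so adding `persist-credentials: false` under its `with:` would keep the token out of `.git/config` while the npx commands run. The header comment still refers to the "ADEV build workflow", although the trigger here is `Build docs for preview deployment`.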