Setup GitHub actions

Author: nicolo-ribaudo

.github/workflows/deploy.yml

@@ -0,0 +1,16 @@
+name: Deploy
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    name: Deploy DNS changes
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Deploy
+        run: |
+          docker run --rm -v "$(pwd):/dns" --env CLOUDFLARE_ACCOUNT_ID --env CLOUDFLARE_API_TOKEN ghcr.io/stackexchange/dnscontrol:4.18.0 push
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN_WRITE }}

.github/workflows/pr.yml

@@ -0,0 +1,39 @@
+name: Preview
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+jobs:
+  build:
+    name: Preview
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      # SECURITY: We are checking out dnsconfig.js and creds.json from the PR.
+      # These two files cannot perform I/O, and cannot thus be used to leak
+      # the secret tokens. As a second layer of security, for this job we use
+      # a Cloudflare API token with read-only permissions.
+      - name: Checkout config from PR
+        run: |
+          git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head
+          git checkout FETCH_HEAD -- dnsconfig.js
+      - name: Generate preview
+        id: preview
+        run: |
+          {
+            echo "dnscontrol<<DNS_CONTROL_PREVIEW_OUTPUT"
+            docker run --rm -v "$(pwd):/dns" --env CLOUDFLARE_ACCOUNT_ID --env CLOUDFLARE_API_TOKEN ghcr.io/stackexchange/dnscontrol:4.18.0 preview
+            echo "DNS_CONTROL_PREVIEW_OUTPUT"
+          } | tee -a $GITHUB_OUTPUT
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN_READ_ONLY }}
+      - name: Create comment
+        uses: babel/actions/create-comment@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          issue: ${{ github.event.pull_request.number }}
+          comment: |
+            Preview output:
+            ```
+            ${{ steps.preview.outputs.dnscontrol }}
+            ```

README.md

@@ -35,3 +35,19 @@ This is only needed when upgrading DNSControl.
 docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol:4.18.0 write-types
 ```
 
+## Contributing flow
+
+All changes to this repository must be made through pull requests. When opening a pull request, GitHub Actions will generate a previw of the DNS changes and post is as a comment.
+
+## Copying this repository for your organization
+
+Feel free to fork this repository in your own organization! Here is the recommended setup:
+- Babel's DNS is managed through Cloudflare:
+  - if you also use Cloudflare, you can copy the GitHub Actions workflows as-is. You will need to provide the following secrets: `CLOUDFLARE_ACCOUNT_ID`, `CLOUDFLARE_API_TOKEN_WRITE` (with the permissions described in the [DNSControl documentation](https://docs.dnscontrol.org/provider/cloudflareapi#api-tokens-recommended)), `CLOUDFLARE_API_TONEN_READ_ONLY` (same as `CLOUDFLARE_API_TOKEN_WRITE`, but will all permissions set to "Read").
+  - if you use any other provider, check on the DNSControl documentation how to configure it and update the GitHub Actions workflow to pass the correct environment variables to the Docker container.
+- In the GitHub repository [settings for for branches](https://github.com/babel/dns/settings/branches), create a rule for the `main` branch with the following restrictions:
+  - Require linear history
+  - Require a pull request before merging
+  - Require status checks to pass
+    - Require branches to be up to date before merging
+    - Select the "Preview" check as required