ci: modernize workflows to support fork pr previews #2116
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,38 @@ | ||
| # Build workflow - runs for both PRs and main branch pushes | ||
| # This workflow builds the website without access to secrets | ||
| # For PRs: Runs on untrusted fork code safely (using pull_request event, not pull_request_target) | ||
| # For main: Builds and uploads artifacts for deployment | ||
| # Artifacts are passed to the deploy workflow which has access to secrets | ||
|
|
||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
||
| env: | ||
| BUILD_PATH: 'docs/.vuepress/dist' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| # No ref parameter needed - uses correct ref automatically: | ||
|
There was a problem hiding this comment. The problem with this, which I just realised, is that this will cause ipfs-deploy-action to set the commit status for merge SHA commits that aren't visible in the pull request. Both Cloudflare Pages and Vercel use the PR head commit for the following reasons:
If we want to ensure that PRs are up to date and avoid merge conflicts, we can require branches to be up to date before merging in the branch protection rules in GitHub. There was a problem hiding this comment. I'm currently testing this in this PR: #2119 There was a problem hiding this comment. For some reason, with #2119 the commit SHA that was used in the PR comment is I'm currently investigating why. There was a problem hiding this comment. I can confirm now that there's a discrepancy between the commit SHA used for the build and the commit SHA used to update the comment. You can see it here: https://github.com/ipfs/ipfs-docs/actions/runs/17208024892/job/48812841343#step:2:87 It's checking out and building e8daa37, but setting the commit status for a3bd938. |
||
| # - For PRs: merge commit (PR changes + latest main) | ||
| # - For pushes: the pushed commit | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
|
|
@@ -31,16 +41,15 @@ jobs: | |
| cache: 'npm' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci --prefer-offline --no-audit --progress=false | ||
|
|
||
| - name: Build project | ||
| run: npm run docs:build | ||
|
|
||
| # Upload artifact for deploy workflow | ||
| - name: Upload build artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: docs-build-${{ github.run_id }} | ||
| path: ${{ env.BUILD_PATH }} | ||
| retention-days: 1 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| # Deploy workflow - triggered by workflow_run after successful build | ||
| # This workflow has access to secrets but never executes untrusted code | ||
| # It only downloads and deploys pre-built artifacts from the build workflow | ||
| # Security: Fork code cannot access secrets as it only runs in build workflow | ||
| # Deploys to IPFS for all branches | ||
|
|
||
| name: Deploy | ||
|
|
||
| # Explicitly declare permissions | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| statuses: write | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["Build"] | ||
| types: [completed] | ||
|
|
||
| env: | ||
| BUILD_PATH: 'docs-build' | ||
2color marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| jobs: | ||
| deploy-ipfs: | ||
| if: github.event.workflow_run.conclusion == 'success' | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| cid: ${{ steps.deploy.outputs.cid }} | ||
| steps: | ||
| - name: Download build artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: docs-build-${{ github.event.workflow_run.id }} | ||
| path: ${{ env.BUILD_PATH }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| github-token: ${{ github.token }} | ||
|
|
||
| - name: Deploy to IPFS | ||
| uses: ipfs/ipfs-deploy-action@b491fdc2b1ca70a9b11b1a26dd4d36210c46653f # ipfs-deploy-action/pull/37 | ||
| id: deploy | ||
| with: | ||
| path-to-deploy: ${{ env.BUILD_PATH }} | ||
| storacha-key: ${{ secrets.STORACHA_KEY }} | ||
| storacha-proof: ${{ secrets.STORACHA_PROOF }} | ||
| github-token: ${{ github.token }} | ||
|
|
||
| # TODO: Add DNSLink update when needed | ||
| #- name: Update DNSLink | ||
| # if: github.event.workflow_run.head_branch == 'main' | ||
| # uses: ipfs/[email protected] | ||
| # with: | ||
| # cid: ${{ steps.deploy.outputs.cid }} | ||
| # dnslink_domain: 'docs.ipfs.tech' | ||
| # cf_record_id: ${{ secrets.CF_RECORD_ID }} | ||
| # cf_zone_id: ${{ secrets.CF_ZONE_ID }} | ||
| # cf_auth_token: ${{ secrets.CF_AUTH_TOKEN }} | ||
| # github_token: ${{ github.token }} | ||
| # set_github_status: true | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does change the behaviour to checkout the merge commit. I guess there's a reason for this being the default. So let's give it a go and change if needed in the future.