ci: modernize workflows to support fork pr previews #2116
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,38 @@ | ||
| # Build workflow - runs for both PRs and main branch pushes | ||
| # This workflow builds the website without access to secrets | ||
| # For PRs: Runs on untrusted fork code safely (using pull_request event, not pull_request_target) | ||
| # For main: Builds and uploads artifacts for deployment | ||
| # Artifacts are passed to the deploy workflow which has access to secrets | ||
|
|
||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
||
| env: | ||
| BUILD_PATH: 'docs/.vuepress/dist' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| # No ref parameter needed - uses correct ref automatically: | ||
|
There was a problem hiding this comment. The problem with this, which I just realised, is that this will cause ipfs-deploy-action to set the commit status for merge SHA commits that aren't visible in the pull request. Both Cloudflare Pages and Vercel use the PR head commit for the following reasons:
If we want to ensure that PRs are up to date and avoid merge conflicts, we can require branches to be up to date before merging in the branch protection rules in GitHub. There was a problem hiding this comment. I'm currently testing this in this PR: #2119 There was a problem hiding this comment. For some reason, with #2119 the commit SHA that was used in the PR comment is I'm currently investigating why. There was a problem hiding this comment. I can confirm now that there's a discrepancy between the commit SHA used for the build and the commit SHA used to update the comment. You can see it here: https://github.com/ipfs/ipfs-docs/actions/runs/17208024892/job/48812841343#step:2:87 It's checking out and building e8daa37, but setting the commit status for a3bd938. |
||
| # - For PRs: merge commit or PR head | ||
|
||
| # - For pushes: the pushed commit | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
|
|
@@ -31,16 +41,15 @@ jobs: | |
| cache: 'npm' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci --prefer-offline --no-audit --progress=false | ||
|
|
||
| - name: Build project | ||
| run: npm run docs:build | ||
|
|
||
| # Upload artifact for deploy workflow | ||
| - name: Upload build artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: docs-build-${{ github.run_id }} | ||
| path: ${{ env.BUILD_PATH }} | ||
| retention-days: 1 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| # Deploy workflow - triggered by workflow_run after successful build | ||
| # This workflow has access to secrets but never executes untrusted code | ||
| # It only downloads and deploys pre-built artifacts from the build workflow | ||
| # Security: Fork code cannot access secrets as it only runs in build workflow | ||
| # Deploys to IPFS for all branches | ||
|
|
||
| name: Deploy | ||
|
|
||
| # Explicitly declare permissions | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| statuses: write | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["Build"] | ||
| types: [completed] | ||
|
|
||
| env: | ||
| BUILD_PATH: 'docs-build' | ||
2color marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| jobs: | ||
| deploy-ipfs: | ||
| if: github.event.workflow_run.conclusion == 'success' | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| cid: ${{ steps.deploy.outputs.cid }} | ||
| steps: | ||
| - name: Download build artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: docs-build-${{ github.event.workflow_run.id }} | ||
| path: ${{ env.BUILD_PATH }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| github-token: ${{ github.token }} | ||
|
|
||
| - name: Deploy to IPFS | ||
| uses: ipfs/ipfs-deploy-action@b491fdc2b1ca70a9b11b1a26dd4d36210c46653f # ipfs-deploy-action/pull/37 | ||
| id: deploy | ||
| with: | ||
| path-to-deploy: ${{ env.BUILD_PATH }} | ||
| storacha-key: ${{ secrets.STORACHA_KEY }} | ||
| storacha-proof: ${{ secrets.STORACHA_PROOF }} | ||
| github-token: ${{ github.token }} | ||
|
|
||
| # TODO: Add DNSLink update when needed | ||
| #- name: Update DNSLink | ||
| # if: github.event.workflow_run.head_branch == 'main' | ||
| # uses: ipfs/[email protected] | ||
| # with: | ||
| # cid: ${{ steps.deploy.outputs.cid }} | ||
| # dnslink_domain: 'docs.ipfs.tech' | ||
| # cf_record_id: ${{ secrets.CF_RECORD_ID }} | ||
| # cf_zone_id: ${{ secrets.CF_ZONE_ID }} | ||
| # cf_auth_token: ${{ secrets.CF_AUTH_TOKEN }} | ||
| # github_token: ${{ github.token }} | ||
| # set_github_status: true | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does change the behaviour to checkout the merge commit. I guess there's a reason for this being the default. So let's give it a go and change if needed in the future.