feat: set up Secure Your Fleet use case #2366
Workflow file for this run
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | name: Build and deploy (docs) | |
| on: | |
| repository_dispatch: | |
| types: [trigger-preview-build] | |
| workflow_call: | |
| inputs: | |
| environment: | |
| description: "Deployment environment. Must be one of preview, dev, staging, or prod" | |
| required: true | |
| default: preview | |
| type: string | |
| secrets: | |
| AZURE_CREDENTIALS_DOCS: | |
| required: true | |
| AZURE_KEY_VAULT_DOCS: | |
| required: true | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "Environment to deploy to" | |
| required: true | |
| default: "preview" | |
| type: choice | |
| options: | |
| - preview | |
| - dev | |
| - staging | |
| - prod | |
| hugo_theme_override: | |
| description: "Override hugo theme (leave blank to use latest version)" | |
| required: false | |
| default: "" | |
| type: string | |
| pull_request: | |
| branches: | |
| - "**" | |
| push: | |
| branches: | |
| - "main" | |
| env: | |
| FRONT_DOOR_USERNAME: ${{ secrets.FRONT_DOOR_USERNAME }} | |
| FRONT_DOOR_PASSWORD: ${{ secrets.FRONT_DOOR_PASSWORD }} | |
| GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} | |
| jobs: | |
| prod-check-branch: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Output variables | |
| run: | | |
| echo "Environment: ${{ inputs.environment || github.event.client_payload.environment }}" | |
| echo "Branch: ${{ github.ref }}" | |
| - name: Checks to see that main branch is selected if deploying to prod | |
| if: ${{ inputs.environment == 'prod' && github.ref != 'refs/heads/main' }} | |
| run: | | |
| echo "Deployment to 'prod' can only be done from the 'main' branch." | |
| exit 1 | |
| call-docs-build-push: | |
| needs: prod-check-branch | |
| uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@9c59fab05a8131f4d691ba6ea2b6a119f3ef832a # v1.0.7 | |
| with: | |
| production_url_path: "" | |
| preview_url_path: "${{ vars.PREVIEW_URL_PATH }}" | |
| docs_source_path: "public" | |
| docs_build_path: "./" | |
| doc_type: "hugo" | |
| environment: ${{ inputs.environment || github.event.client_payload.environment }} | |
| force_hugo_theme_version: ${{inputs.hugo_theme_override}} | |
| auto_deploy_branch: "main" | |
| auto_deploy_env: "prod" | |
| secrets: | |
| AZURE_CREDENTIALS: ${{secrets.AZURE_CREDENTIALS_DOCS}} | |
| AZURE_KEY_VAULT: ${{secrets.AZURE_KEY_VAULT_DOCS}} | |
| trigger-theme-slack-notification: | |
| if: github.event_name == 'repository_dispatch' | |
| needs: call-docs-build-push | |
| runs-on: ubuntu-latest | |
| permissions: read-all | |
| steps: | |
| - name: Trigger 'Slack notification for new theme release' workflow in 'nginx-hugo-theme' repo. | |
| run: | | |
| curl -L \ | |
| -X POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: Bearer ${{ secrets.THEME_SLACK_FLOW_PAT }}" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/repos/${{ secrets.OWNER }}/${{ secrets.REPO }}/dispatches" \ | |
| -d "{\"event_type\": \"trigger-slack-notification\", \"client_payload\": {\"previewURL\": \"${{ env.PREVIEW_URL }}\", \"author\": \"${{ github.event.client_payload.author}}\", \"tag_name\": \"${{ github.event.client_payload.tag_name }}\", \"release_name\": \"${{ github.event.client_payload.release_name }}\"}}" | |
| env: | |
| PREVIEW_URL: ${{ needs.call-docs-build-push.outputs.PREVIEW_URL }} | |
| lighthouseci: | |
| if: github.event.pull_request | |
| needs: call-docs-build-push | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.workflow_run.head_branch }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18 | |
| - name: Installing packages | |
| run: npm install | |
| - name: Generating lighthouse reports for PR and main... | |
| run: | | |
| node lighthouse-script.js | |
| - name: Compare the artifacts for negative differences in performance | |
| continue-on-error: true | |
| run: | | |
| FIELDS=("performance" "accessibility") | |
| for FIELD in "${FIELDS[@]}"; do | |
| PR_VALUE=$(cat lighthouse-reports/pr-report.json | jq -r ".categories.$FIELD.score") | |
| MAIN_VALUE=$(cat lighthouse-reports/main-report.json | jq -r ".categories.$FIELD.score") | |
| echo "$FIELD: PR - $PR_VALUE | Main - $MAIN_VALUE" | |
| if [ $FIELD = "performance" ]; then | |
| LOWER_BOUND=$(echo "$MAIN_VALUE - 0.05" | bc) | |
| UPPER_BOUND=$(echo "$MAIN_VALUE + 0.05" | bc) | |
| if (( $(echo "$PR_VALUE < $LOWER_BOUND" | bc -l) || $(echo "$PR_VALUE > $UPPER_BOUND" | bc -l) )); then | |
| echo "Error: $FIELD score in PR ($PR_VALUE) is less than in MAIN ($MAIN_VALUE)" | |
| exit 1 | |
| fi | |
| else | |
| if (( $(echo "$PR_VALUE < $MAIN_VALUE" | bc -l) )); then | |
| echo "Error: $FIELD score in PR ($PR_VALUE) is less than in MAIN ($MAIN_VALUE)" | |
| exit 1 | |
| fi | |
| fi | |
| done | |
| - uses: actions/upload-artifact@v4 | |
| if: ${{ !cancelled() }} | |
| with: | |
| name: lighthouse-reports | |
| path: lighthouse-reports/ | |
| retention-days: 30 |