-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathaction.yml
More file actions
290 lines (271 loc) · 10.6 KB
/
Copy pathaction.yml
File metadata and controls
290 lines (271 loc) · 10.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# SPDX-License-Identifier: EUPL-1.2
name: 'Deploy to ZAD'
description: 'Deploy a container image to ZAD Operations Manager'
author: 'RijksICTGilde'
branding:
icon: 'upload-cloud'
color: 'blue'
inputs:
api-key:
description: 'ZAD API key (ZAD_API_KEY secret)'
required: true
project-id:
description: 'ZAD project identifier (e.g., regel-k4c)'
required: true
deployment-name:
description: 'Name of the deployment (e.g., pr-73, production)'
required: true
component:
description: 'Component reference (e.g., editor, api, my.service)'
required: true
image:
description: 'Full container image URI (e.g., ghcr.io/org/app:tag)'
required: true
clone-from:
description: 'Clone configuration from existing deployment (optional)'
required: false
default: ''
force-clone:
description: 'Force clone even if deployment exists (optional, default: false)'
required: false
default: 'false'
api-base-url:
description: 'ZAD Operations Manager API base URL'
required: false
default: 'https://operations-manager.rig.prd1.gn2.quattro.rijksapps.nl/api'
comment-on-pr:
description: 'Post/update a comment on the PR with the deployment URL'
required: false
default: 'false'
github-token:
description: 'GitHub token for PR commenting (defaults to automatic token)'
required: false
default: ${{ github.token }}
comment-header:
description: 'Custom header for the PR comment (default: "## 🚀 Preview Deployment")'
required: false
default: '## 🚀 Preview Deployment'
wait-for-ready:
description: 'Wait for deployment to be reachable before continuing'
required: false
default: 'false'
health-endpoint:
description: 'Endpoint to check for readiness (e.g., /, /health)'
required: false
default: '/'
wait-timeout:
description: 'Maximum time to wait for deployment in seconds'
required: false
default: '300'
wait-interval:
description: 'Seconds between readiness checks'
required: false
default: '10'
qr-code:
description: 'Include QR code in PR comment for mobile access (generated locally via qrencode)'
required: false
default: 'false'
outputs:
url:
description: 'URL of the deployed application'
value: ${{ steps.deploy.outputs.url }}
runs:
using: 'composite'
steps:
- name: Deploy to ZAD
id: deploy
shell: bash
env:
ZAD_API_KEY: ${{ inputs.api-key }}
PROJECT_ID: ${{ inputs.project-id }}
DEPLOYMENT_NAME: ${{ inputs.deployment-name }}
COMPONENT: ${{ inputs.component }}
IMAGE: ${{ inputs.image }}
CLONE_FROM: ${{ inputs.clone-from }}
FORCE_CLONE: ${{ inputs.force-clone }}
API_BASE_URL: ${{ inputs.api-base-url }}
run: |
# Validate inputs FIRST (before logging)
# Allow alphanumeric, hyphens, underscores, and dots
if ! echo "$PROJECT_ID" | grep -qE '^[a-zA-Z0-9._-]+$'; then
echo "Error: project-id contains invalid characters (allowed: a-z, A-Z, 0-9, ., _, -)"
exit 1
fi
if ! echo "$DEPLOYMENT_NAME" | grep -qE '^[a-zA-Z0-9._-]+$'; then
echo "Error: deployment-name contains invalid characters (allowed: a-z, A-Z, 0-9, ., _, -)"
exit 1
fi
if ! echo "$COMPONENT" | grep -qE '^[a-zA-Z0-9._-]+$'; then
echo "Error: component contains invalid characters (allowed: a-z, A-Z, 0-9, ., _, -)"
exit 1
fi
if [ -n "$CLONE_FROM" ] && ! echo "$CLONE_FROM" | grep -qE '^[a-zA-Z0-9._-]+$'; then
echo "Error: clone-from contains invalid characters (allowed: a-z, A-Z, 0-9, ., _, -)"
exit 1
fi
# Now safe to log validated inputs
echo "Deploying to ZAD..."
echo "Project: $PROJECT_ID"
echo "Deployment: $DEPLOYMENT_NAME"
echo "Component: $COMPONENT"
echo "Image: $IMAGE"
if [ -n "$CLONE_FROM" ]; then
echo "Cloning config from: $CLONE_FROM (force: $FORCE_CLONE)"
fi
# Build the request payload
if [ -n "$CLONE_FROM" ]; then
FORCE_CLONE_BOOL="false"
if [ "$FORCE_CLONE" = "true" ]; then
FORCE_CLONE_BOOL="true"
fi
PAYLOAD=$(jq -n \
--arg name "$DEPLOYMENT_NAME" \
--arg ref "$COMPONENT" \
--arg image "$IMAGE" \
--arg clone "$CLONE_FROM" \
--argjson force "$FORCE_CLONE_BOOL" \
'{
deploymentName: $name,
cloneFrom: $clone,
forceClone: $force,
components: [{
reference: $ref,
image: $image
}]
}')
else
PAYLOAD=$(jq -n \
--arg name "$DEPLOYMENT_NAME" \
--arg ref "$COMPONENT" \
--arg image "$IMAGE" \
'{
deploymentName: $name,
components: [{
reference: $ref,
image: $image
}]
}')
fi
# Make the API call (60s timeout)
RESPONSE=$(curl -s -w "\n%{http_code}" \
--max-time 60 \
-X POST \
-H "X-API-Key: $ZAD_API_KEY" \
-H "Content-Type: application/json" \
-d "$PAYLOAD" \
"$API_BASE_URL/projects/$PROJECT_ID/:upsert-deployment")
HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
BODY=$(echo "$RESPONSE" | sed '$d')
if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
echo "Deployment successful (HTTP $HTTP_CODE)"
echo "$BODY" | jq . 2>/dev/null || echo "$BODY"
# Construct the URL (standard ZAD URL pattern)
URL="https://${COMPONENT}-${DEPLOYMENT_NAME}-${PROJECT_ID}.rig.prd1.gn2.quattro.rijksapps.nl"
echo "url=$URL" >> "$GITHUB_OUTPUT"
echo "Deployed to: $URL"
elif [ "$HTTP_CODE" -eq 000 ]; then
echo "::error::Deployment failed: Unable to connect to ZAD API"
echo "::error::This could be a network issue or the API may be unavailable"
echo "::error::Please verify the API URL: $API_BASE_URL"
exit 1
elif [ "$HTTP_CODE" -eq 401 ]; then
echo "::error::Deployment failed: Authentication failed (HTTP 401)"
echo "::error::Please verify your ZAD_API_KEY secret is correct and not expired"
exit 1
elif [ "$HTTP_CODE" -eq 403 ]; then
echo "::error::Deployment failed: Access denied (HTTP 403)"
echo "::error::Your API key may not have permission for project '$PROJECT_ID'"
exit 1
elif [ "$HTTP_CODE" -eq 404 ]; then
echo "::error::Deployment failed: Project not found (HTTP 404)"
echo "::error::Please verify project-id '$PROJECT_ID' exists in ZAD"
exit 1
elif [ "$HTTP_CODE" -ge 500 ]; then
echo "::error::Deployment failed: ZAD API server error (HTTP $HTTP_CODE)"
echo "::error::This is likely a temporary issue. Please try again later"
echo "$BODY"
exit 1
else
echo "::error::Deployment failed (HTTP $HTTP_CODE)"
echo "$BODY"
exit 1
fi
- name: Wait for deployment to be ready
if: inputs.wait-for-ready == 'true'
shell: bash
env:
DEPLOYMENT_URL: ${{ steps.deploy.outputs.url }}
HEALTH_ENDPOINT: ${{ inputs.health-endpoint }}
WAIT_TIMEOUT: ${{ inputs.wait-timeout }}
WAIT_INTERVAL: ${{ inputs.wait-interval }}
run: |
URL="${DEPLOYMENT_URL}${HEALTH_ENDPOINT}"
echo "Waiting for $URL to be ready..."
ELAPSED=0
while [ "$ELAPSED" -lt "$WAIT_TIMEOUT" ]; do
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$URL" || echo "000")
if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 400 ]; then
echo "Deployment is ready (HTTP $HTTP_CODE)"
exit 0
fi
echo "Waiting... (HTTP $HTTP_CODE, ${ELAPSED}s elapsed)"
sleep "$WAIT_INTERVAL"
ELAPSED=$((ELAPSED + WAIT_INTERVAL))
done
echo "::error::Deployment did not become ready within ${WAIT_TIMEOUT}s"
exit 1
- name: Generate QR code
id: qr
if: inputs.qr-code == 'true' && inputs.comment-on-pr == 'true' && github.event_name == 'pull_request'
shell: bash
env:
DEPLOYMENT_URL: ${{ steps.deploy.outputs.url }}
run: |
sudo apt-get install -y qrencode >/dev/null 2>&1 || true
if command -v qrencode &> /dev/null; then
QR_BASE64=$(qrencode -o - -t PNG -s 4 -m 1 "$DEPLOYMENT_URL" | base64 -w0)
IMG="<img src='data:image/png;base64,${QR_BASE64}' width='100' height='100' align='right' alt='QR code'>"
echo "html=${IMG}" >> "$GITHUB_OUTPUT"
else
echo "Warning: qrencode not available, skipping QR code"
fi
- name: Comment on PR
if: inputs.comment-on-pr == 'true' && github.event_name == 'pull_request'
shell: bash
env:
GH_TOKEN: ${{ inputs.github-token }}
DEPLOYMENT_URL: ${{ steps.deploy.outputs.url }}
COMMENT_HEADER: ${{ inputs.comment-header }}
PR_NUMBER: ${{ github.event.pull_request.number }}
GITHUB_REPOSITORY: ${{ github.repository }}
QR_HTML: ${{ steps.qr.outputs.html }}
run: |
# Build the comment body
COMMENT_BODY="${COMMENT_HEADER}"$'\n\n'
if [ -n "$QR_HTML" ]; then
COMMENT_BODY+="${QR_HTML}"$'\n\n'
fi
COMMENT_BODY+="Your changes have been deployed to a preview environment:"$'\n\n'
COMMENT_BODY+="**URL:** ${DEPLOYMENT_URL}"$'\n\n'
COMMENT_BODY+="This deployment will be automatically cleaned up when the PR is closed."
# Check for existing comment from this action (identified by header)
EXISTING_COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
--jq ".[] | select(.body | startswith(\"${COMMENT_HEADER}\")) | .id" \
2>/dev/null | head -n1 || echo "")
if [ -n "$EXISTING_COMMENT_ID" ]; then
# Update existing comment
echo "Updating existing PR comment (ID: $EXISTING_COMMENT_ID)"
gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_COMMENT_ID}" \
-X PATCH \
-f body="$COMMENT_BODY" \
--silent
echo "PR comment updated"
else
# Create new comment
echo "Creating new PR comment"
gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
-X POST \
-f body="$COMMENT_BODY" \
--silent
echo "PR comment created"
fi