feat(veans): build and publish veans alongside vikunja #1863
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Preview | |
| on: | |
| # pull_request_target gives write access to GHCR even for PRs from forks. | |
| # This is safe because: | |
| # 1. We explicitly checkout the PR's head commit (no base branch code execution) | |
| # 2. We ONLY build a Docker image (isolated container, no workflow scripts from PR) | |
| # 3. The github-script step only uses safe PR metadata (number, SHA) — no PR-supplied | |
| # text (title, body, commit messages) is interpolated, so there is no injection risk | |
| # 4. Build happens in isolated Docker container with well-defined Dockerfile | |
| pull_request_target: | |
| jobs: | |
| docker: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Free Disk Space | |
| uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 | |
| with: | |
| large-packages: false | |
| docker-images: false | |
| swap-storage: false | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| with: | |
| # For pull_request_target, we need to explicitly fetch the PR ref from forks | |
| # since the PR's commit SHA is not reachable in the base repository. | |
| # This is safe because no PR code is executed in workflow context. | |
| # Only Docker build uses the PR code (isolated in container). | |
| ref: refs/pull/${{ github.event.pull_request.number }}/head | |
| - name: Git describe | |
| id: ghd | |
| uses: proudust/gh-describe@v2 | |
| - name: Login to GHCR | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| with: | |
| version: latest | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} | |
| tags: | | |
| type=ref,event=pr | |
| type=sha,format=long | |
| - name: Build and push PR image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 | |
| with: | |
| context: . | |
| platforms: linux/amd64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| RELEASE_VERSION=${{ steps.ghd.outputs.describe }} | |
| - name: Comment on PR | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| env: | |
| DOCKER_META_TAGS: ${{ steps.meta.outputs.tags }} | |
| with: | |
| script: | | |
| const prNumber = context.payload.pull_request.number; | |
| const base = 'preview.vikunja.dev'; | |
| const image = `ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}`; | |
| const marker = '<!-- vikunja-preview-comment -->'; | |
| // Extract the SHA tag from docker meta output (the actual tag pushed to GHCR) | |
| const metaTags = process.env.DOCKER_META_TAGS.split('\n').map(t => t.trim()).filter(Boolean); | |
| const shaImageRef = metaTags.find(t => t.includes(':sha-')); | |
| const shaTag = shaImageRef ? shaImageRef.split(':').pop() : null; | |
| const shortSha = shaTag ? shaTag.replace('sha-', '').substring(0, 7) : context.payload.pull_request.head.sha.substring(0, 7); | |
| const prTag = `pr-${prNumber}`; | |
| const newShaRow = shaTag | |
| ? `| https://${shaTag}.${base} | \`${image}:${shaTag}\` | \`${shortSha}\` |` | |
| : ''; | |
| // Collect previous SHA rows from existing comment | |
| let previousShaRows = []; | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: prNumber, | |
| }); | |
| const existing = comments.find(c => c.body.includes(marker)); | |
| if (existing) { | |
| previousShaRows = existing.body | |
| .split('\n') | |
| .filter(l => l.includes(`sha-`) && l.includes(`.${base}`)); | |
| } | |
| // Remove duplicate if this SHA was already recorded | |
| if (shaTag) { | |
| previousShaRows = previousShaRows.filter(r => !r.includes(shaTag)); | |
| } | |
| const allShaRows = [newShaRow, ...previousShaRows].filter(Boolean).join('\n'); | |
| const body = [ | |
| marker, | |
| `### Preview Deployment`, | |
| ``, | |
| `Preview deployments for this PR are available at:`, | |
| ``, | |
| `| URL | Tag | Commit |`, | |
| `| --- | --- | --- |`, | |
| `| https://${prTag}.${base} | \`${image}:${prTag}\` | latest |`, | |
| allShaRows, | |
| ``, | |
| `The preview environment will start automatically on first visit. Subsequent pushes to this PR will update the \`${prTag}\` image — the preview picks up the new version on restart. The per-commit URLs point to a specific version and will not change.`, | |
| ``, | |
| `<details>`, | |
| `<summary>Run locally with Docker</summary>`, | |
| ``, | |
| '```bash', | |
| `docker pull ${image}:${prTag}`, | |
| `docker run -p 3456:3456 ${image}:${prTag}`, | |
| '```', | |
| `</details>`, | |
| ``, | |
| `_Last updated for commit ${shortSha}_`, | |
| ].join('\n'); | |
| if (existing) { | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: existing.id, | |
| body, | |
| }); | |
| } else { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: prNumber, | |
| body, | |
| }); | |
| } |