chore(ci): add IPFS and DNSLink deployment

lidel · lidel · commit 3e868ca00d91 · 2026-01-06T00:57:23.000+01:00
- add build.yml workflow to package web/ directory - add deploy.yml with IPFS cluster, DNSLink, and GitHub Pages - remove old deploy-pages.yml - DNSLink domain: check-ipfs-tech.dnslinks.ipshipyard.tech Related: ipshipyard/waterworks-community#23
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,41 @@
+# Build workflow - runs for both PRs and main branch pushes
+# This workflow packages the website without access to secrets
+# Static files from web/ directory are used as-is (no build step)
+# Artifacts are passed to the deploy workflow which has access to secrets
+
+name: Build
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+env:
+  BUILD_PATH: 'web'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+
+      # Upload artifact for deploy workflow
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: website-build-${{ github.run_id }}
+          path: ${{ env.BUILD_PATH }}
+          retention-days: 1
diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,97 @@
+# Deploy workflow - triggered by workflow_run after successful build
+# This workflow has access to secrets but never executes untrusted code
+# It only downloads and deploys pre-built artifacts from the build workflow
+# Security: Fork code cannot access secrets as it only runs in build workflow
+# Deploys to IPFS for all branches and GitHub Pages for main branch only
+
+name: Deploy
+
+# Explicitly declare permissions
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+  statuses: write
+
+on:
+  workflow_run:
+    workflows: ["Build"]
+    types: [completed]
+
+env:
+  BUILD_PATH: 'website-build'
+
+jobs:
+  deploy-ipfs:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    outputs:
+      cid: ${{ steps.deploy.outputs.cid }}
+    environment:
+      name: 'ipfs-publish'
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: website-build-${{ github.event.workflow_run.id }}
+          path: ${{ env.BUILD_PATH }}
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Deploy to IPFS
+        uses: ipshipyard/ipfs-deploy-action@v1
+        id: deploy
+        with:
+          path-to-deploy: ${{ env.BUILD_PATH }}
+          cluster-url: "/dnsaddr/ipfs-websites.collab.ipfscluster.io"
+          cluster-user: ${{ secrets.CLUSTER_USER }}
+          cluster-password: ${{ secrets.CLUSTER_PASSWORD }}
+          cluster-pin-expire-in: ${{ github.event.workflow_run.head_branch != 'main' && '2160h' || '' }}
+          github-token: ${{ github.token }}
+
+  dnslink-update:
+    runs-on: ubuntu-latest
+    needs: deploy-ipfs
+    if: github.event.workflow_run.head_branch == 'main'
+    environment:
+      name: 'cf-dnslink'
+      url: "https://check-ipfs-tech.ipns.inbrowser.link/"
+    steps:
+      - name: Update DNSLink
+        uses: ipshipyard/dnslink-action@v1
+        with:
+          cid: ${{ needs.deploy-ipfs.outputs.cid }}
+          dnslink_domain: 'check-ipfs-tech.dnslinks.ipshipyard.tech'
+          cf_zone_id: ${{ secrets.CF_DNS_ZONE_ID }}
+          cf_auth_token: ${{ secrets.CF_DNS_AUTH_TOKEN }}
+          github_token: ${{ github.token }}
+          set_github_status: true
+
+  deploy-gh-pages:
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main'
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: website-build-${{ github.event.workflow_run.id }}
+          path: website-build
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: website-build
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
