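name: Deploy Preview Environment

# pull_request_target runs in the context of the base repository: secrets and
# the `id-token: write` permission granted in the `deploy` job are available
# while code taken from the PR head is built. For fork PRs the `deploy` job is
# therefore gated on a maintainer adding the `safe-to-deploy` label (see its
# `if:`); internal branches deploy directly.
on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] - Mitigated with label-based approval
    types: [labeled, synchronize, opened, reopened]
    branches:
      - main
    paths: ['examples/homepage/**', 'packages/vechain-kit/**', 'yarn.lock']

# Default token scope is read-only; each job widens only what it needs.
permissions:
  contents: read

# One preview run per PR at a time; a newer event supersedes an in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  # Job 1: Post instruction comment for external PRs.
  # The guidance comment is posted *before* the branch-name check so that a PR
  # whose branch is misnamed still receives the instructions; the check then
  # fails the job to surface the problem on the PR.
  comment-external-pr:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    if: |
      github.event.pull_request.head.repo.full_name != github.repository &&
      github.event.action == 'opened'
    steps:
      - name: Comment on external PR
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            ## 👋 Thanks for your contribution!

            Since this PR comes from a forked repository, preview deployment requires approval from a maintainer for security reasons.

            Please ensure that your PR branch name starts with your GitHub username in the format of <username>/<branch-name>. Eg. myusername/my-feature **not main**

            **Next steps:**
            1. A maintainer will review your code
            2. If approved, they'll add the `safe-to-deploy` label to trigger deployment
            3. **After each new commit**, the maintainer will need to remove and re-add the label for security

            This ensures every version of the code is explicitly reviewed before deployment. Thank you for your patience! 🙏

      # PR-controlled values are passed through `env:` rather than interpolated
      # into the script, so they cannot alter the shell code.
      - name: Check branch name prefix (for external PRs)
        env:
          USER_NAME: ${{ github.event.pull_request.user.login }}
          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
        run: |
          # Everything before the first '/' must equal the author's login (case-insensitive).
          PREFIX="${BRANCH_NAME%%/*}"
          lower_user_name="${USER_NAME,,}"
          lower_prefix="${PREFIX,,}"
          if [[ "$lower_prefix" != "$lower_user_name" ]]; then
            echo "Invalid branch name. Please ensure that your PR branch name starts with your GitHub username in the format of <username>/<branch-name>. Eg. myusername/my-feature"
            exit 1
          fi

  # Job 2: Deploy (runs for internal PRs OR when external PR gets labeled)
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # OIDC token used to assume the AWS deploy role below
      pull-requests: write # deployment comment
    # Security gate: Only run when 'safe-to-deploy' label is ADDED OR from internal branch.
    # `github.event.label` is only populated on the `labeled` event, so a later
    # `synchronize` push from a fork does not re-run this job until the label is
    # removed and re-added (as the contributor comment in job 1 explains).
    # Parentheses make the `&&` / `||` precedence explicit; the evaluation is
    # unchanged. NOTE(review): the label is not removed after a run — the gate
    # relies on the triggering event, not on the label's presence on the PR.
    if: |
      (github.event.label.name == 'safe-to-deploy') ||
      (github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.ref != 'main')
    # NOTE(review): NEXT_PUBLIC_* values are consumed by the build and, by the
    # usual Next.js convention, end up in the browser bundle — treat them as
    # public even though they are stored as secrets (confirm against the app).
    # AWS access is via the OIDC role, not static keys.
    env:
      NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID: ${{ secrets.NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID }}
      NEXT_PUBLIC_PRIVY_APP_ID: ${{ secrets.NEXT_PUBLIC_PRIVY_APP_ID }}
      NEXT_PUBLIC_PRIVY_CLIENT_ID: ${{ secrets.NEXT_PUBLIC_PRIVY_CLIENT_ID }}
      NEXT_PUBLIC_DELEGATOR_URL: ${{ secrets.NEXT_PUBLIC_DELEGATOR_URL }}
      NEXT_PUBLIC_NETWORK_TYPE: 'main'
      AWS_REGION: eu-west-1
      BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
    steps:
      # Same naming rule as job 1; here it is enforced (a failure stops the deploy).
      - name: Check branch name prefix (for external PRs)
        if: github.event.pull_request.head.repo.full_name != github.repository
        env:
          USER_NAME: ${{ github.event.pull_request.user.login }}
        run: |
          PREFIX="${BRANCH_NAME%%/*}"
          lower_user_name="${USER_NAME,,}"
          lower_prefix="${PREFIX,,}"
          if [[ "$lower_prefix" != "$lower_user_name" ]]; then
            echo "Invalid branch name. Please ensure that your PR branch name starts with your GitHub username in the format of <username>/<branch-name>. Eg. myusername/my-feature"
            exit 1
          fi

      # `head.sha` from the event payload pins the checkout to the commit that
      # was current when the triggering event fired, not to the moving head ref.
      # Everything the build executes from this tree (package scripts, build
      # config) runs with this job's OIDC permission, so for fork PRs the
      # maintainer's label decision is the only control over that code.
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      # Reduces the branch name to [a-z0-9-]. This sanitization is what makes
      # the later `${{ steps.process-branch-name.outputs.* }}` interpolations
      # inside `run:` scripts and the S3 key prefix safe. An empty result is
      # rejected: it would turn basePath into '/' and point `aws s3 sync
      # --delete` at the bucket root. Distinct branch names can still collapse
      # onto the same prefix (e.g. 'a/b' and 'ab'), so previews are not
      # guaranteed unique per PR.
      - name: Process Branch Name
        id: process-branch-name
        run: |
          sanitized_branch_name=$(printf '%s' "$BRANCH_NAME" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]//g')
          if [[ -z "$sanitized_branch_name" ]]; then
            echo "::error::Branch name sanitizes to an empty string; refusing to deploy to the bucket root"
            exit 1
          fi
          echo "processedBranchName=$sanitized_branch_name" >> "$GITHUB_OUTPUT"
          echo "basePath=/$sanitized_branch_name" >> "$GITHUB_OUTPUT"

      - name: Build App
        env:
          NODE_OPTIONS: '--max-old-space-size=8192'
          NEXT_PUBLIC_BASE_PATH: ${{ steps.process-branch-name.outputs.basePath }}
        run: |
          yarn install
          yarn install:all
          yarn build

      # Surfaces (and fixes) files in the build output that are not world-readable.
      - name: Fix permissions
        run: |
          chmod -c -R +rX "./examples/homepage/dist" | while read line; do
            echo "::warning title=Invalid file permissions automatically fixed::$line"
          done

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
        with:
          role-to-assume: ${{ secrets.AWS_ACC_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      # `--delete` removes objects under the prefix that are not in the new
      # build; the prefix is never empty thanks to the check above.
      - name: Deploy to S3
        run: |
          aws s3 sync ./examples/homepage/dist s3://${{ secrets.AWS_PREVIEW_BUCKET_NAME }}/${{ steps.process-branch-name.outputs.processedBranchName }} --delete

      - name: Cloudfront Invalidation
        run: |
          AWS_MAX_ATTEMPTS=10 aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_PREVIEW_CLOUDFRONT_DISTRIBUTION_ID }} --paths '/' '/*'

      # Locate the bot's previous deployment comment so it is updated in place
      # instead of posting a new one on every run.
      - name: Find Comment
        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
        id: find-comment
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: '🚀 Preview environment deployed!'

      - name: Create Deployment Comment
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            # 🚀 Preview environment deployed!

            Preview URL: https://preview.vechainkit.vechain.org/${{ steps.process-branch-name.outputs.processedBranchName }}
          edit-mode: replace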