Draft
5 changes: 5 additions & 0 deletions .github/workflows/staging.yml
Expand Up @@ -34,6 +34,11 @@ jobs:
# unit tests can't (e.g. the Void Cache API ban that 500'd every packument)
# BEFORE the change reaches main. Make this a required status check so a
# failing smoke test blocks the merge.
#
# This deploy keeps the long-lived VOID_TOKEN secret: the GitHub OIDC
# exchange that void-deploy.yml uses is rejected for pull_request events
# by the Void platform (PR runs execute untrusted code, so they may not
# mint deploy tokens), so OIDC cannot replace the token here.
- name: Deploy to staging
run: pnpm exec void deploy --project pkg-pr-registry-bridge-staging
env:
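Review bot: the new comment justifies keeping `VOID_TOKEN` on the grounds that PR runs execute untrusted code, but that same untrusted code is what this job now hands a long-lived token to, and the README text removed in this PR says that token "deploys both projects". The comment should state what actually bounds the exposure: that the job is triggered only by `pull_request` (not `pull_request_target`), so fork PRs receive no secrets (the README already says the step is skipped for them), and that now production deploys through OIDC the secret should be a staging-only token. Suggest adding a line such as `# VOID_TOKEN must be scoped to the staging project; production no longer uses it.` and rotating the shared token once that is done.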
15 changes: 11 additions & 4 deletions .github/workflows/deploy.yml → .github/workflows/void-deploy.yml
Expand Up @@ -9,6 +9,15 @@ concurrency:
group: void-deploy-${{ github.ref }}
cancel-in-progress: true

# `void deploy` authenticates via GitHub OIDC, so there is no long-lived
# VOID_TOKEN secret here: id-token lets the job mint an OIDC token that the
# CLI exchanges for a short-lived project-scoped deploy token. The Void
# platform only honors the exchange from `.github/workflows/void-deploy.yml`
# on a push to the connected branch, so this file must keep exactly that name.
permissions:
id-token: write
contents: read

jobs:
deploy:
runs-on: ubuntu-latest
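Review bot: `permissions` is added at workflow level, so `id-token: write` is granted to every job in this file rather than only to `deploy`; move the same two keys under `jobs.deploy` so that any job added later (a separate smoke-test job, for example) cannot mint an OIDC token. Also, the comment says the platform honors the exchange only from a file named exactly `void-deploy.yml` on a push to the connected branch, which means a rename or a `workflow_dispatch` run fails at the exchange with no obvious cause; a one-line pointer next to the `on:` block (not shown in this hunk) referring back to this comment would save the next person a debugging session.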
Expand All @@ -33,8 +42,6 @@ jobs:
# staging deploy + smoke here and only ship to production when it passes.
- name: Deploy to staging
run: pnpm exec void deploy --project pkg-pr-registry-bridge-staging
env:
VOID_TOKEN: ${{ secrets.VOID_TOKEN }}

- name: Smoke-test staging
run: node scripts/smoke-test.mjs https://pkg-pr-registry-bridge-staging.void.app
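Review bot: the staging deploy now runs with no `VOID_TOKEN` and identifies its project only through `--project pkg-pr-registry-bridge-staging`, whereas the production step in the next hunk sets `VOID_PROJECT` and its comment says the OIDC exchange scopes the token to that slug. Confirm that the exchange also honors the `--project` flag and that the staging project has been connected with `void github connect` (the README in this PR says connection is per project); otherwise this step fails on the first push to `main` and the production gate never runs. Setting `VOID_PROJECT` in both steps would keep them consistent.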
Expand All @@ -43,9 +50,9 @@ jobs:
- name: Deploy to production
run: pnpm exec void deploy
env:
VOID_TOKEN: ${{ secrets.VOID_TOKEN }}
# VOID_PROJECT is required because the project link in `.void/` is
# gitignored, so there is nothing to resolve from in CI.
# gitignored, so there is nothing to resolve from in CI. The OIDC
# exchange also scopes the deploy token to this slug.
VOID_PROJECT: pkg-pr-registry-bridge

- name: Smoke-test production
22 changes: 15 additions & 7 deletions README.md
Expand Up @@ -275,14 +275,22 @@ CI deploys in two stages, both smoke-testing the REAL Void runtime, which the
runs `scripts/smoke-test.mjs` against it. Make `Staging` a required status
check (branch protection) so a failing smoke test blocks the merge. (Skipped
for fork PRs, which can't read `VOID_TOKEN`.)
- **Push to `main`** (`.github/workflows/deploy.yml`) re-runs the staging deploy
+ smoke as a gate, then deploys to production and smoke-tests it. The gate is
necessary because a change can reach `main` without the PR check, a fork PR or
a direct push, so production never ships unless staging passes first.
- **Push to `main`** (`.github/workflows/void-deploy.yml`) re-runs the staging
deploy + smoke as a gate, then deploys to production and smoke-tests it. The
gate is necessary because a change can reach `main` without the PR check, a
fork PR or a direct push, so production never ships unless staging passes
first.

The smoke test hits `/_health`, the `/vite-plus` packument (200 with `time`),
`/-/refs`, and a download redirect.

Add a `VOID_TOKEN` repository secret (`void auth token` copies one to your
clipboard); the same token deploys both projects. Run the smoke test locally
with `pnpm smoke <url>`, and deploy staging by hand with `pnpm deploy:staging`.
The push-to-`main` workflow authenticates with GitHub OIDC: `void deploy`
exchanges a short-lived OIDC token for a project-scoped deploy token, so no
secret is involved. This requires the repo to be connected once per project
(`void github connect <project> --repo voidzero-dev/pkg-pr-registry-bridge
--branch main --executor github_actions`) and the workflow file to be named
exactly `void-deploy.yml`. The PR staging deploy still needs a `VOID_TOKEN`
repository secret (`void auth token` copies one to your clipboard): the
platform refuses to mint deploy tokens for pull_request events, which run
untrusted code. Run the smoke test locally with `pnpm smoke <url>`, and deploy
staging by hand with `pnpm deploy:staging`.
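Review bot: the `void github connect <project> ...` example uses a single placeholder, but the push-to-`main` workflow deploys two projects over OIDC (`pkg-pr-registry-bridge-staging` and `pkg-pr-registry-bridge`), so the text should say that both must be connected with this repo, branch and executor. The removed sentence "the same token deploys both projects" is not replaced by any statement of what the remaining `VOID_TOKEN` should be allowed to do; since production no longer needs it, document that the secret should be a staging-scoped token and that the previously shared token should be rotated.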
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -29,7 +29,7 @@
"typescript": "^6.0.0",
"vite": "^8.1.0",
"vitest": "^4.1.0",
"void": "^0.9.3",
"void": "^0.10.2",
"wrangler": "^4.105.0"
},
"devEngines": {
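Review bot: if the bump to `^0.10.2` is what brings the OIDC exchange used in `void-deploy.yml`, say so in the PR description or in a comment, because the caret range otherwise reads as a routine dependency bump and nobody will know the floor matters. The `minimumReleaseAgeExclude` entry in `pnpm-workspace.yaml` exempts `void@0.10.2` exactly, so a later `0.10.x` release matched by this range will still be held back by the release-age rule, which is the desired behaviour.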
12 changes: 6 additions & 6 deletions pnpm-lock.yaml


2 changes: 2 additions & 0 deletions pnpm-workspace.yaml
Expand Up @@ -8,3 +8,5 @@ allowBuilds:
workerd: true
sharp: true
better-sqlite3: false
minimumReleaseAgeExclude:
- void@0.10.2
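Review bot: `minimumReleaseAgeExclude` waives the minimum release age for `void@0.10.2`, that is, the cooling-off window that exists so a freshly published (and possibly compromised) version is not pulled into CI before anyone has had a chance to notice. Pinning the waiver to the exact version keeps it narrow, which is good, but add a comment stating the reason and when it can go, e.g. `# TODO: remove once void@0.10.2 is older than the configured minimum release age` (the setting that defines the window is not shown in this hunk), and verify the published tarball's provenance or attestation before merging since the usual delay is being skipped.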