Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dev/buildImagePerPR #231

Merged
merged 5 commits into from
Oct 22, 2024
Merged

Dev/buildImagePerPR #231

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
69adbae
feat: build image when a PR is opened and updated
Pugma Oct 18, 2024
62c1abf
feat: comment when a PR opened
Pugma Oct 18, 2024
4635381
fix: remove unnecessary build target
Pugma Oct 18, 2024
4e02d6c
fix: remove unnecessary permission
Pugma Oct 22, 2024
4fc73f4
fix: remove PR number setting
Pugma Oct 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions .github/workflows/preview-comment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Comment preview environment URL

on:
# pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨
pull_request_target:
types:
- opened

permissions:
pull-requests: write

jobs:
comment:
name: Comment preview environment URL
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v7
with:
script: |
const prod = `https://${context.payload.pull_request.number}-prod.portfolio-preview.trapti.tech/`
const dev = `https://${context.payload.pull_request.number}-dev.portfolio-preview.trapti.tech/`
const msg = `
Preview (prod) → ${prod}
Preview (dev) → ${dev}
`

await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: msg
});
cp-20 marked this conversation as resolved.
Show resolved Hide resolved
48 changes: 48 additions & 0 deletions .github/workflows/preview.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
name: preview

on:
# pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨
pull_request_target:

permissions:
packages: write

env:
IMAGE_NAME: traportfolio-ui

jobs:
build-preview-image:
name: Build Preview Image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Builder instance name
run: echo ${{ steps.buildx.outputs.name }}
- name: Available platforms
run: echo ${{ steps.buildx.outputs.platforms }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: traptitech
password: ${{ secrets.GITHUB_TOKEN }}

# Docker 内でビルドを行うことで、write perm つきでの任意コード実行を避ける
# workflow 自体の改竄はないが、悪意のあるソースコードが入った場合に secret が抽出される可能性があるためである
- name: Build
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ghcr.io/traptitech/${{ env.IMAGE_NAME }}:preview-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}
cache-from: type=registry,ref=ghcr.io/traptitech/${{ env.IMAGE_NAME }}:buildcache
Loading