From 69adbae4734d8872ed3b46f380bf2fc804550193 Mon Sep 17 00:00:00 2001
From: Pugma
Date: Fri, 18 Oct 2024 10:18:49 +0900
Subject: [PATCH 1/5] feat: build image when a PR is opened and updated
---
 .github/workflows/preview.yaml | 52 ++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/preview.yaml
diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml
new file mode 100644
index 0000000..a5f5924
--- /dev/null
+++ b/.github/workflows/preview.yaml
@@ -0,0 +1,52 @@
+name: preview
+
+on:
+ # pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨
+ pull_request_target:
+
+permissions:
+ packages: write
+
+env:
+ IMAGE_NAME: traportfolio-ui
+
+jobs:
+ build-preview-image:
+ name: Build Preview Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set PR_NUMBER env
+ run: echo "PR_NUMBER=${{ github.event.number }}" >> $GITHUB_ENV
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Builder instance name
+ run: echo ${{ steps.buildx.outputs.name }}
+ - name: Available platforms
+ run: echo ${{ steps.buildx.outputs.platforms }}
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: traptitech
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Docker 内でビルドを行うことで、write perm つきでの任意コード実行を避ける
+ # workflow 自体の改竄はないが、悪意のあるソースコードが入った場合に secret が抽出される可能性があるためである
+ - name: Build
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ghcr.io/traptitech/${{ env.IMAGE_NAME }}:preview-${{ env.PR_NUMBER }}-${{ github.event.pull_request.head.sha }}
+ cache-from: type=registry,ref=ghcr.io/traptitech/${{ env.IMAGE_NAME }}:buildcache
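Review bot: The `Build` step executes whatever Dockerfile the PR head supplies (`ref: ${{ github.event.pull_request.head.sha }}` plus `context: .`) while the job runs under `pull_request_target` with `packages: write`, and `push: true` then publishes that fork-controlled image to `ghcr.io/traptitech/${{ env.IMAGE_NAME }}` with no author or fork check — even if the registry login stays outside the build container as the comment above the step assumes, an untrusted contributor still gets an arbitrary image published under the org namespace and unbounded `RUN` time on the runner. If previews are meant for trusted contributors only, gate the job, e.g. `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)`, or require a maintainer-applied label before building. Because this job holds a write-scoped registry token, the five `uses:` references (`actions/checkout@v4`, the `docker/*@v3` actions, `docker/build-push-action@v5`) should be pinned to full commit SHAs rather than floating major tags. Note also that `cache-from` without `cache-to` is what keeps a fork build from poisoning the shared `:buildcache` tag; make that explicit with `# cache-from only: never add cache-to or build secrets/args here, untrusted PR builds must not write shared state`.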
From 62c1abf0770fb85cc9acb5d2d43d535d78bc25a2 Mon Sep 17 00:00:00 2001
From: Pugma
Date: Fri, 18 Oct 2024 10:19:05 +0900
Subject: [PATCH 2/5] feat: comment when a PR opened
---
 .github/workflows/preview-comment.yaml | 33 ++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/preview-comment.yaml
diff --git a/.github/workflows/preview-comment.yaml b/.github/workflows/preview-comment.yaml
new file mode 100644
index 0000000..1ee2933
--- /dev/null
+++ b/.github/workflows/preview-comment.yaml
@@ -0,0 +1,33 @@
+name: Comment preview environment URL
+
+on:
+ # pull_request_target を使うにあたって https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ の一読を推奨
+ pull_request_target:
+ types:
+ - opened
+
+permissions:
+ issues: write
+ pull-requests: write
+
+jobs:
+ comment:
+ name: Comment preview environment URL
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/github-script@v7
+ with:
+ script: |
+ const prod = `https://${context.payload.pull_request.number}-prod.portfolio-preview.trapti.tech/`
+ const dev = `https://${context.payload.pull_request.number}-dev.portfolio-preview.trapti.tech/`
+ const msg = `
+ Preview (prod) → ${prod}
+ Preview (dev) → ${dev}
+ `
+
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.payload.pull_request.number,
+ body: msg
+ });
From 46353810206932ffa18fe0148727a499801c421b Mon Sep 17 00:00:00 2001
From: Pugma
Date: Fri, 18 Oct 2024 10:21:41 +0900
Subject: [PATCH 3/5] fix: remove unnecessary build target
---
 .github/workflows/preview.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml
index a5f5924..abec9ad 100644
--- a/.github/workflows/preview.yaml
+++ b/.github/workflows/preview.yaml
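Review bot: This job holds write permissions on the PR for every fork PR that is opened, and it stays safe only because the `script:` block expands no `${{ }}` expression from the PR and reads just the numeric `context.payload.pull_request.number`; that invariant deserves a comment above `- uses: actions/github-script@v7`, e.g. `# Safe under pull_request_target: nothing from the PR is checked out and only the numeric PR number reaches the script — never interpolate title/body via ${{ }} here`. The same write token argues for pinning `actions/github-script` to a commit SHA instead of `@v7`. As a style point, the `msg` template literal opens and closes with a newline, so the posted comment begins with a blank line; trimming those two newlines (or building `msg` as a `join('\n')` of the two lines) yields the same text without it. Since the trigger is `opened` alone, the URLs are also posted before any preview image exists for the PR — presumably the deploy side tolerates that, but nothing in this workflow shows it.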
@@ -46,7 +46,6 @@ jobs:
 uses: docker/build-push-action@v5
 with:
 context: .
- platforms: linux/amd64,linux/arm64
 push: true
 tags: ghcr.io/traptitech/${{ env.IMAGE_NAME }}:preview-${{ env.PR_NUMBER }}-${{ github.event.pull_request.head.sha }}
 cache-from: type=registry,ref=ghcr.io/traptitech/${{ env.IMAGE_NAME }}:buildcache
From 4e02d6cc0536e1433c3e4e2c8b4e06bfc510d266 Mon Sep 17 00:00:00 2001
From: Pugma
Date: Tue, 22 Oct 2024 14:38:19 +0900
Subject: [PATCH 4/5] fix: remove unnecessary permission
---
 .github/workflows/preview-comment.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/preview-comment.yaml b/.github/workflows/preview-comment.yaml
index 1ee2933..1f12878 100644
--- a/.github/workflows/preview-comment.yaml
+++ b/.github/workflows/preview-comment.yaml
@@ -7,7 +7,6 @@ on:
 - opened
 
 permissions:
- issues: write
 pull-requests: write
 
 jobs:
From 4fc73f47aa6c7135f3a9c8a83d936add67ef7cfd Mon Sep 17 00:00:00 2001
From: Pugma
Date: Tue, 22 Oct 2024 14:41:56 +0900
Subject: [PATCH 5/5] fix: remove PR number setting
---
 .github/workflows/preview.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml
index abec9ad..5c8df95 100644
--- a/.github/workflows/preview.yaml
+++ b/.github/workflows/preview.yaml
@@ -15,9 +15,6 @@ jobs:
 name: Build Preview Image
 runs-on: ubuntu-latest
 steps:
- - name: Set PR_NUMBER env
- run: echo "PR_NUMBER=${{ github.event.number }}" >> $GITHUB_ENV
-
 - uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
@@ -47,5 +44,5 @@ jobs:
 with:
 context: .
 push: true
- tags: ghcr.io/traptitech/${{ env.IMAGE_NAME }}:preview-${{ env.PR_NUMBER }}-${{ github.event.pull_request.head.sha }}
+ tags: ghcr.io/traptitech/${{ env.IMAGE_NAME }}:preview-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}
 cache-from: type=registry,ref=ghcr.io/traptitech/${{ env.IMAGE_NAME }}:buildcache