docker-mailserver/.github/workflows/docs-preview-prepare.yml

docs(ci): Deploy Previews (#1988)

* docs(ci): Support deploy previews for documentation

  Each PR that contributes to docs will generate a unique (to that PR) URL to preview the PR live for review.

* docs(ci): Split workflow

  To support previews from non-collaborators' PR contributions, we cannot rely on secrets access from workflows triggered by the `pull_request` event. To do so securely, according to official advice from Github, we must run the third-party contribution in the restricted `pull_request` context, and then use a 2nd workflow to deploy the build (which requires secrets access).

* docs(ci): Rename doc workflows + add commit status

  Better naming convention for documentation workflows. The split workflow only indicated status on the PR for the 1st stage (building the preview to deploy), not the deployment progress/result. This needs to be managed more directly until the action better supports the split-workflow scenario.

* docs(ci): Add concurrency limit to preview deploy workflow

  This would be more ideal on the 2nd phase workflow (`workflow_run`), however keeping it simple for now. Limits the concurrency of the initial pull request workflow for documentation contributions that have PRs with multiple event triggers in a small time span (before the workflow triggered would complete). The main benefit is to avoid redundant deploys if the initial workflow has been triggered again to build the PR once more. It will only work against concurrent workflows for that PR in the 1st stage; if an existing `workflow_run` (2nd stage) is active for that PR it will not be cancelled.

* docs(ci): Add sponsor branding for deploy preview service

  A requirement from Netlify for the [sponsored OSS organization plan](https://www.netlify.com/legal/open-source-policy).

* docs(ci): Use a shared build script

  Production and Deploy Preview builds are now maintained via the same shell command, so version updates of the docker image are in one place. Additionally deletes unnecessary build output which upstream provides no support to exclude.

* docs: Add a custom 404 page

  This is used by the preview deploys on Netlify. Production deploys on Github Pages require a top-level 404 page manually deployed (since all are deployed to a version subpath). This 404 page was custom built and optimized by me. This is the final minified output; separate source to build is available if needed.

  ---

  Likewise the `favicon.ico` is a fallback for browsers that implicitly check the domain root for this file if the SVG isn't supported/preferred. Browsers check for this file without it being present in the HTML head meta elements. On Github Pages the `favicon.ico` isn't likely to be picked up even at top-level, as the typical deployment has the project name as a subpath. The docs however reference a PNG favicon which should be widely supported.

  The `favicon.ico` was generated by the RealFaviconGenerator online tool with SVG source input. It contains 16px, 32px and 48px sizes. Quality is better than the `favicon.io` generator.

* chore: Optimized logo

  SVG source cleaned up and optimized with SVGO 2.3. Minified versions (`.min.svg` extension) remove unnecessary data and white-space to reduce size further for production use. This extension better differentiates by filename that it's different from the `src` version.
2021-05-20 10:24:46 +00:00
name: 'Documentation (PR)'

on:
  pull_request:
    paths:
      - 'docs/**'

# If the workflow for a PR is triggered multiple times, previous existing runs will be canceled.
# eg: Applying multiple suggestions from a review directly via the Github UI.
# Instances of the 2nd phase of this workflow (via `workflow_run`) presently lack concurrency limits due to added complexity.
concurrency:
  group: deploypreview-pullrequest-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# `pull_request` workflow is unreliable alone: Non-collaborator contributions lack access to secrets for security reasons.
# A separate workflow (docs-preview-deploy.yml) handles the deploy after the potentially untrusted code is first run in this workflow.
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
jobs:
  prepare-preview:
    name: 'Build Preview'
    runs-on: ubuntu-20.04
    env:
      BUILD_DIR: docs/site
      NETLIFY_SITE_PREFIX: pullrequest-${{ github.event.pull_request.number }}
      NETLIFY_SITE_NAME: dms-doc-previews
    steps:
      - uses: actions/checkout@v2.3.4

      - name: 'Build with mkdocs-material via Docker'
        working-directory: docs
        env:
          PREVIEW_URL: 'https://${NETLIFY_SITE_PREFIX}--${NETLIFY_SITE_NAME}.netlify.app/'
          NETLIFY_BRANDING: '<a href="https://www.netlify.com/"><img alt="Deploys by Netlify" src="https://www.netlify.com/img/global/badges/netlify-color-accent.svg" style="float: right;"></a>'
        run: |
          # Adjust mkdocs.yml for preview build
          sed -i "s|^site_url:.*|site_url: '${PREVIEW_URL}'|" mkdocs.yml
          # Insert sponsor branding into page content (Provider OSS plan requirement):
          # Upstream does not provide a nicer maintainable way to do this.
          # Prepends HTML to copyright text and then aligns to the right side.
          sed -i "s|^copyright: '|copyright: '${NETLIFY_BRANDING}|" mkdocs.yml
          # Need to override a CSS media query for parent element to always be full width:
          echo '.md-footer-copyright { width: 100%; }' >> content/assets/css/customizations.css

          ../.github/workflows/scripts/docs/build-docs.sh

      # ============================== #
      # Volley over to secure workflow #
      # ============================== #
      # Minimize risk of upload failure by bundling files to a single compressed archive (tar + zstd).
      # Bundles build dir and env file into a compressed archive, nested file paths will be preserved.
      - name: 'Prepare artifact for transfer'
        run: |
          # Save ENV for transfer
          echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}" >> pr.env
          echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> pr.env
          echo "PR_TITLE=${{ github.event.pull_request.title }}" >> pr.env
          echo "NETLIFY_SITE_PREFIX=${{ env.NETLIFY_SITE_PREFIX }}" >> pr.env
          echo "BUILD_DIR=${{ env.BUILD_DIR }}" >> pr.env

          tar --zstd -cf artifact.tar.zst pr.env ${{ env.BUILD_DIR }}

      - name: 'Upload artifact for workflow transfer'
        uses: actions/upload-artifact@v2
        with:
          name: preview-build
          path: artifact.tar.zst
          retention-days: 1
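The `pr.env` file written above crosses from the restricted `pull_request` job into the privileged `workflow_run` workflow inside an artifact that was produced while the PR's own changes were being built, so the second stage should parse it as untrusted input rather than `source` it. The bash below is an added example, not code from docker-mailserver (the `workflow_run` side is not on this page); the allowlist and value shapes are assumptions derived from the five keys the 'Prepare artifact for transfer' step writes.

```shell
# Added example, not part of docker-mailserver: a strict reader for the `pr.env` file
# that the restricted `pull_request` workflow bundles into its artifact. The privileged
# `workflow_run` stage should treat that file as untrusted input (it was written while
# the PR's own changes were being built), so rather than `source pr.env` each key is
# allowlisted and each value checked against the shape 'Prepare artifact for transfer' writes.
# Validate one KEY=VALUE line: 0 if the key is known and the value well formed,
# 1 otherwise (unknown key, malformed value, or no '=' at all).
validate_pr_env_line() {
  local line="$1" key value
  case "$line" in
    *=*) key="${line%%=*}"; value="${line#*=}" ;;
    *)   return 1 ;;
  esac
  case "$key" in
    PR_HEADSHA)          [[ "$value" =~ ^[0-9a-f]{40}$ ]] ;;
    PR_NUMBER)           [[ "$value" =~ ^[1-9][0-9]{0,6}$ ]] ;;
    NETLIFY_SITE_PREFIX) [[ "$value" =~ ^pullrequest-[1-9][0-9]{0,6}$ ]] ;;
    BUILD_DIR)           [[ "$value" == 'docs/site' ]] ;;
    # PR author's free text: bounded and free of control characters (no smuggled newlines).
    PR_TITLE)            [[ ${#value} -le 256 && "$value" != *[[:cntrl:]]* ]] ;;
    *)                   return 1 ;;
  esac
}

# Read a pr.env from stdin, require each expected key exactly once, check that the
# site prefix is derived from the same PR number, and echo the validated lines.
parse_pr_env() {
  local line key seen='' number='' prefix=''
  while IFS= read -r line || [ -n "$line" ]; do
    validate_pr_env_line "$line" || { echo "rejected: ${line%%=*}" >&2; return 1; }
    key="${line%%=*}"
    case " $seen " in *" $key "*) echo "duplicate: $key" >&2; return 1 ;; esac
    seen="$seen $key"
    if [ "$key" = PR_NUMBER ]; then number="${line#*=}"; fi
    if [ "$key" = NETLIFY_SITE_PREFIX ]; then prefix="${line#*=}"; fi
    printf '%s\n' "$line"
  done
  for key in PR_HEADSHA PR_NUMBER PR_TITLE NETLIFY_SITE_PREFIX BUILD_DIR; do
    case " $seen " in *" $key "*) ;; *) echo "missing: $key" >&2; return 1 ;; esac
  done
  [ "$prefix" = "pullrequest-$number" ]
}
# Constructed sample of what the restricted workflow writes (the SHA is invented).
SAMPLE_PR_ENV='PR_HEADSHA=0123456789abcdef0123456789abcdef01234567
PR_NUMBER=1988
PR_TITLE=docs(ci): Deploy Previews
NETLIFY_SITE_PREFIX=pullrequest-1988
BUILD_DIR=docs/site'
printf '%s\n' "$SAMPLE_PR_ENV" | parse_pr_env
```

Only after `parse_pr_env` succeeds should the deploy stage export the echoed lines into its environment; a rejected file means the artifact should be discarded rather than deployed.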