forked from juice-shop/multi-juicer
-
-
Notifications
You must be signed in to change notification settings - Fork 20
325 lines (266 loc) · 10.4 KB
/
Copy pathpreview.yml
File metadata and controls
325 lines (266 loc) · 10.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
--- # yamllint disable rule:line-length
name: "Preview Deployment"
on:
pull_request:
types: [opened, synchronize, reopened]
push:
branches: [main]
permissions:
contents: read
packages: write
pull-requests: write
env:
REGISTRY: ghcr.io
IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}
jobs:
set-tag:
name: "Determine Tag"
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.set-tag.outputs.tag }}
steps:
- name: Set output tag
id: set-tag
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "tag=pr-${{ github.event.number }}" >> $GITHUB_OUTPUT
else
echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
fi
build-and-publish:
name: "Build and Publish Preview Images"
runs-on: ubuntu-latest
needs: set-tag
strategy:
matrix:
component:
- wrongsecrets-balancer
- cleaner
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Container Registry
uses: docker/login-action@v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate metadata
id: meta
uses: docker/metadata-action@v6
with:
images: ${{ env.IMAGE_PREFIX }}/${{ matrix.component }}
tags: |
type=raw,value=${{ needs.set-tag.outputs.tag }}
- name: Build and push
uses: docker/build-push-action@v7
with:
context: ./${{ matrix.component }}
file: ./${{ matrix.component }}/Dockerfile
# Only push if it's a push to main OR a PR from the same repo (not a fork)
# External contributors from forks can't write to the org's container registry
push: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
generate-preview-instructions:
name: "Generate Preview Instructions"
runs-on: ubuntu-latest
needs: [set-tag, build-and-publish]
if: github.event_name == 'pull_request'
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Install yq
run: |
sudo snap install yq
- name: Generate preview values
id: values
run: |
# Create a preview values file
cat > preview-values.yaml << EOF
balancer:
repository: ${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer
tag: ${{ needs.set-tag.outputs.tag }}
wrongsecretsCleanup:
repository: ${{ env.IMAGE_PREFIX }}/cleaner
tag: ${{ needs.set-tag.outputs.tag }}
# Preview configuration
ingress:
enabled: true
hosts:
- host: >-
preview-${{ needs.set-tag.outputs.tag }}.wrongsecrets.local
paths:
- "/"
EOF
# Output the content for use in the comment
echo "values<<EOF" >> $GITHUB_OUTPUT
cat preview-values.yaml >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Create deployment instructions
id: instructions
env:
IMAGE_PREFIX: ${{ env.IMAGE_PREFIX }}
TAG: ${{ needs.set-tag.outputs.tag }}
PR_NUMBER: ${{ github.event.number }}
REPO_OWNER: ${{ github.repository_owner }}
VALUES_CONTENT: ${{ steps.values.outputs.values }}
IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
run: |
# yamllint disable rule:line-length
if [ "${IS_FORK}" = "true" ]; then
cat > instructions.md << EOF
## 🚀 Preview Build Complete!
Your pull request has been built successfully. However, since this is from a fork, preview images cannot be pushed to the organization's container registry.
### Testing Your Changes
To test your changes, you can build and deploy locally:
\`\`\`bash
# Clone this PR
git fetch origin pull/${PR_NUMBER}/head:pr-${PR_NUMBER}
git checkout pr-${PR_NUMBER}
# Build and deploy locally
./build-and-deploy.sh
# Or for minikube
./build-and-deploy-minikube.sh
# Port forward to access locally
kubectl port-forward service/wrongsecrets-balancer 3000:3000
\`\`\`
### Alternative: Manual Build
\`\`\`bash
# Build images locally
cd wrongsecrets-balancer
docker build -t my-wrongsecrets-balancer:test .
cd ../cleaner
docker build -t my-cleaner:test .
# Deploy with custom images using Helm
helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
helm repo update
helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
--set balancer.repository=my-wrongsecrets-balancer \\
--set balancer.tag=test \\
--set wrongsecretsCleanup.repository=my-cleaner \\
--set wrongsecretsCleanup.tag=test \\
--set balancer.imagePullPolicy=Never \\
--set wrongsecretsCleanup.imagePullPolicy=Never
\`\`\`
### Why Can't Images Be Pushed?
External contributors don't have write permissions to the organization's GitHub Container Registry. This is a security measure to protect the organization's packages.
---
*This preview was automatically generated for PR #${PR_NUMBER}*
EOF
else
cat > instructions.md << EOF
## 🚀 Preview Deployment Ready!
Your pull request has been built and is ready for preview deployment.
Here's how to test your changes:
### Container Images Built
- **Balancer**: \`${IMAGE_PREFIX}/wrongsecrets-balancer:${TAG}\`
- **Cleaner**: \`${IMAGE_PREFIX}/cleaner:${TAG}\`
### Quick Deploy with Helm
\`\`\`bash
# Add the wrongsecrets helm repository
helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
helm repo update
# Deploy with preview images
helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
--set balancer.repository=${IMAGE_PREFIX}/wrongsecrets-balancer \\
--set balancer.tag=${TAG} \\
--set wrongsecretsCleanup.repository=${IMAGE_PREFIX}/cleaner \\
--set wrongsecretsCleanup.tag=${TAG} \\
--set imagePullPolicy=Always
# Port forward to access locally
kubectl port-forward service/wrongsecrets-balancer 3000:3000
\`\`\`
### Deploy with Custom Values
<details>
<summary>Click to see preview-values.yaml</summary>
\`\`\`yaml
${VALUES_CONTENT}
\`\`\`
</details>
\`\`\`bash
# Save the above values to preview-values.yaml, then:
helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
-f preview-values.yaml
\`\`\`
### Deploy with Local Build Scripts
\`\`\`bash
# Clone this PR
git fetch origin pull/${PR_NUMBER}/head:pr-${PR_NUMBER}
git checkout pr-${PR_NUMBER}
# Use the existing deployment script with custom images
./build-and-deploy.sh
\`\`\`
### Test the Changes
1. Access the application at http://localhost:3000
2. Create a team and verify functionality
3. Test any new features or bug fixes
### Container Registry
The preview images are available at:
- https://github.com/${REPO_OWNER}/wrongsecrets-ctf-party/pkgs/container/wrongsecrets-balancer
- https://github.com/${REPO_OWNER}/wrongsecrets-ctf-party/pkgs/container/cleaner
---
*This preview was automatically generated for PR #${PR_NUMBER}*
EOF
fi
# yamllint enable rule:line-length
echo "content<<EOF" >> $GITHUB_OUTPUT
cat instructions.md >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Comment on PR
uses: actions/github-script@v8
env:
INSTRUCTIONS_CONTENT: ${{ steps.instructions.outputs.content }}
with:
script: |
const { owner, repo } = context.repo;
const issue_number = context.issue.number;
// Find existing preview comment
const comments = await github.rest.issues.listComments({
owner,
repo,
issue_number,
});
const existingComment = comments.data.find(comment =>
comment.user.login === 'github-actions[bot]' &&
comment.body.includes('🚀 Preview Deployment Ready!')
);
const body = process.env.INSTRUCTIONS_CONTENT;
if (existingComment) {
// Update existing comment
await github.rest.issues.updateComment({
owner,
repo,
comment_id: existingComment.id,
body
});
} else {
// Create new comment
await github.rest.issues.createComment({
owner,
repo,
issue_number,
body
});
}
notify-main-branch:
name: "Notify Main Branch Build"
runs-on: ubuntu-latest
needs: [set-tag, build-and-publish]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- name: Create main branch notification
run: |
# yamllint disable rule:line-length
echo "## 🚀 Main Branch Preview Images Updated!"
echo ""
echo "New preview images have been built for the main branch:"
echo ""
echo "- **Balancer**: \`${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer:${{ needs.set-tag.outputs.tag }}\`"
echo "- **Cleaner**: \`${{ env.IMAGE_PREFIX }}/cleaner:${{ needs.set-tag.outputs.tag }}\`"
echo ""
echo "These can be used for testing the latest main branch changes."
# yamllint enable rule:line-length