
DOCS-9447 PAB-Updates #3145


name: Deploy Preview

# pull_request_target runs in the context of the base repository, which is
# what lets the deploy job reach secrets and the WIF identity. The price is
# that nothing from the PR head may execute before the precheck / analyze
# gate below has decided whether that head is trusted (see the precheck job).
on:
  pull_request_target:
    branches:
      - master
    # NOTE(review): no `types:` means the default opened/synchronize/reopened;
    # adding or removing a product label does not retrigger a build by itself.

# No default token scopes; every job declares the minimum it needs.
permissions: {}

# One in-flight run per PR; a new push cancels the previous preview build.
concurrency:
  group: preview-${{ github.event.number }}
  cancel-in-progress: true

jobs:
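precheck:
  # Decides whether the PR head is trusted enough to be built without a manual
  # approval gate. Its single output routes the PR to `analyze` (trusted) or
  # `analyze_unsafe` (untrusted, environment-gated). Every error path — odd
  # login, non-204 API answer, expired PAT — resolves to "false", i.e. the job
  # fails closed onto the untrusted path.
  if: ${{ github.repository == 'PaloAltoNetworks/pan.dev' }}
  name: Precheck
  runs-on: ubuntu-latest
  # Nothing in this job uses GITHUB_TOKEN (no checkout; the org lookup uses a
  # PAT), so the job token gets no scopes at all.
  permissions: {}
  outputs:
    is-org-member-result: ${{ steps.is-org-member.outputs.is-org-member-result }}
  steps:
    - name: Check if PR head is trusted
      id: is-org-member
      env:
        # PAT used only for the org-membership lookup below; read:org is all
        # it needs.
        GH_TOKEN: ${{ secrets.READ_ORG_PAT }}
        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        BASE_REPO: ${{ github.repository }}
      run: |
        trusted()   { echo "is-org-member-result=true"  >> "$GITHUB_OUTPUT"; }
        untrusted() { echo "is-org-member-result=false" >> "$GITHUB_OUTPUT"; }

        # Allow-listed bot: its PRs come from a fork but are still trusted.
        # NOTE(review): this is an identity-only decision that bypasses the
        # same-repo check below, so whoever can push to the branch this bot
        # opens PRs from gets the unattended path. Confirm that fork is
        # org-controlled.
        if [[ "$PR_AUTHOR" == "create-pr-on-fork-for-pan-dev[bot]" ]]; then
          trusted
          exit 0
        fi

        # Dependabot typically pushes to branches in this repo, so it would
        # pass the same-repo check; send it to the gated path explicitly
        # instead of relying on the membership lookup to reject it.
        if [[ "$PR_AUTHOR" == "dependabot[bot]" ]]; then
          untrusted
          exit 0
        fi

        # Fork PRs are never trusted, even when the author is an org member.
        if [[ "$HEAD_REPO" != "$BASE_REPO" ]]; then
          untrusted
          exit 0
        fi

        # GitHub logins are [A-Za-z0-9-] only. Refuse anything else before it
        # is interpolated into the API path (defense in depth; fails closed).
        if ! [[ "$PR_AUTHOR" =~ ^[A-Za-z0-9-]+$ ]]; then
          echo "Unexpected characters in PR author login; treating as untrusted"
          untrusted
          exit 0
        fi

        # 204 = author is an org member. 302/404 (not a member, or the PAT
        # cannot see the org), 401/403 (bad or expired PAT) all map to
        # "false". A transport error makes curl exit non-zero and, under the
        # runner's default `bash -e`, fails the job — also fail-closed, but
        # loudly. --max-time keeps a hung API from stalling the gate.
        status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 30 \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer $GH_TOKEN" \
          "https://api.github.com/orgs/PaloAltoNetworks/members/$PR_AUTHOR")
        if [[ "$status" == "204" ]]; then
          trusted
        else
          untrusted
        fi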
analyze:
  # CodeQL on the PR head for the trusted path (same-repo branch from an org
  # member, or the allow-listed bot). Runs unattended — no environment gate.
  name: Analyze
  needs: precheck
  if: >-
    github.repository == 'PaloAltoNetworks/pan.dev' &&
    needs.precheck.outputs.is-org-member-result == 'true'
  runs-on: ubuntu-latest
  permissions:
    contents: read
    security-events: write  # upload SARIF results for this PR
  strategy:
    fail-fast: true
    matrix:
      language:
        - javascript
  steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        # Analyze the PR head rather than pull_request_target's base-branch
        # default; the job token is not written into .git/config.
        ref: ${{ github.event.pull_request.head.sha }}
        persist-credentials: false
    - name: Initialize CodeQL
      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
      with:
        languages: ${{ matrix.language }}
        queries: security-extended
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
analyze_unsafe:
  # Same CodeQL analysis as `analyze`, for the untrusted path (forks,
  # dependabot, non-members). The only difference is `environment: default`,
  # which is where the manual gate lives: this job — and therefore `build`,
  # the first job that executes PR code — waits for whatever protection rules
  # that environment carries.
  # NOTE(review): those rules are configured in repository settings, not
  # here. If `default` has no required reviewers, untrusted PR code reaches
  # the self-hosted build runner unattended. Confirm.
  name: Analyze Unsafe
  needs: precheck
  if: >-
    github.repository == 'PaloAltoNetworks/pan.dev' &&
    needs.precheck.outputs.is-org-member-result == 'false'
  runs-on: ubuntu-latest
  environment: default
  permissions:
    contents: read
    security-events: write  # upload SARIF results for this PR
  strategy:
    fail-fast: true
    matrix:
      language:
        - javascript
  steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        # PR head, not the base branch; no token left behind in the checkout.
        ref: ${{ github.event.pull_request.head.sha }}
        persist-credentials: false
    - name: Initialize CodeQL
      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
      with:
        languages: ${{ matrix.language }}
        queries: security-extended
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
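build:
  # Builds the static site from the PR head. This is the first job that runs
  # code from the PR (`yarn build-github`), and it does so on a self-hosted
  # runner, so it only starts once one of the analyze jobs has succeeded —
  # i.e. after the `default` environment gate for untrusted heads. The job
  # token is read-only and never persisted into the checkout.
  name: Build
  needs:
    - analyze
    - analyze_unsafe
  # Exactly one analyze job runs and the other is skipped, so the implied
  # success() can never hold; require one explicit success through
  # needs.<job>.result, the documented way to test a named upstream job.
  if: |
    github.repository == 'PaloAltoNetworks/pan.dev' &&
    !failure() && !cancelled() &&
    (needs.analyze.result == 'success' || needs.analyze_unsafe.result == 'success')
  # NOTE(review): PR-controlled code executes on this runner. Consider
  # timeout-minutes so a runaway build cannot hold it for the 6h default, and
  # confirm the runner is ephemeral — a persistent runner keeps state
  # (and the --prefer-offline yarn cache) between untrusted jobs.
  runs-on: pan-dev-runner-xl
  permissions:
    contents: read
  steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        ref: ${{ github.event.pull_request.head.sha }}
        persist-credentials: false
    - name: Setup node
      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: '20'
        # NOTE(review): setup-node saves the yarn cache in its post step. Under
        # pull_request_target that cache is presumably stored in the
        # base-branch scope, and this job has already run PR-controlled build
        # code by then. Consider a restore-only cache on the untrusted path.
        cache: 'yarn'
    # NOTE(review): this output is not read anywhere in the job; setup-node's
    # `cache: yarn` already drives caching. Left in place.
    - name: Get yarn cache
      id: yarn-cache
      run: echo "YARN_CACHE_DIR=$(yarn cache dir)" >> "${GITHUB_OUTPUT}"
    - name: Install dependencies
      # --ignore-scripts: no install-time lifecycle scripts from the
      # PR-controlled package.json or its dependencies. Build-time code
      # (`yarn build-github`) still runs.
      run: yarn --prefer-offline --frozen-lockfile --ignore-scripts
    # Product selection: each matching PR label appends its product set to
    # PRODUCTS_INCLUDE (left unset when nothing matches). contains() is
    # case-insensitive. Labels can only be applied by users with triage
    # rights, so a fork author cannot choose what gets built.
    - name: Include netsec
      if: contains(github.event.pull_request.labels.*.name, 'netsec')
      run: |
        echo "Including 'netsec' in build..."
        echo "PRODUCTS_INCLUDE=${PRODUCTS_INCLUDE:+$PRODUCTS_INCLUDE,}cdss,threat-vault,dns-security,iot,expedition,cloudngfw,cdl,panos,terraform,ansible,splunk,aiops-ngfw-bpa,email-dlp,dlp,prisma-airs" >> "$GITHUB_ENV"
    - name: Include cloud
      if: contains(github.event.pull_request.labels.*.name, 'cloud')
      run: |
        echo "Including 'cloud' in build..."
        echo "PRODUCTS_INCLUDE=${PRODUCTS_INCLUDE:+$PRODUCTS_INCLUDE,}prisma-cloud,compute" >> "$GITHUB_ENV"
    - name: Include sase
      if: contains(github.event.pull_request.labels.*.name, 'sase')
      run: |
        echo "Including 'sase' in build..."
        echo "PRODUCTS_INCLUDE=${PRODUCTS_INCLUDE:+$PRODUCTS_INCLUDE,}sase,access,sdwan,scm" >> "$GITHUB_ENV"
    - name: Include contributing
      if: contains(github.event.pull_request.labels.*.name, 'contributing')
      run: |
        echo "Including 'contributing' in build..."
        echo "PRODUCTS_INCLUDE=${PRODUCTS_INCLUDE:+$PRODUCTS_INCLUDE,}contributing" >> "$GITHUB_ENV"
    # NOTE(review): 'dependencies' maps to the same product set as
    # 'contributing' — confirm that is intended and not a copy-paste leftover.
    - name: Include dependencies
      if: contains(github.event.pull_request.labels.*.name, 'dependencies')
      run: |
        echo "Including 'dependencies' in build..."
        echo "PRODUCTS_INCLUDE=${PRODUCTS_INCLUDE:+$PRODUCTS_INCLUDE,}contributing" >> "$GITHUB_ENV"
    - name: Output final PRODUCTS_INCLUDE
      run: |
        echo "Building the following products: $PRODUCTS_INCLUDE"
    # Playwright (headless Chromium) is needed for fetching the Hashicorp
    # blog feed during the build. Restore-only: this job never writes the
    # cache back, which is the right call for a job that has executed
    # PR-controlled code — a saved cache would be shared with later runs.
    - name: Cache Playwright
      id: playwright-cache
      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: |
          ~/.cache/ms-playwright
        key: ${{ runner.os }}-playwright-${{ hashFiles('package.json') }}
    - name: Install Playwright
      if: steps.playwright-cache.outputs.cache-hit != 'true'
      run: |
        npx playwright install chromium
        npx playwright install-deps chromium
    - name: Build site
      # FEED_SOFT_FAIL: a feed fetch failure must not fail the preview build.
      run: FEED_SOFT_FAIL=1 FEED_DEBUG=1 yarn build-github
    # Fail if the build (PR-controlled code) rewrote tracked config, workflow
    # or theme files. This diffs against the PR head commit, so edits the PR
    # itself makes to these files are not caught here — the deploy job reads
    # firebase.json / .firebaserc from the base branch for that reason.
    - name: Verify build did not modify critical files
      run: |
        git diff --exit-code -- \
          firebase.json .firebaserc package.json yarn.lock docusaurus.config.ts \
          'scripts/**' '.github/**' 'src/theme/**' 'plugin-sitemap-coveo/**'
    # Only the build output leaves this job. zip -r follows symlinks by
    # default (stores target content), so the archive holds regular files
    # under the build prefix; the deploy job extracts only that prefix.
    - name: Zip build directory
      run: |
        if [ -d "build" ]; then
          BUILD_DIR="build"
        elif [ -d "websites/pan-dev/build" ]; then
          BUILD_DIR="websites/pan-dev/build"
        else
          echo "Error: 'build' directory not found in current directory or in websites/pan-dev/"
          exit 1
        fi
        echo "Build directory found at: $BUILD_DIR"
        rm -f build.zip
        zip -r build.zip "$BUILD_DIR"
    - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      with:
        name: build
        path: build.zip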
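deploy:
  # Publishes the build artifact to a Firebase preview channel and comments
  # the URL on the PR. This job holds the credentials (WIF identity to GCP,
  # GITHUB_TOKEN with pull-requests/checks write), so it must never execute
  # PR-controlled code: it checks out the base branch (no `ref:`, which is
  # pull_request_target's default) for firebase.json / .firebaserc and takes
  # only the prebuilt static files from the artifact.
  name: Deploy
  needs: build
  # Require an actual build success. The earlier `!failure() && !cancelled()`
  # form also ran on a *skipped* build and then failed at artifact download.
  if: github.repository == 'PaloAltoNetworks/pan.dev' && needs.build.result == 'success'
  runs-on: pan-dev-runner-lg
  environment: preview
  permissions:
    contents: read
    pull-requests: write  # preview-URL comment (repoToken below)
    checks: write         # deployment check run
    id-token: write       # OIDC token for Workload Identity Federation
  steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - name: Setup node
      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: '20'
        cache: 'yarn'
    - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
      with:
        name: build
    - name: Unzip build artifact
      run: |
        # Extract only the build-output prefix and never overwrite files
        # from the checkout (-n). The second pattern covers the monorepo
        # layout; unzip exits non-zero when a pattern matches nothing.
        unzip -n build.zip 'build/*' || unzip -n build.zip 'websites/pan-dev/build/*'
        if [ -d "build" ]; then
          DEPLOY_DIR="."
        elif [ -d "websites/pan-dev/build" ]; then
          DEPLOY_DIR="websites/pan-dev"
        else
          echo "Error: 'build' directory not found in current directory or in websites/pan-dev/"
          exit 1
        fi
        echo "Deploy directory found at: $DEPLOY_DIR"
        echo "DEPLOY_DIR=$DEPLOY_DIR" >> "$GITHUB_ENV"
    - name: Authenticate to Google Cloud
      id: auth
      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
        service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
        # Keep GOOGLE_APPLICATION_CREDENTIALS and friends out of later
        # steps; the credentials file is read explicitly below instead.
        export_environment_variables: false
    - name: Mask sensitive values in logs
      # Expression values reach the script through env, not inline ${{ }}.
      # Secrets are already masked by the runner; the file path is not.
      env:
        CREDS_FILE: ${{ steps.auth.outputs.credentials_file_path }}
        GCP_PROJECT_NUMBER: ${{ secrets.GCP_PROJECT_NUMBER }}
      run: |
        echo "::add-mask::$CREDS_FILE"
        echo "::add-mask::$GCP_PROJECT_NUMBER"
    - name: Read GCP credentials
      id: creds
      env:
        CREDS_FILE: ${{ steps.auth.outputs.credentials_file_path }}
      run: |
        # Collapse the file to one line first: ::add-mask:: masks exactly one
        # line and the key=value form of GITHUB_OUTPUT is single-line too, so
        # a pretty-printed credentials file would otherwise leak every line
        # after the first into the log and corrupt the output. JSON never
        # holds raw newlines inside strings, so stripping them is safe.
        creds=$(tr -d '\r\n' < "$CREDS_FILE")
        if [[ -z "$creds" ]]; then
          echo "Error: credentials file is empty"
          exit 1
        fi
        echo "::add-mask::$creds"
        echo "sa_key=$creds" >> "$GITHUB_OUTPUT"
    - name: Deploy to Firebase
      id: deploy_preview
      uses: FirebaseExtended/action-hosting-deploy@e2eda2e106cfa35cdbcf4ac9ddaf6c4756df2c8c # v0.10.0
      with:
        repoToken: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): with WIF this is presumably the credentials config
        # generated by the auth step, not a long-lived service-account key —
        # verify which form the action is actually given.
        firebaseServiceAccount: ${{ steps.creds.outputs.sa_key }}
        projectId: ${{ secrets.FIREBASE_PROJECT_ID }}
        expires: 7d
        channelId: pr${{ github.event.number }}
        totalPreviewChannelLimit: 25
        entryPoint: ${{ env.DEPLOY_DIR }}
      env:
        FIREBASE_CLI_PREVIEWS: hostingchannels
        FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'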