name: Preview
# Preview deployments of the Cloudflare host, one per pull request, created in
# a dedicated preview account. Each same-repo PR gets an isolated stack
# (Worker + D1 + Access app) that sits behind Cloudflare Access and is
# destroyed when the PR closes. PRs from forks are skipped, because they must
# never run with the deploy token; both jobs enforce this in their `if:` guard.
#
# Repository configuration this workflow expects:
#   secret CLOUDFLARE_PREVIEW_API_TOKEN  - scoped token (Workers/D1/R2/Access edit)
#   var    CLOUDFLARE_PREVIEW_ACCOUNT_ID - the preview Cloudflare account
#   var    PREVIEW_ACCESS_TEAM_DOMAIN    - Zero Trust team domain
#   var    PREVIEW_ACCESS_EMAILS         - comma-separated emails allowed through Access
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - closed

# GITHUB_TOKEN scope for every job: read the repository, write the PR comment.
permissions:
  contents: read
  pull-requests: write

# One concurrency group per PR. A run for any action other than `closed`
# cancels an in-flight run in the group; the run for `closed` does not.
concurrency:
  group: preview-${{ github.event.pull_request.number }}
  cancel-in-progress: ${{ github.event.action != 'closed' }}
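jobs:
  # Deploys the per-PR stack, then creates or refreshes a single PR comment
  # that carries the preview URLs.
  deploy:
    name: Deploy preview
    # Same-repo PRs only: this job is handed the Cloudflare deploy token, so
    # a head branch that lives in a fork must never reach the steps below.
    if: github.event.action != 'closed' && github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # (@v4, @v2, @v7). Pinning each `uses:` to a full commit SHA would keep
      # a retagged release from running alongside the deploy token.
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave GITHUB_TOKEN in
          # .git/config where the install and deploy steps could read it.
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.11"
      # --frozen-lockfile: fail instead of resolving versions the lockfile
      # does not already record.
      - run: bun install --frozen-lockfile
      - name: Deploy
        id: deploy
        working-directory: apps/host-cloudflare
        env:
          # The token is exposed to this step only, not to the whole job.
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_PREVIEW_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_PREVIEW_ACCOUNT_ID }}
          PREVIEW_ACCESS_TEAM_DOMAIN: ${{ vars.PREVIEW_ACCESS_TEAM_DOMAIN }}
          PREVIEW_ACCESS_EMAILS: ${{ vars.PREVIEW_ACCESS_EMAILS }}
        # The PR number is a numeric id assigned by GitHub.
        run: bun scripts/preview.ts deploy --pr ${{ github.event.pull_request.number }}
      - name: Comment preview URL
        uses: actions/github-script@v7
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the value is handled as data, not as JavaScript.
          PREVIEW_URL: ${{ steps.deploy.outputs.url }}
        with:
          script: |
            const marker = "<!-- executor-preview -->";
            const body = [
              marker,
              "### Cloudflare preview",
              "",
              `| | |`,
              `|---|---|`,
              `| Console | ${process.env.PREVIEW_URL} |`,
              `| MCP | \`${process.env.PREVIEW_URL}/mcp\` |`,
              `| Deployed commit | ${context.payload.pull_request.head.sha} |`,
              "",
              "Sign-in is Cloudflare Access (one-time PIN to an allowed email). " +
                "The preview has its own database and encryption key; it is destroyed when this PR closes.",
            ].join("\n");
            // Walk every page: on a PR with more than 100 comments the marker
            // comment may not be on the first page, which would post a duplicate.
            const comments = await github.paginate(github.rest.issues.listComments, {
              ...context.repo,
              issue_number: context.issue.number,
              per_page: 100,
            });
            // Reuse only a comment this workflow's token authored, so a
            // look-alike comment from another user is never picked up.
            const existing = comments.find(
              (c) =>
                c.user &&
                c.user.login === "github-actions[bot]" &&
                c.body &&
                c.body.startsWith(marker),
            );
            if (existing) {
              await github.rest.issues.updateComment({ ...context.repo, comment_id: existing.id, body });
            } else {
              await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body });
            }

  # Destroys the per-PR stack once the PR is closed and rewrites the preview
  # comment to say so.
  teardown:
    name: Tear down preview
    # Same guard as deploy: forks never reach the step that holds the token.
    if: github.event.action == 'closed' && github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): same tag-versus-SHA pinning consideration as in deploy.
      - uses: actions/checkout@v4
        with:
          # No git writes happen here; keep GITHUB_TOKEN out of .git/config.
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.11"
      # destroy talks straight to the Cloudflare API — no install needed.
      - name: Destroy
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_PREVIEW_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_PREVIEW_ACCOUNT_ID }}
        run: bun apps/host-cloudflare/scripts/preview.ts destroy --pr ${{ github.event.pull_request.number }}
      - name: Mark comment as torn down
        uses: actions/github-script@v7
        with:
          script: |
            const marker = "<!-- executor-preview -->";
            // Walk every page so the marker comment is found on busy PRs too.
            const comments = await github.paginate(github.rest.issues.listComments, {
              ...context.repo,
              issue_number: context.issue.number,
              per_page: 100,
            });
            // Touch only a comment this workflow's token authored.
            const existing = comments.find(
              (c) =>
                c.user &&
                c.user.login === "github-actions[bot]" &&
                c.body &&
                c.body.startsWith(marker),
            );
            if (existing) {
              await github.rest.issues.updateComment({
                ...context.repo,
                comment_id: existing.id,
                body: `${marker}\n### Cloudflare preview\n\nTorn down — the PR is closed.`,
              });
            }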