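name: Preview

# Per-PR preview deploys of the Cloudflare host to a dedicated preview account.
# Every same-repo PR gets its own isolated stack (Worker + D1 + Access app)
# behind Cloudflare Access; it is torn down when the PR closes. Fork PRs are
# skipped — they must not run with the deploy token.
#
# Required repo configuration:
#   secret CLOUDFLARE_PREVIEW_API_TOKEN — scoped token (Workers/D1/R2/Access edit)
#   var    CLOUDFLARE_PREVIEW_ACCOUNT_ID — the preview Cloudflare account
#   var    PREVIEW_ACCESS_TEAM_DOMAIN — Zero Trust team domain
#   var    PREVIEW_ACCESS_EMAILS — comma-separated emails allowed through Access

# Keep this trigger as `pull_request`. `pull_request_target` gives fork PRs
# access to repository secrets; combined with a checkout of the PR head it
# would let untrusted code run with the deploy token.
on:
  pull_request:
    types: [opened, reopened, synchronize, closed]

# Least privilege for GITHUB_TOKEN: read the repository, and write only what
# the PR comment steps need.
permissions:
  contents: read
  pull-requests: write

# One run per PR at a time. A newer push cancels an in-flight deploy; a
# `closed` event does not cancel it, so the teardown run queues behind any
# deploy that is still in progress.
concurrency:
  group: preview-${{ github.event.pull_request.number }}
  cancel-in-progress: ${{ github.event.action != 'closed' }}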
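jobs:
  deploy:
    name: Deploy preview
    # Same-repo PRs only. The head-repo comparison makes the fork skip explicit
    # instead of relying on secrets being withheld from fork runs.
    if: github.event.action != 'closed' && github.event.pull_request.head.repo.full_name == github.repository
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      # NOTE(review): every action in this job is referenced by a mutable tag
      # (@v4, @v2, @v5, @v7). This job holds a Cloudflare deploy token, so
      # consider pinning each `uses:` to a full commit SHA.
      - uses: actions/checkout@v4
        with:
          # Later steps build dependencies from source and run PR code; keep
          # GITHUB_TOKEN out of .git/config. Nothing in this job pushes via git.
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.11
      - name: Cache Bun package cache
        uses: useblacksmith/cache@v5
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-1.3.11-${{ hashFiles('bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-bun-1.3.11-
      # No prebuilt better-sqlite3 binary matches this runner, so `bun install`
      # builds it from source via node-gyp, whose undici needs Node 22.10+
      # (webidl.markAsUncloneable). Pin the same runtime the CI jobs use.
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      # Runs before the deploy token is in scope: the install step (which
      # executes the node-gyp build) has no Cloudflare credentials in its env.
      - run: bun install --frozen-lockfile
      - name: Deploy
        id: deploy
        working-directory: apps/host-cloudflare
        # The token is set on this step only. Do not hoist it to job-level
        # `env`, or the install/build step above would inherit it.
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_PREVIEW_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_PREVIEW_ACCOUNT_ID }}
          PREVIEW_ACCESS_TEAM_DOMAIN: ${{ vars.PREVIEW_ACCESS_TEAM_DOMAIN }}
          PREVIEW_ACCESS_EMAILS: ${{ vars.PREVIEW_ACCESS_EMAILS }}
        run: bun scripts/preview.ts deploy --pr ${{ github.event.pull_request.number }}
      # Creates the preview comment, or updates it in place on later pushes.
      # The URL is handed over through `env` rather than interpolated into the
      # script, so the step output is never parsed as JavaScript.
      # NOTE(review): the existing comment is matched by body prefix only; any
      # commenter can post a body starting with the marker. Consider also
      # checking the comment author before updating.
      - name: Comment preview URL
        uses: actions/github-script@v7
        env:
          PREVIEW_URL: ${{ steps.deploy.outputs.url }}
        with:
          script: |
            const marker = "<!-- executor-preview -->";
            const body = [
              marker,
              "### Cloudflare preview",
              "",
              `| | |`,
              `|---|---|`,
              `| Console | ${process.env.PREVIEW_URL} |`,
              `| MCP | \`${process.env.PREVIEW_URL}/mcp\` |`,
              `| Deployed commit | ${context.payload.pull_request.head.sha} |`,
              "",
              "Sign-in is Cloudflare Access (one-time PIN to an allowed email). " +
                "The preview has its own database and encryption key; it is destroyed when this PR closes.",
            ].join("\n");
            const { data: comments } = await github.rest.issues.listComments({
              ...context.repo,
              issue_number: context.issue.number,
              per_page: 100,
            });
            const existing = comments.find((c) => c.body && c.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({ ...context.repo, comment_id: existing.id, body });
            } else {
              await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body });
            }

  teardown:
    name: Tear down preview
    # Mirror of the deploy guard: only PRs that could have been deployed
    # (same-repo) are torn down.
    if: github.event.action == 'closed' && github.event.pull_request.head.repo.full_name == github.repository
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v4
        with:
          # The destroy script runs from this checkout with the deploy token;
          # no git push happens, so do not leave GITHUB_TOKEN in .git/config.
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.11
      # destroy talks straight to the Cloudflare API — no install needed.
      - name: Destroy
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_PREVIEW_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_PREVIEW_ACCOUNT_ID }}
        run: bun apps/host-cloudflare/scripts/preview.ts destroy --pr ${{ github.event.pull_request.number }}
      # Rewrites the preview comment, if one exists, so the stale URL is not
      # left on the closed PR.
      - name: Mark comment as torn down
        uses: actions/github-script@v7
        with:
          script: |
            const marker = "<!-- executor-preview -->";
            const { data: comments } = await github.rest.issues.listComments({
              ...context.repo,
              issue_number: context.issue.number,
              per_page: 100,
            });
            const existing = comments.find((c) => c.body && c.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                ...context.repo,
                comment_id: existing.id,
                body: `${marker}\n### Cloudflare preview\n\nTorn down — the PR is closed.`,
              });
            }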