Comments (2)
Investigations done in week 2024-04-17
Work done with @benjaminParisel
All tests have been done in the https://github.com/process-analytics/github-actions-playground/ repository with a fake site.
Experimented with a solution with 2 steps as described in https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- first step: build the site and upload an artifact (pull_request event)
- 2nd step (workflow_run event). The current implementation of the surge-preview action wasn't able to detect the PR number in this case. We have experimented with a fix in benjaminParisel/surge-preview#1
This custom implementation has been tested in a PR created from a fork repo, see process-analytics/github-actions-playground#349. It has also been tested with a PR created from the target repository, see process-analytics/github-actions-playground#350.
We have checked that the teardown could be managed in a specific workflow like in process-analytics/github-actions-playground#351
A contribution has been proposed to the official surge-preview action afc163/surge-preview#294 which is based on our experiment.
Next steps
To have a fully working solution
- use the official surge-preview (or our own fork) including the proposed fix
- decide if we want to manage the teardown in each PR. We have a workflow in the documentation-site repo that tears down old deployments --> decision: no, this simplifies the maintenance;
- update our surge-preview-tools action (in the bonitasoft/actions repo) to make it support workflow_run to get the PR number (same implementation as in the proposed fix) (see bonitasoft/actions#131)
- validate that the 2 steps build/deploy reusable workflows work. See #703
- Notice that currently, the site is already uploaded as a workflow artifact. However, it doesn't use a fixed name. It currently includes a part which relates to the job id. This is required when the action that builds the site is used in the documentation-site repository: there are 2 jobs in the same workflow which upload the artifact so they cannot have the same name, see #676.
- This will require that the documentation-site repository provides new shared actions or reusable workflows (see #700) to manage the multi-step solution (build then deploy, then create a PR comment with the details of changes). Currently, it provides a single action that manages everything. See also #700.
- Manage PR content links in a dedicated reusable workflow: #715
- This provides a better separation of concerns.
- It also allows direct use of the existing custom action to be executed in a pull_request event context.
- This will require managing an additional workflow in all content repositories, which will increase maintenance a little, but using a “reusable workflow” will limit the cost (mainly the cost at installation time).
- It will be called in workflows triggered by the pull_request_target event (there is no build but only a check of files modified by the PR).
- do tests to build the site in a documentation content repository (for example, with labs): bonitasoft/bonita-labs-doc#159 + test with bonitasoft/bonita-labs-doc#160
- Apply the changes to all content repositories
from bonita-documentation-site.
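An added example, not code from surge-preview or from the proposed fix: one way a job running on workflow_run can resolve the PR number, assuming the pull_request job also wrote the number to a file inside the uploaded artifact, as the linked Security Lab article does. The function names and the sample payloads are hypothetical; for a fork PR the artifact content is produced by untrusted code, so it is validated before use.

```javascript
'use strict';

// Strict decimal PR number: no sign, no leading zero, bounded length.
const PR_NUMBER_RE = /^[1-9][0-9]{0,9}$/;

// Parse the PR number file taken from the artifact (untrusted for fork PRs).
function parseArtifactPrNumber(text) {
  if (typeof text !== 'string') return null;
  const trimmed = text.trim(); // tolerate the trailing newline written by `echo`
  return PR_NUMBER_RE.test(trimmed) ? Number(trimmed) : null;
}

// payload: the workflow_run event payload; artifactText: content of the
// PR number file from the artifact, or null when the file is absent.
function resolvePrNumber(payload, artifactText) {
  const run = payload && payload.workflow_run;
  if (!run || run.event !== 'pull_request') {
    return { ok: false, reason: 'not triggered by a pull_request run' };
  }
  const fromArtifact = parseArtifactPrNumber(artifactText);
  const listed = Array.isArray(run.pull_requests) ? run.pull_requests : [];
  if (listed.length > 0) {
    // GitHub filled in the PR itself: trust it over the artifact, and
    // refuse to continue if the artifact claims a different PR.
    const fromPayload = listed[0].number;
    if (artifactText != null && fromArtifact !== fromPayload) {
      return { ok: false, reason: 'artifact PR number disagrees with event payload' };
    }
    return { ok: true, number: fromPayload, source: 'payload' };
  }
  // Empty list (commonly the case for PRs opened from forks): fall back
  // to the artifact value, accepted only if it is a plain positive integer.
  if (fromArtifact === null) {
    return { ok: false, reason: 'artifact PR number missing or malformed' };
  }
  return { ok: true, number: fromArtifact, source: 'artifact' };
}

// Constructed sample payloads, trimmed to the fields used above.
const sameRepoRun = { workflow_run: { event: 'pull_request', pull_requests: [{ number: 350 }] } };
const forkRun = { workflow_run: { event: 'pull_request', pull_requests: [] } };

console.log(resolvePrNumber(sameRepoRun, '350\n'));
console.log(resolvePrNumber(forkRun, '349\n'));
console.log(resolvePrNumber(forkRun, '349 350'));
```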
All tasks are completed, so closing
Related Issues (20)
- Make the GH_TOKEN optional in the "build-and-publish-pr-preview" action HOT 1
- Tool: detect links in the documentation content that lead to HTTP 404 errors
- PR Preview: generate links from xref to other component versions
- Send a slack message when the teardown of old surge domains fails
- Documentation content repositories: place images in the right folder HOT 3
- Links in documentation to github codebase are broken as long as technical branche is not created HOT 1
- Bump the version of Node.js required to build
- Improve the management of contributions done from fork repositories
- "Publish PR preview" comments: list changes of the navbar (aka taxonomy on the left of the page)
- Surge token in GH Actions: switch for GH secrets to the use of KSM secrets manager
- The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository HOT 1
- Provide an ascidoc attribute 'page-hide-components' to hide a list of components HOT 1
- Convert build/publish preview actions to reusable workflow
- Antora contribution check action fails when PR contains deleted file
- Find alternative to the hack introduced in the "changes list" reusable workflow
- `undefined/undefined` listed in the "Check the pages that have been modified" PR comment
- The PR preview on surge is displaying the content of another PR HOT 3
- Preview link generated in comment for contribution is wrong when we use subfolder HOT 1
- Evaluate whether it's worth having a reusable workflow to teardown the surge preview is worth it