Allow trusted preview hosts #86
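# Deploy workflow: a `plan` job decides which environments to deploy and which
# ref to build, `quality-gate` checks that ref, and `deploy` builds and ships
# it once per planned environment.
name: Deploy

on:
  pull_request:
    types: [labeled, synchronize]
  push:
    branches: [main]
  release:
    types: [published]

# Least privilege for the GITHUB_TOKEN: the steps in this file only need to
# read the repository. NOTE(review): `make ci-deploy` and the turbo tasks are
# not visible here; confirm none of them needs a write scope.
permissions:
  contents: read

concurrency:
  group: deploy-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref_name }}
  cancel-in-progress: true

jobs:
  plan:
    name: Plan deploy
    runs-on: ubuntu-latest
    outputs:
      environments: ${{ steps.plan.outputs.environments }}
      ref: ${{ steps.plan.outputs.ref }}
    steps:
      - id: plan
        # Event fields reach the script through env vars, never through
        # `${{ }}` inside `run:`, so label and tag text is treated as data by
        # the shell instead of being spliced into the script.
        env:
          EVENT_NAME: ${{ github.event_name }}
          ACTION: ${{ github.event.action }}
          ADDED_LABEL: ${{ github.event.label.name }}
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          # Environments a PR label is allowed to target (development only).
          # NOTE(review): testnet.li is also a release target below; confirm it
          # is meant to be deployable from a PR label.
          ALLOWED='["westend.li","dotli.dev","paseoli.dev","westendli.dev","testnet.li"]'
          case "$EVENT_NAME" in
            release)
              echo 'environments=["paseo.li","testnet.li"]' >> "$GITHUB_OUTPUT"
              echo "ref=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
              ;;
            push)
              echo 'environments=["paseoli.dev"]' >> "$GITHUB_OUTPUT"
              echo "ref=" >> "$GITHUB_OUTPUT"
              ;;
            pull_request)
              # On `labeled` only the just-added label triggers a deploy; on
              # `synchronize` (new commit) consider all labels currently on the PR.
              if [ "$ACTION" = "labeled" ]; then
                CANDIDATES="$(jq -nc --arg l "$ADDED_LABEL" '[$l]')"
              else
                CANDIDATES="$PR_LABELS"
              fi
              # Keep only `deploy: <env>` labels whose <env> is on the allow-list;
              # any other label text is dropped and never reaches the matrix.
              ENVS="$(jq -nc --argjson cands "$CANDIDATES" --argjson allowed "$ALLOWED" '
                [ $cands[]
                  | select(type == "string" and startswith("deploy: "))
                  | ltrimstr("deploy: ")
                  | select(IN($allowed[])) ]
                | unique')"
              echo "environments=$ENVS" >> "$GITHUB_OUTPUT"
              # Pin the exact head commit from the event payload, not a branch name.
              echo "ref=$PR_HEAD_SHA" >> "$GITHUB_OUTPUT"
              ;;
            *)
              # Fail closed: an event this script does not know deploys nothing.
              echo 'environments=[]' >> "$GITHUB_OUTPUT"
              echo "ref=" >> "$GITHUB_OUTPUT"
              ;;
          esac

  quality-gate:
    name: Quality Gate
    needs: plan
    if: needs.plan.outputs.environments != '[]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Check the same ref the deploy job builds. Without this a
          # pull_request run checks out the merge commit while `deploy` ships
          # the PR head, so the gate would not cover the deployed code.
          ref: ${{ needs.plan.outputs.ref || github.sha }}
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version: "1.3.13"
      - run: bun install --frozen-lockfile
      - name: Check formatting
        run: bunx --bun prettier --check "**/*.{ts,tsx,md}"
      - name: Lint
        run: bunx --bun turbo run lint
      - name: Type check
        run: bunx --bun turbo run typecheck
      - name: Unit tests
        run: bunx --bun turbo run test

  deploy:
    name: Deploy ${{ matrix.environment }}
    needs: [plan, quality-gate]
    runs-on: ubuntu-latest
    # Secrets and vars below resolve per GitHub environment.
    environment: ${{ matrix.environment }}
    strategy:
      fail-fast: false
      matrix:
        environment: ${{ fromJSON(needs.plan.outputs.environments) }}
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: ${{ needs.plan.outputs.ref || github.sha }}
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version: "1.3.13"
      - run: bun install --frozen-lockfile
      # Sync every workspace package.json to the release tag
      - name: Sync package versions to release tag
        if: github.event_name == 'release'
        # The tag name is passed as an env var: expanding `${{ }}` inside
        # `run:` would paste the tag text into the shell script itself.
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: bun scripts/set-version.ts "$RELEASE_TAG"
      # NOTE(review): on label-triggered runs this builds PR-authored code with
      # SENTRY_AUTH_TOKEN in the environment; confirm the target environments'
      # protection rules cover that. Vite embeds VITE_-prefixed values in the
      # client bundle by default, so VITE_SENTRY_DSN and VITE_METRICS should be
      # treated as public once deployed.
      - run: bunx --bun turbo run build:prod
        env:
          VITE_APP_URL: ${{ vars.APP_URL }}
          VITE_APP_DEBUG: ${{ vars.APP_DEBUG }}
          VITE_COMMIT_SHA: ${{ github.sha }}
          VITE_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
          VITE_METRICS: ${{ secrets.VITE_METRICS }}
          VITE_NETWORKS: ${{ vars.NETWORKS }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
      - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
        with:
          ssh-private-key: ${{ secrets.DEPLOY_SSH_KEY }}
      # NOTE(review): ssh-keyscan records whatever host key the network returns
      # on each run, so it does not authenticate the deploy host. Prefer
      # storing the expected known_hosts line as an environment secret or
      # variable and writing that value here instead.
      - env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
        run: ssh-keyscan "$DEPLOY_HOST" >> ~/.ssh/known_hosts
      - name: Deploy
        run: make ci-deploy
        env:
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}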