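---
name: Deploy
##############################################################################
# WARNING!
# This workflow (re-)uses information from the commit/ref that triggered it:
# the branch or tag name, the committer and the commit message.
#
# All of this is **untrusted** input. Expanding `github.*` values -- or any
# step output derived from them -- directly via `${{ }}` inside a `run:`
# script lets whoever controls the value inject shell commands into the
# runner (and, in the deploy job, read the dist PAT from `.git/config`).
#
# Mitigation used throughout this file: an untrusted value is first bound to
# a step-scoped environment variable (`env:`) and the script references only
# the shell variable, always double-quoted. Never expand it via `${{ }}`
# inside `run:`.
#
# For more information, see:
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
##############################################################################
on:
  # Run for every pushed tag -- final releases and RC tags alike -- so any
  # tagged version lands in the dist repo for internal consumers.
  push:
    tags:
      - '**'
  # Allow manually triggering the workflow (only collaborators with write
  # access can dispatch it).
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes with it
# (the push to the dist repo uses a dedicated PAT), so read-only is enough.
permissions:
  contents: read

# Cancel previous, still running workflow runs for the same ref.
concurrency:
  # The concurrency group is the workflow name plus the (branch or tag) ref.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  DIST_ORG: 'Yoast-dist'
  DIST_DEFAULT_BRANCH: 'main'

jobs: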
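prepare:
  name: "Prepare the artifact"
  # Don't run on forks.
  if: github.repository_owner == 'Yoast'
  runs-on: ubuntu-latest
  steps:
    - name: Checkout code
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        # This job never pushes; don't leave GITHUB_TOKEN behind in .git/config.
        persist-credentials: false

    - name: Install PHP
      uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
      with:
        # Quoted on purpose: an unquoted `7.4` is parsed as a YAML float (and a
        # future `7.10` would silently become `7.1`).
        php-version: '7.4'
        coverage: none
      env:
        fail-fast: true

    # https://github.com/actions/setup-node
    - name: Set up node and disable caching of dependencies
      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: '14'
        # Explicitly NOT using the cache functionality to prevent cache poisoning for deployments.
        cache: ''
        package-manager-cache: false

    - name: "Debug info: show tooling versions"
      run: |
        php -v
        node --version
        npm --version
        yarn --version
        grunt --version
        git --version

    # The Grunt artifact creation will run `composer install` twice (first: no-dev, then dev).
    # Explicitly NOT using the cache functionality via the `ramsey.composer-install` action runner to prevent cache poisoning for deployments.
    - name: Yarn install
      # Same supply-chain reasoning as the disabled caches: a deploy build must
      # install exactly the dependency tree recorded in the committed lockfile
      # and fail if package.json and yarn.lock have drifted apart.
      # Assumes yarn classic with a committed yarn.lock -- confirm for this repo.
      run: yarn install --frozen-lockfile

    - name: "Grunt: set package version (tags only)"
      if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
      env:
        # The tag name is untrusted input: bind it to an env var, never expand
        # it via ${{ }} inside `run`.
        REF_NAME: ${{ github.ref_name }}
      run: grunt set-version -new-version="$REF_NAME"

    - name: "Grunt: update package version (tags only)"
      if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
      run: grunt update-version

    - name: "Grunt: create artifact"
      run: grunt artifact

    - name: "Debug info: show contents of artifacts directory"
      run: tree -aC ./artifact

    - name: "Debug info: check git status"
      run: git status -b -v -u

    # Retention is normally 90 days, but this artifact is only for review
    # and use in the next job, so no need to keep it for more than a day.
    - name: Upload the artifact folder
      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      if: ${{ success() }}
      with:
        name: deploy-artifact
        path: ./artifact
        if-no-files-found: error
        retention-days: 1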
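deploy:
  name: "Deploy to dist"
  # Don't run on forks.
  if: github.repository_owner == 'Yoast'
  needs: prepare
  runs-on: ubuntu-latest
  steps:
    # Derive the target branch in the dist repo and the commit title.
    # - tag push: commit to the dist default branch, title "Release <tag>".
    # - manual run: commit to a dist branch named after the source ref.
    - name: "Set variables: target branch, commit title"
      id: set_vars
      env:
        # The branch/tag name is untrusted input (see header): env var only.
        REF_NAME: ${{ github.ref_name }}
        EVENT_NAME: ${{ github.event_name }}
        REF_TYPE: ${{ github.ref_type }}
      run: |
        if [[ "$EVENT_NAME" == 'push' && "$REF_TYPE" == 'tag' ]]; then
          echo "BRANCH=$DIST_DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
          echo "TITLE=Release $REF_NAME" >> "$GITHUB_OUTPUT"
        else # = manually triggered.
          echo "BRANCH=$REF_NAME" >> "$GITHUB_OUTPUT"
          echo "TITLE=Manual deploy for $REF_NAME" >> "$GITHUB_OUTPUT"
        fi

    - name: Checkout Yoast Dist repo
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        repository: ${{ env.DIST_ORG }}/${{ github.event.repository.name }}
        ref: ${{ env.DIST_DEFAULT_BRANCH }}
        # Personal Access Token for (push) access to the dist version of the repo.
        # Keep this token scoped to the dist repository and to contents write
        # only: every later `run` step in this job can read it from .git/config.
        token: ${{ secrets.YOASTBOT_CI_PAT_DIST }}
        fetch-depth: 0
        # Required so the final `git push` can authenticate. This is exactly
        # why no step below may expand untrusted input via ${{ }} in `run`.
        persist-credentials: true

    - name: "Create branch/Switch to branch"
      if: ${{ steps.set_vars.outputs.BRANCH != env.DIST_DEFAULT_BRANCH }}
      env:
        # Derived from the (untrusted) source ref name; bind to an env var
        # instead of expanding the step output inside the script.
        BRANCH: ${{ steps.set_vars.outputs.BRANCH }}
      # A ref name git refuses as a branch name (e.g. a leading `-`) makes
      # both commands fail and the job stop -- that is the intended outcome.
      run: git checkout "$BRANCH" 2>/dev/null || git checkout -b "$BRANCH"

    # Clean out all files to make sure that deleted files will actually
    # be deleted when the artifact gets put in place.
    - name: Remove all files
      run: |
        # Delete every entry in the repo root except `.git` itself.
        # `find` is used rather than an extglob so that dotfiles (.gitignore,
        # .htaccess, ...) are removed independent of the `dotglob` setting.
        find . -mindepth 1 -maxdepth 1 ! -name .git -exec rm -vrf -- {} +

    # After the previous step, only the `.git` directory and its contents should remain.
    - name: "Debug info: show contents of root directory after cleaning"
      run: tree -aC .

    # The artifact will be unpacked into the root directory of the repository.
    - name: Download and unpack the prepared artifact
      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: deploy-artifact

    - name: "Debug info: show contents of root directory after artifact insertion"
      run: tree -aC .

    - name: "Debug info: check git status"
      run: git status -b -v -u

    - name: Set Git config
      env:
        ACTOR: ${{ github.actor }}
      run: |
        git config user.name 'GitHub Action'
        git config user.email "$ACTOR@users.noreply.github.com"

    - name: Stage files
      run: git add -A

    # All values below come from the triggering event and are untrusted; they
    # are only ever passed to git as quoted arguments.
    # NOTE: on a manual (workflow_dispatch) run `github.event.head_commit` is
    # not present, so the "Last commit" lines will be empty.
    - name: Commit the files
      env:
        TITLE: ${{ steps.set_vars.outputs.TITLE }}
        COMMITTER: ${{ github.event.head_commit.committer.username }}
        COMMIT_MSG: ${{ github.event.head_commit.message }}
        COMMIT_URL: ${{ github.event.head_commit.url }}
        COMMIT_TIME: ${{ github.event.head_commit.timestamp }}
      run: |
        git commit -m "$TITLE" \
          -m "Last commit: $COMMIT_URL" \
          -m "Timestamp for last commit: $COMMIT_TIME" \
          -m "Committer for last commit: @$COMMITTER" \
          -m "" \
          -m "Commit message last commit:" \
          -m "---------------------------" \
          -m "$COMMIT_MSG"

    - name: "Tag the commit (releases only)"
      if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
      env:
        REF_NAME: ${{ github.ref_name }}
      run: git tag "$REF_NAME" "$(git rev-parse HEAD)"

    - name: Push to target branch
      env:
        BRANCH: ${{ steps.set_vars.outputs.BRANCH }}
      # `--tags` pushes every local tag; after a full-depth clone these are the
      # dist repo's own tags plus the one created above.
      run: git push -u origin "$BRANCH" --tags -v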