Add comments and cleanup

gristlabs · Jul 3, 2024 · 1444424 · 1444424
1 parent 5462ae1
commit 1444424
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 15 deletions.
diff --git a/.github/workflows/fly-build.yml b/.github/workflows/fly-build.yml
@@ -1,3 +1,5 @@
+# fly-deploy will be triggered on completion of this workflow to actually deploy the code to fly.io.
+
 name: fly.io Build
 on:
   pull_request:
@@ -28,6 +30,9 @@ jobs:
           echo PR_NUMBER=${{ github.event.number }} >> ./pr-info.txt
           echo PR_SOURCE=${{ github.event.pull_request.head.repo.full_name }}-${{ github.event.pull_request.head.ref }} >> ./pr-info.txt
           echo PR_SHASUM=${{ github.event.pull_request.head.sha }} >> ./pr-info.txt
+        # PR_SOURCE looks like <owner>/<repo>-<branch>.
+        # For example, if the GitHub user "foo" forked grist-core as "grist-bar", and makes a PR from their branch named "baz",
+        # it will be "foo/grist-bar-baz". deploy.js later replaces "/" with "-", making it "foo-grist-bar-baz".
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:

diff --git a/.github/workflows/fly-cleanup.yml b/.github/workflows/fly-cleanup.yml
@@ -12,12 +12,12 @@ env:
 
 jobs:
   clean:
-      name: Clean stale deployed apps
-      runs-on: ubuntu-latest
-      if: github.repository_owner == 'gristlabs'
-      steps:
-        - uses: actions/checkout@v3
-        - uses: superfly/flyctl-actions/setup-flyctl@master
-          with:
-            version: 0.2.72
-        - run: node buildtools/fly-deploy.js clean
+    name: Clean stale deployed apps
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'gristlabs'
+    steps:
+      - uses: actions/checkout@v3
+      - uses: superfly/flyctl-actions/setup-flyctl@master
+        with:
+          version: 0.2.72
+      - run: node buildtools/fly-deploy.js clean
diff --git a/.github/workflows/fly-deploy.yml b/.github/workflows/fly-deploy.yml
@@ -1,3 +1,7 @@
+# Follow-up of fly-build, with access to secrets for making deployments.
+# This workflow runs in the target repo context. It does not, and should never execute user-supplied code.
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
 name: fly.io Deploy
 on:
   workflow_run:
@@ -18,7 +22,7 @@ jobs:
         uses: superfly/flyctl-actions/setup-flyctl@master
         with:
           version: 0.2.72
-      - name: Download artifact
+      - name: Download artifacts
         uses: actions/github-script@v7
         with:
           script: |
@@ -38,7 +42,7 @@ jobs:
             });
             var fs = require('fs');
             fs.writeFileSync('${{github.workspace}}/docker-image.zip', Buffer.from(download.data));
-      - name: Extract artifact
+      - name: Extract artifacts
         id: extract_artifacts
         run: |
           unzip docker-image.zip

diff --git a/.github/workflows/fly-destroy.yml b/.github/workflows/fly-destroy.yml
@@ -1,3 +1,7 @@
+# This workflow runs in the target repo context, as it is triggered via pull_request_target.
+# It does not, and should not have access to code in the PR.
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
 name: fly.io Destroy
 on:
   pull_request_target:
@@ -23,13 +27,10 @@ jobs:
         uses: superfly/flyctl-actions/setup-flyctl@master
         with:
           version: 0.2.72
-      - name: Dump GitHub context
-        env:
-          GITHUB_CONTEXT: ${{ toJson(github) }}
-        run: echo "$GITHUB_CONTEXT"
       - name: Destroy fly.io app
         env:
           FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
           BRANCH_NAME: ${{ github.event.pull_request.head.repo.full_name }}-${{ github.event.pull_request.head.ref }}
+          # See fly-build for what BRANCH_NAME looks like.
         id: fly_destroy
         run: node buildtools/fly-deploy.js destroy