From 327d9353f7dc121b67888db7d1df9477362c1caa Mon Sep 17 00:00:00 2001
From: "Leslie H."
Date: Wed, 3 Jul 2024 12:18:10 -0400
Subject: [PATCH] Add comments and cleanup

---
 .github/workflows/fly-build.yml | 5 +++++
 .github/workflows/fly-cleanup.yml | 18 +++++++++---------
 .github/workflows/fly-deploy.yml | 8 ++++++--
 .github/workflows/fly-destroy.yml | 8 ++++----
 4 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/fly-build.yml b/.github/workflows/fly-build.yml
index 6ddfa852617..26c5fee5a63 100644
--- a/.github/workflows/fly-build.yml
+++ b/.github/workflows/fly-build.yml
@@ -1,3 +1,5 @@
+# fly-deploy will be triggered on completion of this workflow to actually deploy the code to fly.io.
+
 name: fly.io Build
 on:
 pull_request:
@@ -28,6 +30,9 @@ jobs:
 echo PR_NUMBER=${{ github.event.number }} >> ./pr-info.txt
 echo PR_SOURCE=${{ github.event.pull_request.head.repo.full_name }}-${{ github.event.pull_request.head.ref }} >> ./pr-info.txt
 echo PR_SHASUM=${{ github.event.pull_request.head.sha }} >> ./pr-info.txt
+ # PR_SOURCE looks like /-.
+ # For example, if the GitHub user "foo" forked grist-core as "grist-bar", and makes a PR from their branch named "baz",
+ # it will be "foo/grist-bar-baz". deploy.js later replaces "/" with "-", making it "foo-grist-bar-baz".
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/fly-cleanup.yml b/.github/workflows/fly-cleanup.yml
index bc5e5b29b0f..6250e589aeb 100644
--- a/.github/workflows/fly-cleanup.yml
+++ b/.github/workflows/fly-cleanup.yml
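Review bot: The `echo PR_SOURCE=…` line in the second hunk expands `github.event.pull_request.head.ref` directly inside a `run:` script, which is the expression-injection pattern the securitylab article this commit links to warns about: `${{ }}` is substituted before bash sees the script, so a branch name containing `$(…)` or backticks is executed. On a `pull_request` trigger the job already runs the PR's own code with a read-only token, so the direct impact here is small, but the `pr-info.txt` it writes travels by artifact to the secret-bearing fly-deploy workflow, so its contents must be treated as attacker-controlled there. Passing the fields through `env:` and quoting them removes the injection: `env: { PR_REPO: '${{ github.event.pull_request.head.repo.full_name }}', PR_REF: '${{ github.event.pull_request.head.ref }}' }` on the step, then `echo "PR_SOURCE=${PR_REPO}-${PR_REF}" >> ./pr-info.txt`. The added comment also reads `looks like /-.` — the placeholder names (presumably `<owner>/<repo>-<branch>`) appear to have been lost, whether in the commit or in rendering, so I would write them without angle brackets: `# PR_SOURCE looks like OWNER/REPO-BRANCH.`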
@@ -12,12 +12,12 @@ env:
 jobs:
 clean:
- name: Clean stale deployed apps
- runs-on: ubuntu-latest
- if: github.repository_owner == 'gristlabs'
- steps:
- - uses: actions/checkout@v3
- - uses: superfly/flyctl-actions/setup-flyctl@master
- with:
- version: 0.2.72
- run: node buildtools/fly-deploy.js clean
+ name: Clean stale deployed apps
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'gristlabs'
+ steps:
+ - uses: actions/checkout@v3
+ - uses: superfly/flyctl-actions/setup-flyctl@master
+ with:
+ version: 0.2.72
+ - run: node buildtools/fly-deploy.js clean
diff --git a/.github/workflows/fly-deploy.yml b/.github/workflows/fly-deploy.yml
index 22c3998a6ce..5a4c0711826 100644
--- a/.github/workflows/fly-deploy.yml
+++ b/.github/workflows/fly-deploy.yml
@@ -1,3 +1,7 @@
+# Follow-up of fly-build, with access to secrets for making deployments.
+# This workflow runs in the target repo context. It does not, and should never execute user-supplied code.
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
 name: fly.io Deploy
 on:
 workflow_run:
@@ -18,7 +22,7 @@ jobs:
 uses: superfly/flyctl-actions/setup-flyctl@master
 with:
 version: 0.2.72
- - name: Download artifact
+ - name: Download artifacts
 uses: actions/github-script@v7
 with:
 script: |
@@ -38,7 +42,7 @@ jobs:
 });
 var fs = require('fs');
 fs.writeFileSync('${{github.workspace}}/docker-image.zip', Buffer.from(download.data));
- - name: Extract artifact
+ - name: Extract artifacts
 id: extract_artifacts
 run: |
 unzip docker-image.zip
diff --git a/.github/workflows/fly-destroy.yml b/.github/workflows/fly-destroy.yml
index 03b7fccb0a9..d8a69377ae9 100644
--- a/.github/workflows/fly-destroy.yml
+++ b/.github/workflows/fly-destroy.yml
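Review bot: The new header comment on fly-deploy states that the workflow never executes user-supplied code, but the steps in the later hunks download and `unzip` an artifact that was produced by the untrusted `pull_request` run of fly-build, so everything in that zip (the image and `pr-info.txt`) is attacker-controlled data even though no PR script is run — the linked securitylab series covers exactly this artifact-poisoning case for `workflow_run` consumers. The comment should say so, e.g. `# The artifact it downloads was built by an untrusted pull_request run: treat every file in it (pr-info.txt, the image) as attacker-controlled data and validate before use.` Whatever parses `pr-info.txt` is outside these hunks, so I cannot confirm it, but PR_NUMBER should be checked as an integer and PR_SHASUM as a hex SHA before either reaches flyctl or a shell. Separately, `superfly/flyctl-actions/setup-flyctl@master` in the `@@ -18` hunk is a mutable ref in a job holding deployment secrets; pinning it to a commit SHA is standard Actions hardening for secret-bearing jobs.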
@@ -1,3 +1,7 @@
+# This workflow runs in the target repo context, as it is triggered via pull_request_target.
+# It does not, and should not have access to code in the PR.
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
 name: fly.io Destroy
 on:
 pull_request_target:
@@ -23,10 +27,6 @@ jobs:
 uses: superfly/flyctl-actions/setup-flyctl@master
 with:
 version: 0.2.72
- name: Dump GitHub context
- env:
- GITHUB_CONTEXT: ${{ toJson(github) }}
- run: echo "$GITHUB_CONTEXT"
 - name: Destroy fly.io app
 env:
 FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
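Review bot: The new comment says this `pull_request_target` workflow has no access to code in the PR, which is true, but it still receives PR-controlled metadata (`github.event.pull_request.head.ref`, title, body) in a job that holds `FLY_API_TOKEN`, and that metadata is the injection surface the linked article is actually about. The "Destroy fly.io app" step's `run:` lies outside the second hunk, so I cannot tell whether it expands any of those fields; if it does, they should be passed via `env:` rather than interpolated inside the script. I would extend the comment: `# It does receive PR metadata (branch name, title, ...) which is attacker-controlled: never expand github.event.pull_request.* inside run: scripts here, pass it through env: instead.` Removing the "Dump GitHub context" step in the second hunk is the right call, as it printed the whole event payload into the job log.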