Merge pull request #1005 from OWASP/renovate/google-auth-library-10.x… #253
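--- # yamllint disable rule:line-length
name: "Preview Deployment"

on:
  pull_request:
    types: [opened, synchronize, reopened]
  push:
    branches: [main]

# Least privilege: the workflow default is read-only and each job below
# requests only the write scope it actually uses (packages for the build
# job, pull-requests for the commenting job).
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}

jobs:
  set-tag:
    name: "Determine Tag"
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.set-tag.outputs.tag }}
    steps:
      - name: Set output tag
        id: set-tag
        # Context values go through env instead of being interpolated into
        # the script text, so the shell treats them as data, never as code.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.number }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "${EVENT_NAME}" = "pull_request" ]; then
            echo "tag=pr-${PR_NUMBER}" >> "$GITHUB_OUTPUT"
          else
            echo "tag=${REF_NAME}" >> "$GITHUB_OUTPUT"
          fi

  build-and-publish:
    name: "Build and Publish Preview Images"
    runs-on: ubuntu-latest
    needs: set-tag
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        component:
          - wrongsecrets-balancer
          - cleaner
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE_PREFIX }}/${{ matrix.component }}
          tags: |
            type=raw,value=${{ needs.set-tag.outputs.tag }}
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: ./${{ matrix.component }}
          file: ./${{ matrix.component }}/Dockerfile
          # Only push if it's a push to main OR a PR from the same repo (not a fork)
          # External contributors from forks can't write to the org's container registry
          push: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64

  generate-preview-instructions:
    name: "Generate Preview Instructions"
    runs-on: ubuntu-latest
    needs: [set-tag, build-and-publish]
    if: github.event_name == 'pull_request'
    # No checkout is needed: every step here only writes files it creates
    # itself and talks to the API, so the job runs with the smallest scope.
    permissions:
      pull-requests: write
    steps:
      - name: Generate preview values
        id: values
        env:
          IMAGE_PREFIX: ${{ env.IMAGE_PREFIX }}
          TAG: ${{ needs.set-tag.outputs.tag }}
        run: |
          # Create a preview values file
          cat > preview-values.yaml << EOF
          balancer:
            repository: ${IMAGE_PREFIX}/wrongsecrets-balancer
            tag: ${TAG}
          wrongsecretsCleanup:
            repository: ${IMAGE_PREFIX}/cleaner
            tag: ${TAG}
          # Preview configuration
          ingress:
            enabled: true
            hosts:
              - host: >-
                  preview-${TAG}.wrongsecrets.local
                paths:
                  - "/"
          EOF
          # Output the content for use in the comment
          {
            echo "values<<EOF"
            cat preview-values.yaml
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
      - name: Create deployment instructions
        id: instructions
        env:
          IMAGE_PREFIX: ${{ env.IMAGE_PREFIX }}
          TAG: ${{ needs.set-tag.outputs.tag }}
          PR_NUMBER: ${{ github.event.number }}
          REPO_OWNER: ${{ github.repository_owner }}
          VALUES_CONTENT: ${{ steps.values.outputs.values }}
          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
        run: |
          # yamllint disable rule:line-length
          # Both variants open with the same hidden HTML marker so the comment
          # step can recognise and update an earlier bot comment whichever
          # variant it contained.
          if [ "${IS_FORK}" = "true" ]; then
            cat > instructions.md << EOF
          <!-- wrongsecrets-preview-instructions -->
          ## 🚀 Preview Build Complete!

          Your pull request has been built successfully. However, since this is from a fork, preview images cannot be pushed to the organization's container registry.

          ### Testing Your Changes

          To test your changes, you can build and deploy locally:

          \`\`\`bash
          # Clone this PR
          git fetch origin pull/${PR_NUMBER}/head:pr-${PR_NUMBER}
          git checkout pr-${PR_NUMBER}

          # Build and deploy locally
          ./build-and-deploy.sh

          # Or for minikube
          ./build-and-deploy-minikube.sh

          # Port forward to access locally
          kubectl port-forward service/wrongsecrets-balancer 3000:3000
          \`\`\`

          ### Alternative: Manual Build

          \`\`\`bash
          # Build images locally
          cd wrongsecrets-balancer
          docker build -t my-wrongsecrets-balancer:test .
          cd ../cleaner
          docker build -t my-cleaner:test .

          # Deploy with custom images using Helm
          helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
          helm repo update
          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
            --set balancer.repository=my-wrongsecrets-balancer \\
            --set balancer.tag=test \\
            --set wrongsecretsCleanup.repository=my-cleaner \\
            --set wrongsecretsCleanup.tag=test \\
            --set balancer.imagePullPolicy=Never \\
            --set wrongsecretsCleanup.imagePullPolicy=Never
          \`\`\`

          ### Why Can't Images Be Pushed?

          External contributors don't have write permissions to the organization's GitHub Container Registry. This is a security measure to protect the organization's packages.

          ---
          *This preview was automatically generated for PR #${PR_NUMBER}*
          EOF
          else
            cat > instructions.md << EOF
          <!-- wrongsecrets-preview-instructions -->
          ## 🚀 Preview Deployment Ready!

          Your pull request has been built and is ready for preview deployment.
          Here's how to test your changes:

          ### Container Images Built

          - **Balancer**: \`${IMAGE_PREFIX}/wrongsecrets-balancer:${TAG}\`
          - **Cleaner**: \`${IMAGE_PREFIX}/cleaner:${TAG}\`

          ### Quick Deploy with Helm

          \`\`\`bash
          # Add the wrongsecrets helm repository
          helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
          helm repo update

          # Deploy with preview images
          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
            --set balancer.repository=${IMAGE_PREFIX}/wrongsecrets-balancer \\
            --set balancer.tag=${TAG} \\
            --set wrongsecretsCleanup.repository=${IMAGE_PREFIX}/cleaner \\
            --set wrongsecretsCleanup.tag=${TAG} \\
            --set imagePullPolicy=Always

          # Port forward to access locally
          kubectl port-forward service/wrongsecrets-balancer 3000:3000
          \`\`\`

          ### Deploy with Custom Values

          <details>
          <summary>Click to see preview-values.yaml</summary>

          \`\`\`yaml
          ${VALUES_CONTENT}
          \`\`\`

          </details>

          \`\`\`bash
          # Save the above values to preview-values.yaml, then:
          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \\
            -f preview-values.yaml
          \`\`\`

          ### Deploy with Local Build Scripts

          \`\`\`bash
          # Clone this PR
          git fetch origin pull/${PR_NUMBER}/head:pr-${PR_NUMBER}
          git checkout pr-${PR_NUMBER}

          # Use the existing deployment script with custom images
          ./build-and-deploy.sh
          \`\`\`

          ### Test the Changes

          1. Access the application at http://localhost:3000
          2. Create a team and verify functionality
          3. Test any new features or bug fixes

          ### Container Registry

          The preview images are available at:
          - https://github.com/${REPO_OWNER}/wrongsecrets-ctf-party/pkgs/container/wrongsecrets-balancer
          - https://github.com/${REPO_OWNER}/wrongsecrets-ctf-party/pkgs/container/cleaner

          ---
          *This preview was automatically generated for PR #${PR_NUMBER}*
          EOF
          fi
          # yamllint enable rule:line-length
          {
            echo "content<<EOF"
            cat instructions.md
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
      - name: Publish instructions to the job summary
        # The job summary is written with no API call, so it works with the
        # read-only token a fork PR receives; fork contributors still get
        # their instructions even though commenting below is skipped for them.
        run: cat instructions.md >> "$GITHUB_STEP_SUMMARY"
      - name: Comment on PR
        # Under `pull_request`, a PR from a fork runs with a read-only
        # GITHUB_TOKEN, so createComment/updateComment would fail; only
        # same-repo PRs are commented on.
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/github-script@v7
        env:
          INSTRUCTIONS_CONTENT: ${{ steps.instructions.outputs.content }}
        with:
          script: |
            const { owner, repo } = context.repo;
            const issue_number = context.issue.number;
            const marker = '<!-- wrongsecrets-preview-instructions -->';
            const body = process.env.INSTRUCTIONS_CONTENT;
            // An empty body is rejected by the API; fail early with a clear message.
            if (!body || body.trim() === '') {
              core.setFailed('No instructions content to post');
              return;
            }
            // Walk every page: listComments returns a single page (30 items) by
            // default, so on busy PRs the bot comment would be missed and a
            // duplicate posted on every synchronize.
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner,
              repo,
              issue_number,
              per_page: 100,
            });
            // Match on the hidden marker shared by both instruction variants; the
            // heading check keeps comments from earlier workflow versions updatable.
            const existingComment = comments.find((comment) =>
              comment.user?.login === 'github-actions[bot]' &&
              (comment.body?.includes(marker) ||
                comment.body?.includes('🚀 Preview Deployment Ready!'))
            );
            if (existingComment) {
              // Update existing comment
              await github.rest.issues.updateComment({
                owner,
                repo,
                comment_id: existingComment.id,
                body,
              });
            } else {
              // Create new comment
              await github.rest.issues.createComment({
                owner,
                repo,
                issue_number,
                body,
              });
            }

  notify-main-branch:
    name: "Notify Main Branch Build"
    runs-on: ubuntu-latest
    needs: [set-tag, build-and-publish]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - name: Create main branch notification
        env:
          TAG: ${{ needs.set-tag.outputs.tag }}
        run: |
          # yamllint disable rule:line-length
          # Printed to the step log and appended to the job summary so it is
          # visible from the run page without opening the step output.
          {
            echo "## 🚀 Main Branch Preview Images Updated!"
            echo ""
            echo "New preview images have been built for the main branch:"
            echo ""
            echo "- **Balancer**: \`${IMAGE_PREFIX}/wrongsecrets-balancer:${TAG}\`"
            echo "- **Cleaner**: \`${IMAGE_PREFIX}/cleaner:${TAG}\`"
            echo ""
            echo "These can be used for testing the latest main branch changes."
          } | tee -a "$GITHUB_STEP_SUMMARY"
          # yamllint enable rule:line-length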