shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
06cfe2705a43839a4f90f27a0543acf3090ad57d
coder/.github/workflows/pr-deploy.yaml
T
dependabot[bot] 06cfe2705a ci: bump the github-actions group with 3 updates (#22125) 
Bumps the github-actions group with 3 updates:
[step-security/harden-runner](https://github.com/step-security/harden-runner),
[depot/setup-action](https://github.com/depot/setup-action) and
[depot/build-push-action](https://github.com/depot/build-push-action).

Updates `step-security/harden-runner` from 2.14.1 to 2.14.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's
releases</a>.</em></p>
<blockquote>
<h2>v2.14.2</h2>
<h2>What's Changed</h2>
<p>Security fix: Fixed a medium severity vulnerability where outbound
network connections using sendto, sendmsg, and sendmmsg socket system
calls could bypass audit logging when using egress-policy: audit. This
issue only affects the Community Tier in audit mode; block mode and
Enterprise Tier were not affected. See <a
href="https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq">GHSA-cpmj-h4f6-r6pq</a>
for details.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2">https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/step-security/harden-runner/commit/5ef0c079ce82195b2a36a210272d6b661572d83e"><code>5ef0c07</code></a>
Merge pull request <a
href="https://redirect.github.com/step-security/harden-runner/issues/635">#635</a>
from step-security/rc-34</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/eb43c7b3fd5a30c42ff1ab84b494f1cc6c7cc3b6"><code>eb43c7b</code></a>
update agent</li>
<li>See full diff in <a
href="https://github.com/step-security/harden-runner/compare/e3f713f2d8f53843e71c69a996d56f51aa9adfb9...5ef0c079ce82195b2a36a210272d6b661572d83e">compare
view</a></li>
</ul>
</details>
<br />

Updates `depot/setup-action` from 1.6.0 to 1.7.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/depot/setup-action/releases">depot/setup-action's
releases</a>.</em></p>
<blockquote>
<h2>v1.7.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update release workflow to ubuntu-latest (<a
href="https://redirect.github.com/depot/setup-action/issues/19">#19</a>)
<a
href="https://github.com/jacobwgillespie"><code>@​jacobwgillespie</code></a></li>
</ul>
<h2>v1.7.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: update node to v24 (<a
href="https://redirect.github.com/depot/setup-action/issues/18">#18</a>)
<a
href="https://github.com/WitoDelnat"><code>@​WitoDelnat</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/depot/setup-action/commit/15c09a5f77a0840ad4bce955686522a257853461"><code>15c09a5</code></a>
Merge pull request <a
href="https://redirect.github.com/depot/setup-action/issues/19">#19</a>
from depot/jacobwgillespie-patch-1</li>
<li><a
href="https://github.com/depot/setup-action/commit/3194a53ed0aa42e00bc88f2411ab49d3f60219ba"><code>3194a53</code></a>
Update release workflow to ubuntu-latest</li>
<li><a
href="https://github.com/depot/setup-action/commit/c0b08c3ba30137f89e75961508b587484558ff0f"><code>c0b08c3</code></a>
Merge pull request <a
href="https://redirect.github.com/depot/setup-action/issues/18">#18</a>
from depot/wito/dep-2955-update-our-actions-to-use-nod...</li>
<li><a
href="https://github.com/depot/setup-action/commit/23e67ebf8b5a313459580616cd34c7787607ac86"><code>23e67eb</code></a>
chore: update action dependencies</li>
<li><a
href="https://github.com/depot/setup-action/commit/0886069e678860faf0d22c46e9f154d35beaa529"><code>0886069</code></a>
chore: update node to v24</li>
<li>See full diff in <a
href="https://github.com/depot/setup-action/compare/b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5...15c09a5f77a0840ad4bce955686522a257853461">compare
view</a></li>
</ul>
</details>
<br />

Updates `depot/build-push-action` from 1.16.2 to 1.17.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/depot/build-push-action/releases">depot/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v1.17.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore: update node to v24 (<a
href="https://redirect.github.com/depot/build-push-action/issues/46">#46</a>)
<a
href="https://github.com/WitoDelnat"><code>@​WitoDelnat</code></a></li>
<li>Fix typo (<a
href="https://redirect.github.com/depot/build-push-action/issues/45">#45</a>)
<a href="https://github.com/gavrie"><code>@​gavrie</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/depot/build-push-action/commit/5f3b3c2e5a00f0093de47f657aeaefcedff27d18"><code>5f3b3c2</code></a>
Merge pull request <a
href="https://redirect.github.com/depot/build-push-action/issues/46">#46</a>
from depot/wito/dep-2955-update-our-actions-to-use-nod...</li>
<li><a
href="https://github.com/depot/build-push-action/commit/1c8a5de5bf842e36234a9f65b76b66173541193f"><code>1c8a5de</code></a>
chore: update actions dependency</li>
<li><a
href="https://github.com/depot/build-push-action/commit/88deb2d202089ac6bada8368187086a1d5cb6daa"><code>88deb2d</code></a>
chore: update node to v24</li>
<li><a
href="https://github.com/depot/build-push-action/commit/eb4edcff909a80720d31732b633e4691b0c7cf02"><code>eb4edcf</code></a>
Merge pull request <a
href="https://redirect.github.com/depot/build-push-action/issues/45">#45</a>
from gavrie/fix-typo</li>
<li><a
href="https://github.com/depot/build-push-action/commit/b7a09de6c74816aaa562b09c2d4082c63c68629a"><code>b7a09de</code></a>
Fix typo</li>
<li>See full diff in <a
href="https://github.com/depot/build-push-action/compare/9785b135c3c76c33db102e45be96a25ab55cd507...5f3b3c2e5a00f0093de47f657aeaefcedff27d18">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-16 13:24:16 +00:00

529 lines
20 KiB
YAML
Raw Blame History

# This action will trigger when
# 1. when the workflow is manually triggered
# 2. ./scripts/deploy_pr.sh is run locally
# 3. when a PR is updated
name: Deploy PR
on:
push:
branches-ignore:
- main
- "temp-cherry-pick-*"
workflow_dispatch:
inputs:
experiments:
description: "Experiments to enable"
required: false
type: string
default: "*"
build:
description: "Force new build"
required: false
type: boolean
default: false
deploy:
description: "Force new deployment"
required: false
type: boolean
default: false
env:
REPO: ghcr.io/coder/coder-preview
permissions:
contents: read
jobs:
check_pr:
runs-on: ubuntu-latest
outputs:
PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check if PR is open
id: check_pr
run: |
set -euo pipefail
pr_open=true
if [[ "$(gh pr view --json state | jq -r '.state')" != "OPEN" ]]; then
echo "PR doesn't exist or is closed."
pr_open=false
fi
echo "pr_open=$pr_open" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
get_info:
needs: check_pr
if: ${{ needs.check_pr.outputs.PR_OPEN == 'true' }}
outputs:
PR_NUMBER: ${{ steps.pr_info.outputs.PR_NUMBER }}
PR_TITLE: ${{ steps.pr_info.outputs.PR_TITLE }}
PR_URL: ${{ steps.pr_info.outputs.PR_URL }}
CODER_BASE_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_BASE_IMAGE_TAG }}
CODER_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_IMAGE_TAG }}
NEW: ${{ steps.check_deployment.outputs.NEW }}
BUILD: ${{ steps.build_conditionals.outputs.first_or_force_build == 'true' || steps.build_conditionals.outputs.automatic_rebuild == 'true' }}
runs-on: "ubuntu-latest"
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Get PR number, title, and branch name
id: pr_info
run: |
set -euo pipefail
PR_NUMBER=$(gh pr view --json number | jq -r '.number')
PR_TITLE=$(gh pr view --json title | jq -r '.title')
PR_URL=$(gh pr view --json url | jq -r '.url')
{
echo "PR_URL=$PR_URL"
echo "PR_NUMBER=$PR_NUMBER"
echo "PR_TITLE=$PR_TITLE"
} >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set required tags
id: set_tags
run: |
set -euo pipefail
echo "CODER_BASE_IMAGE_TAG=$CODER_BASE_IMAGE_TAG" >> "$GITHUB_OUTPUT"
echo "CODER_IMAGE_TAG=$CODER_IMAGE_TAG" >> "$GITHUB_OUTPUT"
env:
CODER_BASE_IMAGE_TAG: ghcr.io/coder/coder-preview-base:pr${{ steps.pr_info.outputs.PR_NUMBER }}
CODER_IMAGE_TAG: ghcr.io/coder/coder-preview:pr${{ steps.pr_info.outputs.PR_NUMBER }}
- name: Set up kubeconfig
run: |
set -euo pipefail
mkdir -p ~/.kube
echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
chmod 600 ~/.kube/config
export KUBECONFIG=~/.kube/config
- name: Check if the helm deployment already exists
id: check_deployment
run: |
set -euo pipefail
if helm status "pr${PR_NUMBER}" --namespace "pr${PR_NUMBER}" > /dev/null 2>&1; then
echo "Deployment already exists. Skipping deployment."
NEW=false
else
echo "Deployment doesn't exist."
NEW=true
fi
echo "NEW=$NEW" >> "$GITHUB_OUTPUT"
env:
PR_NUMBER: ${{ steps.pr_info.outputs.PR_NUMBER }}
- name: Check changed files
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
base: ${{ github.ref }}
filters: |
all:
- "**"
ignored:
- "docs/**"
- "README.md"
- "examples/web-server/**"
- "examples/monitoring/**"
- "examples/lima/**"
- ".github/**"
- "offlinedocs/**"
- ".devcontainer/**"
- "helm/**"
- "*[^g][^o][^.][^s][^u][^m]*"
- "*[^g][^o][^.][^m][^o][^d]*"
- "*[^M][^a][^k][^e][^f][^i][^l][^e]*"
- "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e]*"
- "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e][.][b][^a][^s][^e]*"
- name: Print number of changed files
run: |
set -euo pipefail
echo "Total number of changed files: ${ALL_COUNT}"
echo "Number of ignored files: ${IGNORED_COUNT}"
env:
ALL_COUNT: ${{ steps.filter.outputs.all_count }}
IGNORED_COUNT: ${{ steps.filter.outputs.ignored_count }}
- name: Build conditionals
id: build_conditionals
run: |
set -euo pipefail
# build if the workflow is manually triggered and the deployment doesn't exist (first build or force rebuild)
echo "first_or_force_build=${{ (github.event_name == 'workflow_dispatch' && steps.check_deployment.outputs.NEW == 'true') || github.event.inputs.build == 'true' }}" >> "$GITHUB_OUTPUT"
# build if the deployment already exist and there are changes in the files that we care about (automatic updates)
echo "automatic_rebuild=${{ steps.check_deployment.outputs.NEW == 'false' && steps.filter.outputs.all_count > steps.filter.outputs.ignored_count }}" >> "$GITHUB_OUTPUT"
comment-pr:
needs: get_info
if: needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
runs-on: "ubuntu-latest"
permissions:
pull-requests: write # needed for commenting on PRs
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Find Comment
uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
id: fc
with:
issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
comment-author: "github-actions[bot]"
body-includes: ":rocket:"
direction: last
- name: Comment on PR
id: comment_id
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
edit-mode: replace
body: |
---
:rocket: Deploying PR ${{ needs.get_info.outputs.PR_NUMBER }} ...
---
reactions: eyes
reactions-edit-mode: replace
build:
needs: get_info
# Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag
if: needs.get_info.outputs.BUILD == 'true'
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
permissions:
# Necessary to push docker images to ghcr.io.
packages: write
# This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs changes.
concurrency:
group: build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}
cancel-in-progress: true
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: GHCR Login
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Linux amd64 Docker image
run: |
set -euo pipefail
go mod download
make gen/mark-fresh
export DOCKER_IMAGE_NO_PREREQUISITES=true
version="$(./scripts/version.sh)"
CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
export CODER_IMAGE_BUILD_BASE_TAG
make -j build/coder_linux_amd64
./scripts/build_docker.sh \
--arch amd64 \
--target "${CODER_IMAGE_TAG}" \
--version "$version" \
--push \
build/coder_linux_amd64
deploy:
needs: [build, get_info]
# Run deploy job only if build job was successful or skipped
if: |
always() && (needs.build.result == 'success' || needs.build.result == 'skipped') &&
(needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true')
runs-on: "ubuntu-latest"
permissions:
pull-requests: write # needed for commenting on PRs
env:
CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
PR_NUMBER: ${{ needs.get_info.outputs.PR_NUMBER }}
PR_TITLE: ${{ needs.get_info.outputs.PR_TITLE }}
PR_URL: ${{ needs.get_info.outputs.PR_URL }}
PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Set up kubeconfig
run: |
set -euo pipefail
mkdir -p ~/.kube
echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
chmod 600 ~/.kube/config
export KUBECONFIG=~/.kube/config
- name: Check if image exists
run: |
set -euo pipefail
foundTag=$(
gh api /orgs/coder/packages/container/coder-preview/versions |
jq -r --arg tag "pr${PR_NUMBER}" '.[] |
select(.metadata.container.tags == [$tag]) |
.metadata.container.tags[0]'
)
if [ -z "$foundTag" ]; then
echo "Image not found"
echo "${CODER_IMAGE_TAG} not found in ghcr.io/coder/coder-preview"
exit 1
else
echo "Image found"
echo "$foundTag tag found in ghcr.io/coder/coder-preview"
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Add DNS record to Cloudflare
if: needs.get_info.outputs.NEW == 'true'
run: |
curl -X POST "https://api.cloudflare.com/client/v4/zones/${{ secrets.PR_DEPLOYMENTS_ZONE_ID }}/dns_records" \
-H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
-H "Content-Type:application/json" \
--data '{"type":"CNAME","name":"*.'"${PR_HOSTNAME}"'","content":"'"${PR_HOSTNAME}"'","ttl":1,"proxied":false}'
- name: Create PR namespace
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
# try to delete the namespace, but don't fail if it doesn't exist
kubectl delete namespace "pr${PR_NUMBER}" || true
kubectl create namespace "pr${PR_NUMBER}"
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check and Create Certificate
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
# Using kubectl to check if a Certificate resource already exists
# we are doing this to avoid letsenrypt rate limits
if ! kubectl get certificate "pr${PR_NUMBER}-tls" -n pr-deployment-certs > /dev/null 2>&1; then
echo "Certificate doesn't exist. Creating a new one."
envsubst < ./.github/pr-deployments/certificate.yaml | kubectl apply -f -
else
echo "Certificate exists. Skipping certificate creation."
fi
echo "Copy certificate from pr-deployment-certs to pr${PR_NUMBER} namespace"
until kubectl get secret "pr${PR_NUMBER}-tls" -n pr-deployment-certs &> /dev/null
do
echo "Waiting for secret pr${PR_NUMBER}-tls to be created..."
sleep 5
done
(
kubectl get secret "pr${PR_NUMBER}-tls" -n pr-deployment-certs -o json |
jq 'del(.metadata.namespace,.metadata.creationTimestamp,.metadata.resourceVersion,.metadata.selfLink,.metadata.uid,.metadata.managedFields)' |
kubectl -n "pr${PR_NUMBER}" apply -f -
)
- name: Set up PostgreSQL database
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install coder-db bitnami/postgresql \
--namespace "pr${PR_NUMBER}" \
--set image.repository=bitnamilegacy/postgresql \
--set auth.username=coder \
--set auth.password=coder \
--set auth.database=coder \
--set persistence.size=10Gi
kubectl create secret generic coder-db-url -n "pr${PR_NUMBER}" \
--from-literal=url="postgres://coder:coder@coder-db-postgresql.pr${PR_NUMBER}.svc.cluster.local:5432/coder?sslmode=disable"
- name: Create a service account, role, and rolebinding for the PR namespace
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
# Create service account, role, rolebinding
envsubst < ./.github/pr-deployments/rbac.yaml | kubectl apply -f -
- name: Create values.yaml
env:
EXPERIMENTS: ${{ github.event.inputs.experiments }}
PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}
PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}
run: |
set -euo pipefail
envsubst < ./.github/pr-deployments/values.yaml > ./pr-deploy-values.yaml
- name: Install/Upgrade Helm chart
run: |
set -euo pipefail
helm dependency update --skip-refresh ./helm/coder
helm upgrade --install "pr${PR_NUMBER}" ./helm/coder \
--namespace "pr${PR_NUMBER}" \
--values ./pr-deploy-values.yaml \
--force
- name: Install coder-logstream-kube
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
helm upgrade --install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
--namespace "pr${PR_NUMBER}" \
--set url="https://${PR_HOSTNAME}"
- name: Get Coder binary
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
DEST="${HOME}/coder"
URL="https://${PR_HOSTNAME}/bin/coder-linux-amd64"
mkdir -p "$(dirname "$DEST")"
COUNT=0
until curl --output /dev/null --silent --head --fail "$URL"; do
printf '.'
sleep 5
COUNT=$((COUNT+1))
if [ "$COUNT" -ge 60 ]; then
echo "Timed out waiting for URL to be available"
exit 1
fi
done
curl -fsSL "$URL" -o "${DEST}"
chmod +x "${DEST}"
"${DEST}" version
sudo mv "${DEST}" /usr/local/bin/coder
- name: Create first user
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
id: setup_deployment
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
# create a masked random password 12 characters long
password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)
# add mask so that the password is not printed to the logs
echo "::add-mask::$password"
echo "password=$password" >> "$GITHUB_OUTPUT"
coder login \
--first-user-username "pr${PR_NUMBER}-admin" \
--first-user-email "pr${PR_NUMBER}@coder.com" \
--first-user-password "$password" \
--first-user-trial=false \
--use-token-as-session \
"https://${PR_HOSTNAME}"
# Create a user for the github.actor
# TODO: update once https://github.com/coder/coder/issues/15466 is resolved
# coder users create \
# --username ${GITHUB_ACTOR} \
# --login-type github
# promote the user to admin role
# coder org members edit-role ${GITHUB_ACTOR} organization-admin
# TODO: update once https://github.com/coder/internal/issues/207 is resolved
- name: Send Slack notification
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
-d \
'{
"pr_number": "'"${PR_NUMBER}"'",
"pr_url": "'"${PR_URL}"'",
"pr_title": "'"${PR_TITLE}"'",
"pr_access_url": "'"https://${PR_HOSTNAME}"'",
"pr_username": "'"pr${PR_NUMBER}-admin"'",
"pr_email": "'"pr${PR_NUMBER}@coder.com"'",
"pr_password": "'"${PASSWORD}"'",
"pr_actor": "'"${GITHUB_ACTOR}"'"
}' \
${{ secrets.PR_DEPLOYMENTS_SLACK_WEBHOOK }}
echo "Slack notification sent"
env:
PASSWORD: ${{ steps.setup_deployment.outputs.password }}
- name: Find Comment
uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
id: fc
with:
issue-number: ${{ env.PR_NUMBER }}
comment-author: "github-actions[bot]"
body-includes: ":rocket:"
direction: last
- name: Comment on PR
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
env:
STATUS: ${{ needs.get_info.outputs.NEW == 'true' && 'Created' || 'Updated' }}
with:
issue-number: ${{ env.PR_NUMBER }}
edit-mode: replace
comment-id: ${{ steps.fc.outputs.comment-id }}
body: |
---
:heavy_check_mark: PR ${{ env.PR_NUMBER }} ${{ env.STATUS }} successfully.
:rocket: Access the credentials [here](${{ secrets.PR_DEPLOYMENTS_SLACK_CHANNEL_URL }}).
---
cc: @${{ github.actor }}
reactions: rocket
reactions-edit-mode: replace
- name: Create template and workspace
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
cd .github/pr-deployments/template
coder templates push -y --variable "namespace=pr${PR_NUMBER}" kubernetes
# Create workspace
coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
coder stop kube -y
Reference in New Issue View Git Blame Copy Permalink