shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-03 13:08:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0a3afeddc8a077dd90b472b04dcafe4ca1cd54eb
coder/.github/workflows/pr-deploy.yaml
T
dependabot[bot] 6b141d76de ci: bump the github-actions group with 6 updates (#18938) 
Bumps the github-actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
|
[step-security/harden-runner](https://github.com/step-security/harden-runner)
| `2.12.2` | `2.13.0` |
|
[google-github-actions/auth](https://github.com/google-github-actions/auth)
| `2.1.10` | `2.1.11` |
|
[google-github-actions/setup-gcloud](https://github.com/google-github-actions/setup-gcloud)
| `2.1.4` | `2.1.5` |
|
[google-github-actions/get-gke-credentials](https://github.com/google-github-actions/get-gke-credentials)
| `2.3.3` | `2.3.4` |
| [github/codeql-action](https://github.com/github/codeql-action) |
`3.29.2` | `3.29.3` |
|
[umbrelladocs/action-linkspector](https://github.com/umbrelladocs/action-linkspector)
| `1.3.6` | `1.3.7` |

Updates `step-security/harden-runner` from 2.12.2 to 2.13.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's
releases</a>.</em></p>
<blockquote>
<h2>v2.13.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Improved job markdown summary</li>
<li>Https monitoring for all domains (included with the enterprise
tier)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/step-security/harden-runner/compare/v2...v2.13.0">https://github.com/step-security/harden-runner/compare/v2...v2.13.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/step-security/harden-runner/commit/ec9f2d5744a09debf3a187a3f4f675c53b671911"><code>ec9f2d5</code></a>
Merge pull request <a
href="https://redirect.github.com/step-security/harden-runner/issues/565">#565</a>
from step-security/rc-24</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/04bcbc31cfcefe0cf4720832008735021cec5ec4"><code>04bcbc3</code></a>
update agent</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/7c7a56fcaa124ab72fff1cc3e81257f264fd7317"><code>7c7a56f</code></a>
feat: get job summary from API</li>
<li>See full diff in <a
href="https://github.com/step-security/harden-runner/compare/6c439dc8bdf85cadbbce9ed30d1c7b959517bc49...ec9f2d5744a09debf3a187a3f4f675c53b671911">compare
view</a></li>
</ul>
</details>
<br />

Updates `google-github-actions/auth` from 2.1.10 to 2.1.11
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google-github-actions/auth/releases">google-github-actions/auth's
releases</a>.</em></p>
<blockquote>
<h2>v2.1.11</h2>
<h2>What's Changed</h2>
<ul>
<li>Update troubleshooting docs for Python by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/auth/pull/488">google-github-actions/auth#488</a></li>
<li>Add linters by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/auth/pull/499">google-github-actions/auth#499</a></li>
<li>Update deps by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/auth/pull/500">google-github-actions/auth#500</a></li>
<li>Release: v2.1.11 by <a
href="https://github.com/google-github-actions-bot"><code>@​google-github-actions-bot</code></a>
in <a
href="https://redirect.github.com/google-github-actions/auth/pull/501">google-github-actions/auth#501</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/google-github-actions/auth/compare/v2.1.10...v2.1.11">https://github.com/google-github-actions/auth/compare/v2.1.10...v2.1.11</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google-github-actions/auth/commit/140bb5113ffb6b65a7e9b937a81fa96cf5064462"><code>140bb51</code></a>
Release: v2.1.11 (<a
href="https://redirect.github.com/google-github-actions/auth/issues/501">#501</a>)</li>
<li><a
href="https://github.com/google-github-actions/auth/commit/ab3132e2ad698521ee1355566103fa838732e48c"><code>ab3132e</code></a>
Update deps (<a
href="https://redirect.github.com/google-github-actions/auth/issues/500">#500</a>)</li>
<li><a
href="https://github.com/google-github-actions/auth/commit/25b96bac992fdf64486c6fd3fd3d9c4cddb3a812"><code>25b96ba</code></a>
Add linters (<a
href="https://redirect.github.com/google-github-actions/auth/issues/499">#499</a>)</li>
<li><a
href="https://github.com/google-github-actions/auth/commit/0920706a19e9d22c3d0da43d1db5939c6ad837a8"><code>0920706</code></a>
Update troubleshooting docs for Python (<a
href="https://redirect.github.com/google-github-actions/auth/issues/488">#488</a>)</li>
<li>See full diff in <a
href="https://github.com/google-github-actions/auth/compare/ba79af03959ebeac9769e648f473a284504d9193...140bb5113ffb6b65a7e9b937a81fa96cf5064462">compare
view</a></li>
</ul>
</details>
<br />

Updates `google-github-actions/setup-gcloud` from 2.1.4 to 2.1.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google-github-actions/setup-gcloud/releases">google-github-actions/setup-gcloud's
releases</a>.</em></p>
<blockquote>
<h2>v2.1.5</h2>
<h2>What's Changed</h2>
<ul>
<li>security: bump undici from 5.28.5 to 5.29.0 in the npm_and_yarn
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/google-github-actions/setup-gcloud/pull/711">google-github-actions/setup-gcloud#711</a></li>
<li>Update linters by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/setup-gcloud/pull/715">google-github-actions/setup-gcloud#715</a></li>
<li>Update deps by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/setup-gcloud/pull/716">google-github-actions/setup-gcloud#716</a></li>
<li>Release: v2.1.5 by <a
href="https://github.com/google-github-actions-bot"><code>@​google-github-actions-bot</code></a>
in <a
href="https://redirect.github.com/google-github-actions/setup-gcloud/pull/717">google-github-actions/setup-gcloud#717</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/google-github-actions/setup-gcloud/compare/v2.1.4...v2.1.5">https://github.com/google-github-actions/setup-gcloud/compare/v2.1.4...v2.1.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google-github-actions/setup-gcloud/commit/6a7c903a70c8625ed6700fa299f5ddb4ca6022e9"><code>6a7c903</code></a>
Release: v2.1.5 (<a
href="https://redirect.github.com/google-github-actions/setup-gcloud/issues/717">#717</a>)</li>
<li><a
href="https://github.com/google-github-actions/setup-gcloud/commit/e838bc6edfe3907980c74d5aad506fd6e173b0d6"><code>e838bc6</code></a>
Update deps (<a
href="https://redirect.github.com/google-github-actions/setup-gcloud/issues/716">#716</a>)</li>
<li><a
href="https://github.com/google-github-actions/setup-gcloud/commit/98d8f78fcc2354c736499a506ad9e7be3f4c2640"><code>98d8f78</code></a>
Update linters (<a
href="https://redirect.github.com/google-github-actions/setup-gcloud/issues/715">#715</a>)</li>
<li><a
href="https://github.com/google-github-actions/setup-gcloud/commit/a8b58010a5b2a061afd605f50e88629c9ec7536b"><code>a8b5801</code></a>
security: bump undici from 5.28.5 to 5.29.0 in the npm_and_yarn group
(<a
href="https://redirect.github.com/google-github-actions/setup-gcloud/issues/711">#711</a>)</li>
<li>See full diff in <a
href="https://github.com/google-github-actions/setup-gcloud/compare/77e7a554d41e2ee56fc945c52dfd3f33d12def9a...6a7c903a70c8625ed6700fa299f5ddb4ca6022e9">compare
view</a></li>
</ul>
</details>
<br />

Updates `google-github-actions/get-gke-credentials` from 2.3.3 to 2.3.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google-github-actions/get-gke-credentials/releases">google-github-actions/get-gke-credentials's
releases</a>.</em></p>
<blockquote>
<h2>v2.3.4</h2>
<h2>What's Changed</h2>
<ul>
<li>security: bump undici from 5.28.5 to 5.29.0 in the npm_and_yarn
group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/pull/333">google-github-actions/get-gke-credentials#333</a></li>
<li>Update linters by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/pull/334">google-github-actions/get-gke-credentials#334</a></li>
<li>Update deps by <a
href="https://github.com/sethvargo"><code>@​sethvargo</code></a> in <a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/pull/335">google-github-actions/get-gke-credentials#335</a></li>
<li>Release: v2.3.4 by <a
href="https://github.com/google-github-actions-bot"><code>@​google-github-actions-bot</code></a>
in <a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/pull/336">google-github-actions/get-gke-credentials#336</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/google-github-actions/get-gke-credentials/compare/v2.3.3...v2.3.4">https://github.com/google-github-actions/get-gke-credentials/compare/v2.3.3...v2.3.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google-github-actions/get-gke-credentials/commit/8e574c49425fa7efed1e74650a449bfa6a23308a"><code>8e574c4</code></a>
Release: v2.3.4 (<a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/issues/336">#336</a>)</li>
<li><a
href="https://github.com/google-github-actions/get-gke-credentials/commit/820551c1d9b3734a98590d5020e3a479a3600019"><code>820551c</code></a>
Update deps (<a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/issues/335">#335</a>)</li>
<li><a
href="https://github.com/google-github-actions/get-gke-credentials/commit/503071673e50fd4fe5973d69174dc780288d61e9"><code>5030716</code></a>
Update linters (<a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/issues/334">#334</a>)</li>
<li><a
href="https://github.com/google-github-actions/get-gke-credentials/commit/36f99de330d5a168c801b87721b96719a0a9ada0"><code>36f99de</code></a>
security: bump undici from 5.28.5 to 5.29.0 in the npm_and_yarn group
(<a
href="https://redirect.github.com/google-github-actions/get-gke-credentials/issues/333">#333</a>)</li>
<li>See full diff in <a
href="https://github.com/google-github-actions/get-gke-credentials/compare/d0cee45012069b163a631894b98904a9e6723729...8e574c49425fa7efed1e74650a449bfa6a23308a">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action` from 3.29.2 to 3.29.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.29.3</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.29.3 - 21 Jul 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.29.3/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.29.3 - 21 Jul 2025</h2>
<p>No user facing changes.</p>
<h2>3.29.2 - 30 Jun 2025</h2>
<ul>
<li>Experimental: When the <code>quality-queries</code> input for the
<code>init</code> action is provided with an argument, separate
<code>.quality.sarif</code> files are produced and uploaded for each
language with the results of the specified queries. Do not use this in
production as it is part of an internal experiment and subject to change
at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/2935">#2935</a></li>
</ul>
<h2>3.29.1 - 27 Jun 2025</h2>
<ul>
<li>Fix bug in PR analysis where user-provided <code>include</code>
query filter fails to exclude non-included queries. <a
href="https://redirect.github.com/github/codeql-action/pull/2938">#2938</a></li>
<li>Update default CodeQL bundle version to 2.22.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2950">#2950</a></li>
</ul>
<h2>3.29.0 - 11 Jun 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.22.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2925">#2925</a></li>
<li>Bump minimum CodeQL bundle version to 2.16.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2912">#2912</a></li>
</ul>
<h2>3.28.20 - 21 July 2025</h2>
<ul>
<li>Remove support for combining SARIF files from a single upload for
GHES 3.18, see <a
href="https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload/">the
changelog post</a>. <a
href="https://redirect.github.com/github/codeql-action/pull/2959">#2959</a></li>
</ul>
<h2>3.28.19 - 03 Jun 2025</h2>
<ul>
<li>The CodeQL Action no longer includes its own copy of the extractor
for the <code>actions</code> language, which is currently in public
preview.
The <code>actions</code> extractor has been included in the CodeQL CLI
since v2.20.6. If your workflow has enabled the <code>actions</code>
language <em>and</em> you have pinned
your <code>tools:</code> property to a specific version of the CodeQL
CLI earlier than v2.20.6, you will need to update to at least CodeQL
v2.20.6 or disable
<code>actions</code> analysis.</li>
<li>Update default CodeQL bundle version to 2.21.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2910">#2910</a></li>
</ul>
<h2>3.28.18 - 16 May 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2893">#2893</a></li>
<li>Skip validating SARIF produced by CodeQL for improved performance.
<a
href="https://redirect.github.com/github/codeql-action/pull/2894">#2894</a></li>
<li>The number of threads and amount of RAM used by CodeQL can now be
set via the <code>CODEQL_THREADS</code> and <code>CODEQL_RAM</code>
runner environment variables. If set, these environment variables
override the <code>threads</code> and <code>ram</code> inputs
respectively. <a
href="https://redirect.github.com/github/codeql-action/pull/2891">#2891</a></li>
</ul>
<h2>3.28.17 - 02 May 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2872">#2872</a></li>
</ul>
<h2>3.28.16 - 23 Apr 2025</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/d6bbdef45e766d081b84a2def353b0055f728d3e"><code>d6bbdef</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2977">#2977</a>
from github/update-v3.29.3-7710ed11e</li>
<li><a
href="https://github.com/github/codeql-action/commit/210cc9bfa2103f4b7c4701ee383183b944c62578"><code>210cc9b</code></a>
Update changelog for v3.29.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/7710ed11e398ea99c7f7004c2b2e0f580458db42"><code>7710ed1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2970">#2970</a>
from github/cklin/diff-informed-feature-enable</li>
<li><a
href="https://github.com/github/codeql-action/commit/6a49a8cbce6ecbd74ea251a48dbc84e64ce3be4d"><code>6a49a8c</code></a>
build: refresh js files</li>
<li><a
href="https://github.com/github/codeql-action/commit/3aef4108d1730e17b6fd24f8b9c49d8fcc87d46d"><code>3aef410</code></a>
Add diff-informed-analysis-utils.test.ts</li>
<li><a
href="https://github.com/github/codeql-action/commit/614b64c6ec97a4ad54f7c99c5becbf593144dbfb"><code>614b64c</code></a>
Diff-informed analysis: disable for GHES below 3.19</li>
<li><a
href="https://github.com/github/codeql-action/commit/aefb854fe5563f4650638224c839c6e9b33c25b5"><code>aefb854</code></a>
Feature.DiffInformedQueries: default to true</li>
<li><a
href="https://github.com/github/codeql-action/commit/03a2a17e75d20e4ff461b43f161fb2b52165f632"><code>03a2a17</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2967">#2967</a>
from github/cklin/overlay-feature-flags</li>
<li><a
href="https://github.com/github/codeql-action/commit/07455ed3c36f739ad76d1c4e55f8b49550f74344"><code>07455ed</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2972">#2972</a>
from github/koesie10/ghes-satisfies</li>
<li><a
href="https://github.com/github/codeql-action/commit/3fb562ddcce3ca92b83ea1bb7abaa579a1ab882d"><code>3fb562d</code></a>
build: refresh js files</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/181d5eefc20863364f96762470ba6f862bdef56b...d6bbdef45e766d081b84a2def353b0055f728d3e">compare
view</a></li>
</ul>
</details>
<br />

Updates `umbrelladocs/action-linkspector` from 1.3.6 to 1.3.7
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/umbrelladocs/action-linkspector/releases">umbrelladocs/action-linkspector's
releases</a>.</em></p>
<blockquote>
<h2>Release v1.3.7</h2>
<p>v1.3.7: PR <a
href="https://redirect.github.com/umbrelladocs/action-linkspector/issues/47">#47</a>
- Update linkspector version to 0.4.7</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/UmbrellaDocs/action-linkspector/commit/874d01cae9fd488e3077b08952093235bd626977"><code>874d01c</code></a>
Merge pull request <a
href="https://redirect.github.com/umbrelladocs/action-linkspector/issues/47">#47</a>
from UmbrellaDocs/update-linkspector-version</li>
<li><a
href="https://github.com/UmbrellaDocs/action-linkspector/commit/bfc5bc55f5a8fc268165639b78b3ce6ae64915ad"><code>bfc5bc5</code></a>
Update linkspector version to 0.4.7</li>
<li>See full diff in <a
href="https://github.com/umbrelladocs/action-linkspector/compare/3a951c1f0dca72300c2320d0eb39c2bafe429ab1...874d01cae9fd488e3077b08952093235bd626977">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-21 13:21:37 +00:00

512 lines
20 KiB
YAML
Raw Blame History

# This action will trigger when
# 1. when the workflow is manually triggered
# 2. ./scripts/deploy_pr.sh is run locally
# 3. when a PR is updated
name: Deploy PR
on:
push:
branches-ignore:
- main
- "temp-cherry-pick-*"
workflow_dispatch:
inputs:
experiments:
description: "Experiments to enable"
required: false
type: string
default: "*"
build:
description: "Force new build"
required: false
type: boolean
default: false
deploy:
description: "Force new deployment"
required: false
type: boolean
default: false
env:
REPO: ghcr.io/coder/coder-preview
permissions:
contents: read
jobs:
check_pr:
runs-on: ubuntu-latest
outputs:
PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check if PR is open
id: check_pr
run: |
set -euo pipefail
pr_open=true
if [[ "$(gh pr view --json state | jq -r '.state')" != "OPEN" ]]; then
echo "PR doesn't exist or is closed."
pr_open=false
fi
echo "pr_open=$pr_open" >> $GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
get_info:
needs: check_pr
if: ${{ needs.check_pr.outputs.PR_OPEN == 'true' }}
outputs:
PR_NUMBER: ${{ steps.pr_info.outputs.PR_NUMBER }}
PR_TITLE: ${{ steps.pr_info.outputs.PR_TITLE }}
PR_URL: ${{ steps.pr_info.outputs.PR_URL }}
CODER_BASE_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_BASE_IMAGE_TAG }}
CODER_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_IMAGE_TAG }}
NEW: ${{ steps.check_deployment.outputs.NEW }}
BUILD: ${{ steps.build_conditionals.outputs.first_or_force_build == 'true' || steps.build_conditionals.outputs.automatic_rebuild == 'true' }}
runs-on: "ubuntu-latest"
steps:
- name: Harden Runner
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Get PR number, title, and branch name
id: pr_info
run: |
set -euo pipefail
PR_NUMBER=$(gh pr view --json number | jq -r '.number')
PR_TITLE=$(gh pr view --json title | jq -r '.title')
PR_URL=$(gh pr view --json url | jq -r '.url')
echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
echo "PR_TITLE=$PR_TITLE" >> $GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set required tags
id: set_tags
run: |
set -euo pipefail
echo "CODER_BASE_IMAGE_TAG=$CODER_BASE_IMAGE_TAG" >> $GITHUB_OUTPUT
echo "CODER_IMAGE_TAG=$CODER_IMAGE_TAG" >> $GITHUB_OUTPUT
env:
CODER_BASE_IMAGE_TAG: ghcr.io/coder/coder-preview-base:pr${{ steps.pr_info.outputs.PR_NUMBER }}
CODER_IMAGE_TAG: ghcr.io/coder/coder-preview:pr${{ steps.pr_info.outputs.PR_NUMBER }}
- name: Set up kubeconfig
run: |
set -euo pipefail
mkdir -p ~/.kube
echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
chmod 600 ~/.kube/config
export KUBECONFIG=~/.kube/config
- name: Check if the helm deployment already exists
id: check_deployment
run: |
set -euo pipefail
if helm status "pr${{ steps.pr_info.outputs.PR_NUMBER }}" --namespace "pr${{ steps.pr_info.outputs.PR_NUMBER }}" > /dev/null 2>&1; then
echo "Deployment already exists. Skipping deployment."
NEW=false
else
echo "Deployment doesn't exist."
NEW=true
fi
echo "NEW=$NEW" >> $GITHUB_OUTPUT
- name: Check changed files
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
base: ${{ github.ref }}
filters: |
all:
- "**"
ignored:
- "docs/**"
- "README.md"
- "examples/web-server/**"
- "examples/monitoring/**"
- "examples/lima/**"
- ".github/**"
- "offlinedocs/**"
- ".devcontainer/**"
- "helm/**"
- "*[^g][^o][^.][^s][^u][^m]*"
- "*[^g][^o][^.][^m][^o][^d]*"
- "*[^M][^a][^k][^e][^f][^i][^l][^e]*"
- "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e]*"
- "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e][.][b][^a][^s][^e]*"
- name: Print number of changed files
run: |
set -euo pipefail
echo "Total number of changed files: ${{ steps.filter.outputs.all_count }}"
echo "Number of ignored files: ${{ steps.filter.outputs.ignored_count }}"
- name: Build conditionals
id: build_conditionals
run: |
set -euo pipefail
# build if the workflow is manually triggered and the deployment doesn't exist (first build or force rebuild)
echo "first_or_force_build=${{ (github.event_name == 'workflow_dispatch' && steps.check_deployment.outputs.NEW == 'true') || github.event.inputs.build == 'true' }}" >> $GITHUB_OUTPUT
# build if the deployment already exist and there are changes in the files that we care about (automatic updates)
echo "automatic_rebuild=${{ steps.check_deployment.outputs.NEW == 'false' && steps.filter.outputs.all_count > steps.filter.outputs.ignored_count }}" >> $GITHUB_OUTPUT
comment-pr:
needs: get_info
if: needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
runs-on: "ubuntu-latest"
permissions:
pull-requests: write # needed for commenting on PRs
steps:
- name: Harden Runner
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Find Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc
with:
issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
comment-author: "github-actions[bot]"
body-includes: ":rocket:"
direction: last
- name: Comment on PR
id: comment_id
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
edit-mode: replace
body: |
---
:rocket: Deploying PR ${{ needs.get_info.outputs.PR_NUMBER }} ...
---
reactions: eyes
reactions-edit-mode: replace
build:
needs: get_info
# Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag
if: needs.get_info.outputs.BUILD == 'true'
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
permissions:
# Necessary to push docker images to ghcr.io.
packages: write
# This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs changes.
concurrency:
group: build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}
cancel-in-progress: true
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Setup Node
uses: ./.github/actions/setup-node
- name: Setup Go
uses: ./.github/actions/setup-go
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: GHCR Login
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Linux amd64 Docker image
run: |
set -euo pipefail
go mod download
make gen/mark-fresh
export DOCKER_IMAGE_NO_PREREQUISITES=true
version="$(./scripts/version.sh)"
export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
make -j build/coder_linux_amd64
./scripts/build_docker.sh \
--arch amd64 \
--target ${{ env.CODER_IMAGE_TAG }} \
--version $version \
--push \
build/coder_linux_amd64
deploy:
needs: [build, get_info]
# Run deploy job only if build job was successful or skipped
if: |
always() && (needs.build.result == 'success' || needs.build.result == 'skipped') &&
(needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true')
runs-on: "ubuntu-latest"
permissions:
pull-requests: write # needed for commenting on PRs
env:
CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
PR_NUMBER: ${{ needs.get_info.outputs.PR_NUMBER }}
PR_TITLE: ${{ needs.get_info.outputs.PR_TITLE }}
PR_URL: ${{ needs.get_info.outputs.PR_URL }}
PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
steps:
- name: Harden Runner
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- name: Set up kubeconfig
run: |
set -euo pipefail
mkdir -p ~/.kube
echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
chmod 600 ~/.kube/config
export KUBECONFIG=~/.kube/config
- name: Check if image exists
run: |
set -euo pipefail
foundTag=$(
gh api /orgs/coder/packages/container/coder-preview/versions |
jq -r --arg tag "pr${{ env.PR_NUMBER }}" '.[] |
select(.metadata.container.tags == [$tag]) |
.metadata.container.tags[0]'
)
if [ -z "$foundTag" ]; then
echo "Image not found"
echo "${{ env.CODER_IMAGE_TAG }} not found in ghcr.io/coder/coder-preview"
exit 1
else
echo "Image found"
echo "$foundTag tag found in ghcr.io/coder/coder-preview"
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Add DNS record to Cloudflare
if: needs.get_info.outputs.NEW == 'true'
run: |
curl -X POST "https://api.cloudflare.com/client/v4/zones/${{ secrets.PR_DEPLOYMENTS_ZONE_ID }}/dns_records" \
-H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
-H "Content-Type:application/json" \
--data '{"type":"CNAME","name":"*.${{ env.PR_HOSTNAME }}","content":"${{ env.PR_HOSTNAME }}","ttl":1,"proxied":false}'
- name: Create PR namespace
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
# try to delete the namespace, but don't fail if it doesn't exist
kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
kubectl create namespace "pr${{ env.PR_NUMBER }}"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check and Create Certificate
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
# Using kubectl to check if a Certificate resource already exists
# we are doing this to avoid letsenrypt rate limits
if ! kubectl get certificate pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs > /dev/null 2>&1; then
echo "Certificate doesn't exist. Creating a new one."
envsubst < ./.github/pr-deployments/certificate.yaml | kubectl apply -f -
else
echo "Certificate exists. Skipping certificate creation."
fi
echo "Copy certificate from pr-deployment-certs to pr${{ env.PR_NUMBER }} namespace"
until kubectl get secret pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs &> /dev/null
do
echo "Waiting for secret pr${{ env.PR_NUMBER }}-tls to be created..."
sleep 5
done
(
kubectl get secret pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs -o json |
jq 'del(.metadata.namespace,.metadata.creationTimestamp,.metadata.resourceVersion,.metadata.selfLink,.metadata.uid,.metadata.managedFields)' |
kubectl -n pr${{ env.PR_NUMBER }} apply -f -
)
- name: Set up PostgreSQL database
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install coder-db bitnami/postgresql \
--namespace pr${{ env.PR_NUMBER }} \
--set auth.username=coder \
--set auth.password=coder \
--set auth.database=coder \
--set persistence.size=10Gi
kubectl create secret generic coder-db-url -n pr${{ env.PR_NUMBER }} \
--from-literal=url="postgres://coder:coder@coder-db-postgresql.pr${{ env.PR_NUMBER }}.svc.cluster.local:5432/coder?sslmode=disable"
- name: Create a service account, role, and rolebinding for the PR namespace
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
# Create service account, role, rolebinding
envsubst < ./.github/pr-deployments/rbac.yaml | kubectl apply -f -
- name: Create values.yaml
env:
EXPERIMENTS: ${{ github.event.inputs.experiments }}
PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}
PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}
run: |
set -euo pipefail
envsubst < ./.github/pr-deployments/values.yaml > ./pr-deploy-values.yaml
- name: Install/Upgrade Helm chart
run: |
set -euo pipefail
helm dependency update --skip-refresh ./helm/coder
helm upgrade --install "pr${{ env.PR_NUMBER }}" ./helm/coder \
--namespace "pr${{ env.PR_NUMBER }}" \
--values ./pr-deploy-values.yaml \
--force
- name: Install coder-logstream-kube
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
helm upgrade --install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
--namespace "pr${{ env.PR_NUMBER }}" \
--set url="https://${{ env.PR_HOSTNAME }}"
- name: Get Coder binary
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
DEST="${HOME}/coder"
URL="https://${{ env.PR_HOSTNAME }}/bin/coder-linux-amd64"
mkdir -p "$(dirname ${DEST})"
COUNT=0
until $(curl --output /dev/null --silent --head --fail "$URL"); do
printf '.'
sleep 5
COUNT=$((COUNT+1))
if [ $COUNT -ge 60 ]; then
echo "Timed out waiting for URL to be available"
exit 1
fi
done
curl -fsSL "$URL" -o "${DEST}"
chmod +x "${DEST}"
"${DEST}" version
mv "${DEST}" /usr/local/bin/coder
- name: Create first user
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
id: setup_deployment
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
# create a masked random password 12 characters long
password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)
# add mask so that the password is not printed to the logs
echo "::add-mask::$password"
echo "password=$password" >> $GITHUB_OUTPUT
coder login \
--first-user-username pr${{ env.PR_NUMBER }}-admin \
--first-user-email pr${{ env.PR_NUMBER }}@coder.com \
--first-user-password $password \
--first-user-trial=false \
--use-token-as-session \
https://${{ env.PR_HOSTNAME }}
# Create a user for the github.actor
# TODO: update once https://github.com/coder/coder/issues/15466 is resolved
# coder users create \
# --username ${{ github.actor }} \
# --login-type github
# promote the user to admin role
# coder org members edit-role ${{ github.actor }} organization-admin
# TODO: update once https://github.com/coder/internal/issues/207 is resolved
- name: Send Slack notification
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
-d \
'{
"pr_number": "'"${{ env.PR_NUMBER }}"'",
"pr_url": "'"${{ env.PR_URL }}"'",
"pr_title": "'"${{ env.PR_TITLE }}"'",
"pr_access_url": "'"https://${{ env.PR_HOSTNAME }}"'",
"pr_username": "'"pr${{ env.PR_NUMBER }}-admin"'",
"pr_email": "'"pr${{ env.PR_NUMBER }}@coder.com"'",
"pr_password": "'"${{ steps.setup_deployment.outputs.password }}"'",
"pr_actor": "'"${{ github.actor }}"'"
}' \
${{ secrets.PR_DEPLOYMENTS_SLACK_WEBHOOK }}
echo "Slack notification sent"
- name: Find Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc
with:
issue-number: ${{ env.PR_NUMBER }}
comment-author: "github-actions[bot]"
body-includes: ":rocket:"
direction: last
- name: Comment on PR
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
env:
STATUS: ${{ needs.get_info.outputs.NEW == 'true' && 'Created' || 'Updated' }}
with:
issue-number: ${{ env.PR_NUMBER }}
edit-mode: replace
comment-id: ${{ steps.fc.outputs.comment-id }}
body: |
---
:heavy_check_mark: PR ${{ env.PR_NUMBER }} ${{ env.STATUS }} successfully.
:rocket: Access the credentials [here](${{ secrets.PR_DEPLOYMENTS_SLACK_CHANNEL_URL }}).
---
cc: @${{ github.actor }}
reactions: rocket
reactions-edit-mode: replace
- name: Create template and workspace
if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
run: |
set -euo pipefail
cd .github/pr-deployments/template
coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
# Create workspace
coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
coder stop kube -y
Reference in New Issue View Git Blame Copy Permalink