coder/.github/workflows/pr-deploy.yaml

# This action will trigger when
# 1. when the workflow is manually triggered
# 2. ./scripts/deploy_pr.sh is run locally
# 3. when a PR is updated
name: Deploy PR
on:
  push:
    branches-ignore:
      - main
      - "temp-cherry-pick-*"
  workflow_dispatch:
    inputs:
      experiments:
        description: "Experiments to enable"
        required: false
        type: string
        default: "*"
      build:
        description: "Force new build"
        required: false
        type: boolean
        default: false
      deploy:
        description: "Force new deployment"
        required: false
        type: boolean
        default: false

env:
  REPO: ghcr.io/coder/coder-preview

permissions:
  contents: read

jobs:
  check_pr:
    runs-on: ubuntu-latest
    outputs:
      PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Check if PR is open
        id: check_pr
        run: |
          set -euo pipefail
          pr_open=true
          if [[ "$(gh pr view --json state | jq -r '.state')" != "OPEN" ]]; then
            echo "PR doesn't exist or is closed."
            pr_open=false
          fi
          echo "pr_open=$pr_open" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  get_info:
    needs: check_pr
    if: ${{ needs.check_pr.outputs.PR_OPEN == 'true' }}
    outputs:
      PR_NUMBER: ${{ steps.pr_info.outputs.PR_NUMBER }}
      PR_TITLE: ${{ steps.pr_info.outputs.PR_TITLE }}
      PR_URL: ${{ steps.pr_info.outputs.PR_URL }}
      CODER_BASE_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_BASE_IMAGE_TAG }}
      CODER_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_IMAGE_TAG }}
      NEW: ${{ steps.check_deployment.outputs.NEW }}
      BUILD: ${{ steps.build_conditionals.outputs.first_or_force_build == 'true' || steps.build_conditionals.outputs.automatic_rebuild == 'true' }}

    runs-on: "ubuntu-latest"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Get PR number, title, and branch name
        id: pr_info
        run: |
          set -euo pipefail
          PR_NUMBER=$(gh pr view --json number | jq -r '.number')
          PR_TITLE=$(gh pr view --json title | jq -r '.title')
          PR_URL=$(gh pr view --json url | jq -r '.url')
          echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
          echo "PR_TITLE=$PR_TITLE" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Set required tags
        id: set_tags
        run: |
          set -euo pipefail
          echo "CODER_BASE_IMAGE_TAG=$CODER_BASE_IMAGE_TAG" >> $GITHUB_OUTPUT
          echo "CODER_IMAGE_TAG=$CODER_IMAGE_TAG" >> $GITHUB_OUTPUT
        env:
          CODER_BASE_IMAGE_TAG: ghcr.io/coder/coder-preview-base:pr${{ steps.pr_info.outputs.PR_NUMBER }}
          CODER_IMAGE_TAG: ghcr.io/coder/coder-preview:pr${{ steps.pr_info.outputs.PR_NUMBER }}

      - name: Set up kubeconfig
        run: |
          set -euo pipefail
          mkdir -p ~/.kube
          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
          chmod 600 ~/.kube/config
          export KUBECONFIG=~/.kube/config

      - name: Check if the helm deployment already exists
        id: check_deployment
        run: |
          set -euo pipefail
          if helm status "pr${{ steps.pr_info.outputs.PR_NUMBER }}" --namespace "pr${{ steps.pr_info.outputs.PR_NUMBER }}" > /dev/null 2>&1; then
            echo "Deployment already exists. Skipping deployment."
            NEW=false
          else
            echo "Deployment doesn't exist."
            NEW=true
          fi
          echo "NEW=$NEW" >> $GITHUB_OUTPUT

      - name: Check changed files
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          base: ${{ github.ref }}
          filters: |
            all:
              - "**"
            ignored:
              - "docs/**"
              - "README.md"
              - "examples/web-server/**"
              - "examples/monitoring/**"
              - "examples/lima/**"
              - ".github/**"
              - "offlinedocs/**"
              - ".devcontainer/**"
              - "helm/**"
              - "*[^g][^o][^.][^s][^u][^m]*"
              - "*[^g][^o][^.][^m][^o][^d]*"
              - "*[^M][^a][^k][^e][^f][^i][^l][^e]*"
              - "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e]*"
              - "scripts/**/*[^D][^o][^c][^k][^e][^r][^f][^i][^l][^e][.][b][^a][^s][^e]*"

      - name: Print number of changed files
        run: |
          set -euo pipefail
          echo "Total number of changed files: ${{ steps.filter.outputs.all_count }}"
          echo "Number of ignored files: ${{ steps.filter.outputs.ignored_count }}"

      - name: Build conditionals
        id: build_conditionals
        run: |
          set -euo pipefail
          # build if the workflow is manually triggered and the deployment doesn't exist (first build or force rebuild)
          echo "first_or_force_build=${{ (github.event_name == 'workflow_dispatch' && steps.check_deployment.outputs.NEW == 'true') || github.event.inputs.build == 'true' }}" >> $GITHUB_OUTPUT
          # build if the deployment already exist and there are changes in the files that we care about (automatic updates)
          echo "automatic_rebuild=${{ steps.check_deployment.outputs.NEW == 'false' && steps.filter.outputs.all_count > steps.filter.outputs.ignored_count }}" >> $GITHUB_OUTPUT

  comment-pr:
    needs: get_info
    if: needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
    runs-on: "ubuntu-latest"
    permissions:
      pull-requests: write # needed for commenting on PRs
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
        id: fc
        with:
          issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
          comment-author: "github-actions[bot]"
          body-includes: ":rocket:"
          direction: last

      - name: Comment on PR
        id: comment_id
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ needs.get_info.outputs.PR_NUMBER }}
          edit-mode: replace
          body: |
            ---
            :rocket: Deploying PR ${{ needs.get_info.outputs.PR_NUMBER }} ...
            ---
          reactions: eyes
          reactions-edit-mode: replace

  build:
    needs: get_info
    # Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag
    if: needs.get_info.outputs.BUILD == 'true'
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    permissions:
      # Necessary to push docker images to ghcr.io.
      packages: write
    # This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs changes.
    concurrency:
      group: build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}
      cancel-in-progress: true
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Setup Node
        uses: ./.github/actions/setup-node

      - name: Setup Go
        uses: ./.github/actions/setup-go

      - name: Setup sqlc
        uses: ./.github/actions/setup-sqlc

      - name: GHCR Login
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Linux amd64 Docker image
        run: |
          set -euo pipefail
          go mod download
          make gen/mark-fresh
          export DOCKER_IMAGE_NO_PREREQUISITES=true
          version="$(./scripts/version.sh)"
          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
          make -j build/coder_linux_amd64
          ./scripts/build_docker.sh \
            --arch amd64 \
            --target ${{ env.CODER_IMAGE_TAG }} \
            --version $version \
            --push \
            build/coder_linux_amd64

  deploy:
    needs: [build, get_info]
    # Run deploy job only if build job was successful or skipped
    if: |
      always() && (needs.build.result == 'success' || needs.build.result == 'skipped') &&
      (needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true')
    runs-on: "ubuntu-latest"
    permissions:
      pull-requests: write # needed for commenting on PRs
    env:
      CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }}
      PR_NUMBER: ${{ needs.get_info.outputs.PR_NUMBER }}
      PR_TITLE: ${{ needs.get_info.outputs.PR_TITLE }}
      PR_URL: ${{ needs.get_info.outputs.PR_URL }}
      PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Set up kubeconfig
        run: |
          set -euo pipefail
          mkdir -p ~/.kube
          echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
          chmod 600 ~/.kube/config
          export KUBECONFIG=~/.kube/config

      - name: Check if image exists
        run: |
          set -euo pipefail
          foundTag=$(
            gh api /orgs/coder/packages/container/coder-preview/versions |
            jq -r --arg tag "pr${{ env.PR_NUMBER }}" '.[] |
            select(.metadata.container.tags == [$tag]) |
            .metadata.container.tags[0]'
          )
          if [ -z "$foundTag" ]; then
            echo "Image not found"
            echo "${{ env.CODER_IMAGE_TAG }} not found in ghcr.io/coder/coder-preview"
            exit 1
          else
            echo "Image found"
            echo "$foundTag tag found in ghcr.io/coder/coder-preview"
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Add DNS record to Cloudflare
        if: needs.get_info.outputs.NEW == 'true'
        run: |
          curl -X POST "https://api.cloudflare.com/client/v4/zones/${{ secrets.PR_DEPLOYMENTS_ZONE_ID }}/dns_records" \
            -H "Authorization: Bearer ${{ secrets.PR_DEPLOYMENTS_CLOUDFLARE_API_TOKEN }}" \
            -H "Content-Type:application/json" \
            --data '{"type":"CNAME","name":"*.${{ env.PR_HOSTNAME }}","content":"${{ env.PR_HOSTNAME }}","ttl":1,"proxied":false}'

      - name: Create PR namespace
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          set -euo pipefail
          # try to delete the namespace, but don't fail if it doesn't exist
          kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
          kubectl create namespace "pr${{ env.PR_NUMBER }}"

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Check and Create Certificate
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          # Using kubectl to check if a Certificate resource already exists
          # we are doing this to avoid letsenrypt rate limits
          if ! kubectl get certificate pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs > /dev/null 2>&1; then
            echo "Certificate doesn't exist. Creating a new one."
            envsubst < ./.github/pr-deployments/certificate.yaml | kubectl apply -f -
          else
            echo "Certificate exists. Skipping certificate creation."
          fi
          echo "Copy certificate from pr-deployment-certs to pr${{ env.PR_NUMBER }} namespace"
          until kubectl get secret pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs &> /dev/null
          do
            echo "Waiting for secret pr${{ env.PR_NUMBER }}-tls to be created..."
            sleep 5
          done
          (
            kubectl get secret pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs -o json |
            jq 'del(.metadata.namespace,.metadata.creationTimestamp,.metadata.resourceVersion,.metadata.selfLink,.metadata.uid,.metadata.managedFields)' |
            kubectl -n pr${{ env.PR_NUMBER }} apply -f -
          )

      - name: Set up PostgreSQL database
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          helm repo add bitnami https://charts.bitnami.com/bitnami
          helm install coder-db bitnami/postgresql \
            --namespace pr${{ env.PR_NUMBER }} \
            --set auth.username=coder \
            --set auth.password=coder \
            --set auth.database=coder \
            --set persistence.size=10Gi
          kubectl create secret generic coder-db-url -n pr${{ env.PR_NUMBER }} \
            --from-literal=url="postgres://coder:coder@coder-db-postgresql.pr${{ env.PR_NUMBER }}.svc.cluster.local:5432/coder?sslmode=disable"

      - name: Create a service account, role, and rolebinding for the PR namespace
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          set -euo pipefail
          # Create service account, role, rolebinding
          envsubst < ./.github/pr-deployments/rbac.yaml | kubectl apply -f -

      - name: Create values.yaml
        env:
          EXPERIMENTS: ${{ github.event.inputs.experiments }}
          PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}
          PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}
        run: |
          set -euo pipefail
          envsubst < ./.github/pr-deployments/values.yaml > ./pr-deploy-values.yaml

      - name: Install/Upgrade Helm chart
        run: |
          set -euo pipefail
          helm dependency update --skip-refresh ./helm/coder
          helm upgrade --install "pr${{ env.PR_NUMBER }}" ./helm/coder \
          --namespace "pr${{ env.PR_NUMBER }}" \
          --values ./pr-deploy-values.yaml \
          --force

      - name: Install coder-logstream-kube
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          helm repo add coder-logstream-kube https://helm.coder.com/logstream-kube
          helm upgrade --install coder-logstream-kube coder-logstream-kube/coder-logstream-kube \
            --namespace "pr${{ env.PR_NUMBER }}" \
            --set url="https://${{ env.PR_HOSTNAME }}"

      - name: Get Coder binary
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          set -euo pipefail

          DEST="${HOME}/coder"
          URL="https://${{ env.PR_HOSTNAME }}/bin/coder-linux-amd64"

          mkdir -p "$(dirname ${DEST})"

          COUNT=0
          until $(curl --output /dev/null --silent --head --fail "$URL"); do
              printf '.'
              sleep 5
              COUNT=$((COUNT+1))
              if [ $COUNT -ge 60 ]; then
                echo "Timed out waiting for URL to be available"
                exit 1
              fi
          done

          curl -fsSL "$URL" -o "${DEST}"
          chmod +x "${DEST}"
          "${DEST}" version
          mv "${DEST}" /usr/local/bin/coder

      - name: Create first user
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        id: setup_deployment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail

          # create a masked random password 12 characters long
          password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)

          # add mask so that the password is not printed to the logs
          echo "::add-mask::$password"
          echo "password=$password" >> $GITHUB_OUTPUT

          coder login \
            --first-user-username pr${{ env.PR_NUMBER }}-admin \
            --first-user-email pr${{ env.PR_NUMBER }}@coder.com \
            --first-user-password $password \
            --first-user-trial=false \
            --use-token-as-session \
            https://${{ env.PR_HOSTNAME }}

          # Create a user for the github.actor
          # TODO: update once https://github.com/coder/coder/issues/15466 is resolved
          # coder users create \
          #   --username ${{ github.actor }} \
          #   --login-type github

          # promote the user to admin role
          # coder org members edit-role ${{ github.actor }} organization-admin
          # TODO: update once https://github.com/coder/internal/issues/207 is resolved

      - name: Send Slack notification
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
            -d \
            '{
              "pr_number": "'"${{ env.PR_NUMBER }}"'",
              "pr_url": "'"${{ env.PR_URL }}"'",
              "pr_title": "'"${{ env.PR_TITLE }}"'",
              "pr_access_url": "'"https://${{ env.PR_HOSTNAME }}"'",
              "pr_username": "'"pr${{ env.PR_NUMBER }}-admin"'",
              "pr_email": "'"pr${{ env.PR_NUMBER }}@coder.com"'",
              "pr_password": "'"${{ steps.setup_deployment.outputs.password }}"'",
              "pr_actor": "'"${{ github.actor }}"'"
            }' \
            ${{ secrets.PR_DEPLOYMENTS_SLACK_WEBHOOK }}
          echo "Slack notification sent"

      - name: Find Comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
        id: fc
        with:
          issue-number: ${{ env.PR_NUMBER }}
          comment-author: "github-actions[bot]"
          body-includes: ":rocket:"
          direction: last

      - name: Comment on PR
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        env:
          STATUS: ${{ needs.get_info.outputs.NEW == 'true' && 'Created' || 'Updated' }}
        with:
          issue-number: ${{ env.PR_NUMBER }}
          edit-mode: replace
          comment-id: ${{ steps.fc.outputs.comment-id }}
          body: |
            ---
            :heavy_check_mark: PR ${{ env.PR_NUMBER }} ${{ env.STATUS }} successfully.
            :rocket: Access the credentials [here](${{ secrets.PR_DEPLOYMENTS_SLACK_CHANNEL_URL }}).
            ---
            cc: @${{ github.actor }}
          reactions: rocket
          reactions-edit-mode: replace

      - name: Create template and workspace
        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
        run: |
          set -euo pipefail
          cd .github/pr-deployments/template
          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes

          # Create workspace
          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
          coder stop kube -y