Public Repo Azure Preview Environments (#25206)

* add public deploy workflow, update destroy to work on pull_request_target

Co-authored-by: Peter Bengtsson <mail@peterbe.com>

.dockerignore

@@ -10,3 +10,5 @@ tests/
 lib/rest/static/dereferenced
 # Folder is cloned during the preview + prod workflows, the assets are merged into other locations for use before the build
 docs-early-access/
+# During the preview deploy untrusted user code may be cloned into this directory
+user-code/

.github/workflows/azure-preview-env-deploy.yml

@@ -1,12 +1,13 @@
 name: Azure - Deploy Preview Environment
 
-# **What it does**: Build and deploy to an Azure preview environment
-# **Why we have it**: It's our preview environment deploy mechanism, only applicable to docs-internal
+# **What it does**: Build and deploy an Azure preview environment for this PR
+# **Why we have it**: It's our preview environment deploy mechanism, to docs-internal and docs public repo
 # **Who does it impact**: All contributors.
 
-# This whole workflow is only guaranteed to be secure in the *private
-# repo* and because we repo-sync these files over the to the public one,
-# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!
+# !!!
+# ! This worflow has access to secrets, runs in the public repository, and clones untrusted user code.
+# ! Modify with extreme caution
+# !!!
 
 on:
   # The advantage of 'pull_request' over 'pull_request_target' is that we
@@ -15,13 +16,17 @@ on:
   # From a security point of view, its arguably safer this way because
   # unlike 'pull_request_target', these only have secrets if the pull
   # request creator has permission to access secrets.
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
     inputs:
       PR_NUMBER:
         description: 'PR Number'
         type: string
         required: true
+      COMMIT_REF:
+        description: 'The commit SHA to build'
+        type: string
+        required: true
 
 permissions:
   contents: read
@@ -34,7 +39,6 @@ concurrency:
 
 jobs:
   build-and-deploy-azure-preview:
-    if: ${{ github.repository == 'github/docs-internal' }}
     name: Build and deploy Azure preview environment
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -47,7 +51,11 @@ jobs:
       url: ${{ env.APP_URL }}
     env:
       PR_NUMBER: ${{ github.event.number || github.event.inputs.PR_NUMBER }}
-      ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}
+      COMMIT_REF: ${{ github.event.pull_request.head.sha || github.event.inputs.COMMIT_REF }}
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      IS_INTERNAL_BUILD: ${{ github.repository == 'github/docs-internal' }}
+      # This may also run in forked repositories, not just 'github/docs'
+      IS_PUBLIC_BUILD: ${{ github.repository != 'github/docs-internal' }}
 
     steps:
       - name: 'Az CLI login'
@@ -65,10 +73,19 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25
 
-      - name: Check out repo
+      - if: ${{ env.IS_PUBLIC_BUILD }}
+        name: Check out main branch
         uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: 'main'
+          persist-credentials: 'false'
+          lfs: 'true'
+
+      - if: ${{ env.IS_INTERNAL_BUILD }}
+        name: Check out PR code
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          ref: ${{ env.COMMIT_REF }}
           # To prevent issues with cloning early access content later
           persist-credentials: 'false'
           lfs: 'true'
@@ -84,14 +101,14 @@ jobs:
       - name: 'Set env vars'
         run: |
           # Image tag is unique to each workflow run so that it always triggers a new deployment
-          echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ github.event.pull_request.head.sha }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
+          echo "DOCKER_IMAGE=${{ secrets.NONPROD_REGISTRY_SERVER }}/${IMAGE_REPO}:${{ env.COMMIT_REF }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
 
-      - if: ${{ env.ENABLE_EARLY_ACCESS }}
+      - if: ${{ env.IS_INTERNAL_BUILD }}
         name: Determine which docs-early-access branch to clone
         id: 'check-early-access'
         uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
         env:
-          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+          BRANCH_NAME: ${{ env.BRANCH_NAME }}
         with:
           github-token: ${{ secrets.DOCUBOT_REPO_PAT }}
           result-encoding: string
@@ -116,7 +133,7 @@ jobs:
               return 'main'
             }
 
-      - if: ${{ env.ENABLE_EARLY_ACCESS }}
+      - if: ${{ env.IS_INTERNAL_BUILD }}
         name: Clone docs-early-access
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
         with:
@@ -125,10 +142,25 @@ jobs:
           path: docs-early-access
           ref: ${{ steps.check-early-access.outputs.result }}
 
-      - if: ${{ env.ENABLE_EARLY_ACCESS }}
+      - if: ${{ env.IS_INTERNAL_BUILD }}
         name: Merge docs-early-access repo's folders
         run: .github/actions-scripts/merge-early-access.sh
 
+      - if: ${{ env.IS_PUBLIC_BUILD }}
+        name: Check out user code to temp directory
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          path: ./user-code
+          ref: ${{ env.COMMIT_REF }}
+
+      # Move acceptable user changes into our main branch checkout
+      - if: ${{ env.IS_PUBLIC_BUILD }}
+        name: Move acceptable user changes
+        run: |
+          rsync -rptovR ./user-code/content/./**/*.md ./content
+          rsync -rptovR ./user-code/assets/./**/*.png ./assets
+          rsync -rptovR ./user-code/data/./**/*.{yml,md} ./data
+
       # In addition to making the final image smaller, we also save time by not sending unnecessary files to the docker build context
       - name: 'Prune for preview env'
         run: .github/actions-scripts/prune-for-preview-env.sh

.github/workflows/azure-preview-env-destroy.yml

@@ -5,7 +5,7 @@ name: Azure - Destroy Preview Env
 # **Who does it impact**: All contributors.
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - locked
@@ -16,10 +16,12 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   destory-azure-preview-env:
     name: Destroy
-    if: ${{ github.repository == 'github/docs-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 5
     env:
@@ -59,5 +61,6 @@ jobs:
       # Remove all GitHub deployments from this environment and remove the environment
       - uses: strumwolf/delete-deployment-environment@45c821e46baa405e25410700fe2e9643929706a0
         with:
+          # The token provided by the workflow does not have the permissions to delete created environments
           token: ${{ secrets.DOCUBOT_REPO_PAT }}
           environment: preview-env-${{ env.PR_NUMBER }}

.github/workflows/main-preview-docker-cache.yml

@@ -24,8 +24,6 @@ jobs:
     timeout-minutes: 15
     env:
       ENABLE_EARLY_ACCESS: ${{ github.repository == 'github/docs-internal' }}
-      NONPROD_REGISTRY_USERNAME: ghdocs
-      NONPROD_REGISTRY_NAME: ghdocs
       DOCKER_IMAGE_CACHE_REF: ${{ secrets.NONPROD_REGISTRY_SERVER }}/${{ github.repository }}:main-preview
 
     steps:
@@ -38,7 +36,7 @@ jobs:
         uses: azure/docker-login@81744f9799e7eaa418697cb168452a2882ae844a
         with:
           login-server: ${{ secrets.NONPROD_REGISTRY_SERVER }}
-          username: ${{ env.NONPROD_REGISTRY_USERNAME }}
+          username: ${{ secrets.NONPROD_REGISTRY_USERNAME }}
           password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}
 
       - name: Set up Docker Buildx

.gitignore

@@ -17,3 +17,7 @@ blc_output.log
 blc_output_internal.log
 broken_links.md
 lib/redirects/.redirects-cache_*.json
+
+# During the preview deploy untrusted user code may be cloned into this directory
+# We ignore it from git to keep things deterministic
+user-code/

Dockerfile

@@ -23,7 +23,7 @@ FROM base as all_deps
 
 COPY --chown=node:node package.json package-lock.json ./
 
-RUN npm ci --no-optional
+RUN npm ci --no-optional --registry https://registry.npmjs.org/
 
 # For Next.js v12+
 # This the appropriate necessary extra for node:16-alpine