chore(workflows/preview_build): PR の更新毎に gh-pages /gen/pull/<番号>/ にプレビューをアップロード

akinomyoga · akinomyoga · commit dca7653047ec · 2025-01-13T18:44:52.000+09:00
cpprefjp#1273 (comment) PR 内容の変換結果を https://cpprefjp.github.io/site/gen/pull/<番号> か ら閲覧することができるようにする。
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,6 +2,13 @@ name: build
 
 on:
   workflow_dispatch:
+  workflow_call:
+    inputs:
+      arguments:
+        description: "build.sh に渡すコマンドライン引数"
+        default: ''
+        required: false
+        type: string
   push:
     branches:
       - master
@@ -14,13 +21,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - name: Register SSH key
-      env:
-        CPPREFJP_GITHUB_IO_SECRETS: ${{ secrets.CPPREFJP_GITHUB_IO_SECRETS }}
+    - id: vars
       run: |
-        mkdir -p $HOME/.ssh
-        echo "$CPPREFJP_GITHUB_IO_SECRETS" > $HOME/.ssh/id_ed25519
-        chmod 600 $HOME/.ssh/id_ed25519
+        echo "base_repo=${{ startsWith(inputs.arguments, '--pull ') && github.event.pull_request.base.repo.full_name || github.event.repository.full_name }}" >> "$GITHUB_OUTPUT"
+        echo "head_repo=${{ startsWith(inputs.arguments, '--pull ') && github.event.pull_request.head.repo.full_name || github.event.repository.full_name }}" >> "$GITHUB_OUTPUT"
+        echo "head_ref=${{ startsWith(inputs.arguments, '--pull ') && github.event.pull_request.head.ref || github.ref }}" >> "$GITHUB_OUTPUT"
 
     # site_generator
     - uses: actions/checkout@v4
@@ -38,19 +43,14 @@ jobs:
     - run: git submodule update -i
       working-directory: site_generator/kunai
 
-    # cpprefjp.github.io
-    - uses: actions/checkout@v4
-      with:
-        repository: cpprefjp/cpprefjp.github.io
-        path: site_generator/cpprefjp/cpprefjp.github.io
-
     # site
     - uses: actions/checkout@v4
       with:
-        repository: cpprefjp/site
-        path: site_generator/cpprefjp/site
+        repository: ${{ steps.vars.outputs.head_repo }}
         # atom 生成のために全履歴が必要
         fetch-depth: 0
+        ref: ${{ steps.vars.outputs.head_ref }}
+        path: site_generator/cpprefjp/site
     - run: git submodule update -i
       working-directory: site_generator/cpprefjp/site
 
@@ -66,10 +66,61 @@ jobs:
         python-version: 3.11
         # 3.12でUndefined symbolエラーがでた
 
+    # build.sh - base の build.sh を使う必要がある。もし PR head の
+    # build.sh を使うと、pull_request_target で呼び出された時に PR
+    # head の build.sh に悪意のあるコードが埋め込まれていると秘密鍵な
+    # ど盗まれてしまう。
+    - name: Check out build.sh
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ steps.vars.outputs.base_repo }}
+        ref: master
+        sparse-checkout: .github
+        path: .trusted
+
+    # Deploy 用
+    - name: "(Deploy) Register SSH key"
+      if: inputs.arguments == ''
+      env:
+        CPPREFJP_GITHUB_IO_SECRETS: ${{ secrets.CPPREFJP_GITHUB_IO_SECRETS }}
+      run: |
+        mkdir -p $HOME/.ssh
+        echo "$CPPREFJP_GITHUB_IO_SECRETS" > $HOME/.ssh/id_ed25519
+        chmod 600 $HOME/.ssh/id_ed25519
+
+    # Deploy 用
+    - name: "(Deploy) Check out cpprefjp.github.io"
+      if: inputs.arguments == ''
+      uses: actions/checkout@v4
+      with:
+        repository: cpprefjp/cpprefjp.github.io
+        path: site_generator/cpprefjp/cpprefjp.github.io
+
+    # Preview 用
+    - name: "(Preview build) Check out gh-pages"
+      if: startsWith(inputs.arguments, '--pull ')
+      continue-on-error: true
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event.pull_request.base.repo.full_name }}
+        ref: gh-pages
+        path: site_generator/cpprefjp/gh-pages
+
     # あとはスクリプトで頑張る
-    - run: ./cpprefjp/site/.github/workflows/script/build.sh
+    - name: Run script build.sh
+      run: ../.trusted/.github/workflows/script/build.sh ${{ inputs.arguments }}
       working-directory: site_generator
 
+    # Preview 用
+    - name: "(Preview build) Publish result in gh-pages"
+      if: startsWith(inputs.arguments, '--pull ')
+      uses: peaceiris/actions-gh-pages@v4
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        publish_dir: ./site_generator/cpprefjp/gh-pages
+        commit_message: |
+          Preview PR ${{ github.event.number }}: ${{ github.event.pull_request.head.sha }} <=
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -1,6 +1,6 @@
 name: check
 
-on: [push, pull_request, workflow_dispatch]
+on: [push, pull_request_target, workflow_dispatch]
 
 jobs:
   check:
@@ -25,8 +25,17 @@ jobs:
         python -m pip install --upgrade pip
         pip install requests
     - uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.event.repository.full_name }}
+        ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
+    - uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.repo.full_name || github.event.repository.full_name }}
+        ref: ${{ github.event_name == 'pull_request_target' && 'master' || github.ref }}
+        sparse-checkout: .github
+        path: .trusted
     - name: check
-      run: python3 .github/workflows/script/${{ matrix.item.script || format('{0}_check.py', matrix.item.name) }}
+      run: python3 .trusted/.github/workflows/script/${{ matrix.item.script || format('{0}_check.py', matrix.item.name) }}
 
   detect_forbidden_characters:
     # 本リポジトリでは、以下に挙げる文字の使用を禁止している：
@@ -60,3 +69,12 @@ jobs:
         path: ${{ env.REPO_DIR }}
     - name: check
       run: "! $BIN_DIR/rg -t md --vimgrep '[\u00ad\u200b]' $REPO_DIR"
+
+  preview_build:
+    if: github.event_name == 'pull_request_target'
+    needs: [check, detect_forbidden_characters]
+    uses: ./.github/workflows/build.yml
+    with:
+      arguments: --pull ${{ github.event.number }}
+    concurrency:
+      group: cpprefjp.gh-pages.lock
diff --git a/.github/workflows/script/build.sh b/.github/workflows/script/build.sh
@@ -33,14 +33,32 @@ popd
 pip3 install -r docker/requirements.txt
 python3 run.py settings.cpprefjp --concurrency=`nproc`
 
-# 生成されたサイトの中身を push
-pushd cpprefjp/cpprefjp.github.io
-  # push するために ssh のリモートを追加する
-  git remote add origin2 git@github.com:cpprefjp/cpprefjp.github.io.git
-
-  git add ./ --all
-  git config --global user.email "shigemasa7watanabe+cpprefjp@gmail.com"
-  git config --global user.name "cpprefjp-autoupdate"
-  git commit -a -m "update automatically"
-  git push origin2 master
-popd
+if (($# == 0)); then
+  # 生成されたサイトの中身を push
+  pushd cpprefjp/cpprefjp.github.io
+    # push するために ssh のリモートを追加する
+    git remote add origin2 git@github.com:cpprefjp/cpprefjp.github.io.git
+  
+    git add ./ --all
+    git config --global user.email "shigemasa7watanabe+cpprefjp@gmail.com"
+    git config --global user.name "cpprefjp-autoupdate"
+    git commit -a -m "update automatically"
+    git push origin2 master
+  popd
+
+elif [[ $1 == --pull ]]; then
+  if [[ ! $2 ]]; then
+    printf '%s\n' "build.sh: プルリクエスト番号が指定されていません" >&2
+    exit 2
+  fi
+
+  target_directory=cpprefjp/gh-pages/gen/pull/$2
+  rm -rf "$target_directory"
+  mkdir -p "$target_directory"
+  cp -r cpprefjp/cpprefjp.github.io/* "$target_directory"/
+
+else
+  printf '%s\n' "build.sh: コマンドライン引数が認識できません: $1" >&2
+  exit 2
+  
+fi
