ci: Allow blog builds from unprivileged forks

2024-12-18 12:24:35 -05:00 · 2024-11-15 23:11:30 -06:00 · 2024-11-15 23:11:30 -06:00 · 7c3424f001
commit 7c3424f001
parent 155691f94b
3 changed files with 44 additions and 7 deletions
--- a/.github/workflows/build-blog.yml
+++ b/.github/workflows/build-blog.yml
@ -65,6 +65,10 @@ jobs:
        with:
          cache: "pipenv"

+      - name: Install Python (no pipenv)
+        if: ${{ !inputs.privileged }}
+        uses: actions/setup-python@v5
+
      - name: Install Python Dependencies
        if: inputs.privileged
        run: |
@ -72,10 +76,22 @@ jobs:
          pipenv install
          sudo apt install pngquant

-      - name: Build Website
+      - name: Install Python Dependencies (Unprivileged)
+        if: ${{ !inputs.privileged }}
+        run: |
+          pip install mkdocs-material mkdocs-rss-plugin mkdocs-glightbox mkdocs-macros-plugin
+          sudo apt install pngquant
+
+      - name: Build Website (Privileged)
+        if: inputs.privileged
        run: |
          pipenv run mkdocs build --config-file mkdocs.blog.yml

+      - name: Build Website (Unprivileged)
+        if: ${{ !inputs.privileged }}
+        run: |
+          BUILD_INSIDERS=false mkdocs build --config-file mkdocs.blog.yml
+
      - name: Package Website
        run: |
          tar -czf site-build-blog.tar.gz site
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@ -19,12 +19,19 @@ jobs:
    env:
      ACTIONS_SSH_KEY: ${{ secrets.ACTIONS_SSH_KEY }}
    steps:
+      - name: Save PR metadata
+        run: |
+          mkdir -p ./metadata
+          echo ${{ github.event.number }} > ./metadata/NR
+          echo ${{ github.event.pull_request.head.sha }} > ./metadata/SHA
+
      - name: Set submodules for fork
        if: env.ACTIONS_SSH_KEY == ''
        id: submodules-fork
        run: |
          echo 'submodules={"repo":["brand","i18n"]}' >> "$GITHUB_OUTPUT"
          echo "privileged=false" >> "$GITHUB_OUTPUT"
+          echo "false" > ./metadata/PRIVILEGED

      - name: Set submodules for main repo
        if: env.ACTIONS_SSH_KEY != ''
@ -32,12 +39,7 @@ jobs:
        run: |
          echo 'submodules={"repo":["brand","i18n","mkdocs-material-insiders"]}' >> "$GITHUB_OUTPUT"
          echo "privileged=true" >> "$GITHUB_OUTPUT"
-
-      - name: Save PR metadata
-        run: |
-          mkdir -p ./metadata
-          echo ${{ github.event.number }} > ./metadata/NR
-          echo ${{ github.event.pull_request.head.sha }} > ./metadata/SHA
+          echo "true" > ./metadata/PRIVILEGED

      - name: Upload metadata as artifact
        uses: actions/upload-artifact@v4
--- a/.github/workflows/publish-pr.yml
+++ b/.github/workflows/publish-pr.yml
@ -22,6 +22,7 @@ jobs:
    outputs:
      pr_number: ${{ steps.metadata.outputs.pr_number }}
      sha: ${{ steps.metadata.outputs.sha }}
+      privileged: ${{ steps.metadata.outputs.privileged }}

    steps:
      - name: Download Website Build Artifact
@ -86,6 +87,7 @@ jobs:
          unzip metadata.zip -d metadata
          echo "pr_number=$(cat metadata/NR)" >> "$GITHUB_OUTPUT"
          echo "sha=$(cat metadata/SHA)" >> "$GITHUB_OUTPUT"
+          echo "privileged=$(cat metadata/PRIVILEGED)" >> "$GITHUB_OUTPUT"

  deploy_netlify:
    needs: metadata
@ -122,6 +124,7 @@ jobs:
      address: ${{ needs.deploy_garage.outputs.address }}
    steps:
      - uses: thollander/actions-comment-pull-request@v2.5.0
+        if: ${{ needs.metadata.outputs.privileged == 'true' }}
        with:
          pr_number: ${{ needs.metadata.outputs.pr_number }}
          message: |
@ -132,3 +135,19 @@ jobs:
            | <span aria-hidden="true">🔨</span> Latest commit | ${{ needs.metadata.outputs.sha }} |
            | <span aria-hidden="true">😎</span> Preview | ${{ env.address }} |
          comment_tag: deployment
+
+      - uses: thollander/actions-comment-pull-request@v2.5.0
+        if: ${{ needs.metadata.outputs.privileged == 'false' }}
+        with:
+          pr_number: ${{ needs.metadata.outputs.pr_number }}
+          message: |
+            ### <span aria-hidden="true">✅</span> Your preview is ready!
+
+            |  Name | Link |
+            | :---: | ---- |
+            | <span aria-hidden="true">🔨</span> Latest commit | ${{ needs.metadata.outputs.sha }} |
+            | <span aria-hidden="true">😎</span> Preview | ${{ env.address }} |
+
+            Please note that this preview was built from an untrusted source, so it was not granted access to all mkdocs-material features.
+            Maintainers should ensure this PR has been reviewed locally with a full build before merging.
+          comment_tag: deployment