Add Pull Request deployment workflow

.github/workflows/build.yml

@@ -0,0 +1,104 @@
+# Copyright (c) 2024 Jonah Aragon <jonah@triplebit.net>
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+name: Build Website
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      lang:
+        required: true
+        type: string
+      i18n:
+        required: true
+        type: boolean
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    continue-on-error: ${{ inputs.i18n }}
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ inputs.repo }}
+          ref: ${{ inputs.ref }}
+          persist-credentials: 'false'
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: modules
+
+      - run: |
+          rmdir modules/mkdocs-material
+          mv modules/mkdocs-material-insiders modules/mkdocs-material
+          rmdir theme/assets/brand
+          mv modules/brand theme/assets/brand
+
+      - if: inputs.i18n
+        run: |
+          cp -rl modules/i18n/i18n .
+          cp -rl modules/i18n/includes .
+          cp -rl modules/i18n/theme .
+
+      - name: Python setup
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.8'
+          cache: 'pipenv'
+
+      - name: Cache files
+        uses: actions/cache@v4.0.2
+        with:
+          key: ${{ inputs.ref }}
+          path: .cache
+
+      - name: Install Python dependencies
+        run: |
+          pip install pipenv
+          pipenv install
+          sudo apt install pngquant
+
+      - name: Build website
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CARDS: false
+          CONTEXT: deploy-preview
+          NETLIFY: true
+        run: |
+          pipenv run mkdocs build --config-file config/mkdocs.${{ inputs.lang }}.yml
+          cp -r static/* site/
+          pipenv run mkdocs --version
+          tar -czvf site-build-${{ inputs.lang }}.tar.gz site
+
+      - name: Upload tar.gz file
+        uses: actions/upload-artifact@v4
+        with:
+          name: site-build-${{ inputs.lang }}.tar.gz
+          path: site-build-${{ inputs.lang }}.tar.gz

.github/workflows/cleanup.yml

@@ -0,0 +1,49 @@
+# Copyright (c) 2024 Jonah Aragon <jonah@triplebit.net>
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+name: Cleanup Artifacts
+
+on:
+  workflow_call:
+
+jobs:
+  brand:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: geekyeggo/delete-artifact@v5
+        with:
+          name: brand
+          failOnError: false
+
+  i18n:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: geekyeggo/delete-artifact@v5
+        with:
+          name: i18n
+          failOnError: false
+
+  mkdocs-material-insiders:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: geekyeggo/delete-artifact@v5
+        with:
+          name: mkdocs-material-insiders
+          failOnError: false

.github/workflows/deploy.yml

@@ -0,0 +1,72 @@
+# Copyright (c) 2024 Jonah Aragon <jonah@triplebit.net>
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+name: Cleanup Artifacts
+
+on:
+  workflow_call:
+    inputs:
+      netlify:
+        type: boolean
+      netlify_alias:
+        type: string
+    outputs:
+      netlify_address:
+        value: ${{ jobs.netlify.outputs.address }}
+    secrets:
+      NETLIFY_TOKEN:
+
+jobs:
+  netlify:
+    if: inputs.netlify
+    runs-on: ubuntu-latest
+    outputs:
+      address: ${{ steps.deployment.outputs.address }}
+
+    environment:
+      name: preview-netlify
+      url: ${{ steps.deployment.outputs.address }}
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: site-build-*
+          merge-multiple: true
+
+      - run: |
+          for file in *.tar.gz; do tar -zxf "$file"; done
+          wget https://raw.githubusercontent.com/privacyguides/privacyguides.org/main/netlify.toml
+          ls -la site/
+
+      - uses: actions/setup-node@v4
+
+      - run: |
+          npm install netlify-cli -g
+
+      - name: Limit length of Netlify alias to 12
+        run: echo "SHORT_ALIAS=`echo ${{ inputs.netlify_alias }} | cut -c1-12`" >> $GITHUB_ENV
+
+      - id: deployment
+        env:
+          NETLIFY_SITE_ID: ${{ vars.NETLIFY_SITE }}
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_TOKEN }}
+        run: |
+          netlify deploy --dir=site --alias=${{ env.SHORT_ALIAS }}
+          echo "address=https://${{ env.SHORT_ALIAS }}--${{ vars.NETLIFY_SITE }}.netlify.app/" >> "$GITHUB_OUTPUT"

.github/workflows/download-repo.yml

@@ -0,0 +1,50 @@
+# Copyright (c) 2024 Jonah Aragon <jonah@triplebit.net>
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+name: Download repository
+
+on:
+  workflow_call:
+    inputs:
+      repo:
+        required: true
+        type: string
+    secrets:
+      ACTIONS_SSH_KEY:
+        required: true
+
+jobs:
+  download:
+    runs-on: ubuntu-latest
+    environment:
+      name: actions-ssh
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          repository: 'privacyguides/${{ inputs.repo }}'
+          path: ${{ inputs.repo }}
+          ssh-key: ${{ secrets.ACTIONS_SSH_KEY }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.repo }}
+          path: ${{ inputs.repo }}
+          retention-days: 1

.github/workflows/mirror.yml

@@ -29,6 +29,9 @@ concurrency:
 jobs:
   gitlab:
     runs-on: ubuntu-latest
+    environment:
+      name: actions-ssh
+      url: https://gitlab.com/privacyguides/privacyguides.org
     steps:
       - name: Mirror to GitLab
         uses: wearerequired/git-mirror-action@v1
@@ -40,6 +43,9 @@ jobs:
 
   codeberg:
     runs-on: ubuntu-latest
+    environment:
+      name: actions-ssh
+      url: https://codeberg.org/privacyguides/privacyguides.org
     steps:
       - name: Mirror to Codeberg
         uses: wearerequired/git-mirror-action@v1
@@ -51,6 +57,9 @@ jobs:
 
   sourcehut:
     runs-on: ubuntu-latest
+    environment:
+      name: actions-ssh
+      url: https://git.sr.ht/~jonaharagon/privacyguides.org
     steps:
       - name: Mirror to SourceHut
         uses: wearerequired/git-mirror-action@v1

.github/workflows/preview-pr.yml

@@ -0,0 +1,86 @@
+# Copyright (c) 2024 Jonah Aragon <jonah@triplebit.net>
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+name: Build Pull Request Preview
+
+on:
+  pull_request_target:
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  downloadSubmodules:
+    strategy:
+      matrix:
+        repo: [mkdocs-material-insiders, brand, i18n]
+    uses: ./.github/workflows/download-repo.yml
+    with:
+      repo: ${{ matrix.repo }}
+    secrets:
+      ACTIONS_SSH_KEY: ${{ secrets.ACTIONS_SSH_KEY }}
+
+  build:
+    needs: downloadSubmodules
+    strategy:
+      matrix:
+        lang: [es, fr, he, it, nl, ru, zh-Hant]
+        i18n: [true]
+        include:
+          - lang: en
+            i18n: false
+      fail-fast: false
+    permissions:
+      contents: read
+    uses: ./.github/workflows/build.yml
+    with:
+      ref: ${{github.event.pull_request.head.ref}}
+      repo: ${{github.event.pull_request.head.repo.full_name}}
+      lang: ${{ matrix.lang }}
+      i18n: ${{ matrix.i18n }}
+
+  deploy:
+    needs: build
+    uses: ./.github/workflows/deploy.yml
+    with:
+      netlify: true
+      netlify_alias: ${{ github.event.pull_request.head.sha }}
+    secrets:
+      NETLIFY_TOKEN: ${{ secrets.NETLIFY_TOKEN }}
+
+  comment:
+    permissions:
+      pull-requests: write
+    needs: deploy
+    runs-on: ubuntu-latest
+    env:
+      address: ${{ needs.deploy.outputs.netlify_address }}
+    steps:
+
+      - uses: thollander/actions-comment-pull-request@v2
+        with:
+          message: |
+            This is a test :eyes: ${{ env.address }}
+          comment_tag: deployment
+
+  cleanup:
+    needs: deploy
+    uses: ./.github/workflows/cleanup.yml

.github/workflows/release.yml

@@ -29,6 +29,8 @@ jobs:
   production:
     name: Push release to production
     runs-on: ubuntu-latest
+    environment:
+      name: actions-ssh
     permissions:
       contents: write
 
@@ -47,6 +49,8 @@ jobs:
   build:
     name: Create release packages
     runs-on: ubuntu-latest
+    environment:
+      name: actions-ssh
 
     steps:
       - name: Checkout repository