-
Notifications
You must be signed in to change notification settings - Fork 0
261 lines (221 loc) · 12.1 KB
/
build-and-deploy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
#
# GitHub Actions workflow: Builds the site and uploads it to the target server.
#
# For more details on workflows, see README.md.
#
# See also: https://gohugo.io/hosting-and-deployment/hosting-on-github/
#
name: Build and Deploy
# When to run this workflow
#
# See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
# See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on
#
# TIP: Don't use "schedule" triggers as this will cause the workflow to be disabled after 60 days of inactivity
# (and afterward the workflow must be manually reenabled).
on:
# Trigger the workflow on push to the main branch (deploy to production).
push:
branches:
- main
# NOTE: The preview branch is for tests without pull request (as GitHub Action sometimes work differently for pushes
# and pull requests).
- preview
# Trigger the workflow for any pull requests (deploy to preview, if "local" PR; don't deploy if PR from fork).
pull_request:
# Allow manual run of this workflow (https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow)
workflow_dispatch:
# Permissions for GITHUB_TOKEN for this workflow.
#
# See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
#
# NOTE: Because we run with minimal permissions, we use "@vX" (instead of "@hash") for non-GitHub steps below.
# Usually you would use "@hash" as a security measure to pin a specific version. However, since we run with
# minimal permissions here, malicious code can't do much harm (most likely). For more details, see:
# https://blog.gitguardian.com/github-actions-security-cheat-sheet/#use-specific-action-version-tags
permissions:
contents: read
env:
# The Hugo version to use: https://github.com/gohugoio/hugo/releases
# NOTE: It sometimes happens that new Hugo versions break the site. So I've decided to always
# "pin" the Hugo version (instead of using the latest version). This way, the Hugo version
# can be updated with a pull request where I can test the new version.
# IMPORTANT: Always USE A PULL REQUEST TO UPDATE THE HUGO VERSION to be able to fix all problems
# before pushing the result to production!!!
HUGO_VERSION: 0.127.0
# Set "DEPLOY_STATE" to "production" if this workflow was triggered by a push to the main branch.
# Set "DEPLOY_STATE" to "preview" in any other case (i.e. pull requests).
DEPLOY_STAGE: ${{ github.ref == 'refs/heads/main' && 'production' || 'preview' }}
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency
concurrency:
# Makes this workflow part of the "deploy" concurrency group. (Note that this text can be chosen arbitrarily.)
# NOTE: Unfortunately, we can't use "env.DEPLOY_STAGE" as "env." is not supported.
group: deploy-${{ github.ref == 'refs/heads/main' && 'production' || 'preview' }}
# Do NOT cancel in-progress runs as we want to allow these deployments to complete.
cancel-in-progress: false
# NOTE: Jobs run in parallel by default.
# https://docs.github.com/en/actions/using-jobs/using-jobs-in-a-workflow
jobs:
build-and-deploy:
# Name the job
name: Build & Deploy
# Set the type of machine to run on
# See: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idruns-on
runs-on: ubuntu-latest
env:
# The directory in which Hugo stores the generated site.
# NOTE: '${{ runner.temp }}' isn't available here so we have to use '${{ github.workspace }}'.
PUBLISH_DIR: '${{ github.workspace }}/public/'
# The directory in which to store diffable files (i.e. the generated site which can be more easily diffed
# especially across branches).
DIFF_PUBLISH_DIR: '${{ github.workspace }}/public-diff/'
# Hugo build parameters used by all build steps.
HUGO_COMMON_BUILD_PARAMS: --printPathWarnings --logLevel info --panicOnWarning
steps:
###########################################################################
#
# Setup Steps
#
###########################################################################
- name: Install Hugo CLI
# This snippet is taken from: https://gohugo.io/hosting-and-deployment/hosting-on-github/
# NOTE: We can't use "snap" for this as it doesn't support installing old versions, if they're not provided by the package authors.
# Note, though, that this call is extremely fast (way faster than using snap), most likely because the source is also hosted
# by GitHub.
run: |
wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb
sudo dpkg -i ${{ runner.temp }}/hugo.deb
# See: https://github.com/marketplace/actions/setup-node-js-environment
- name: Setup NodeJS environment
uses: actions/setup-node@v4
with:
node-version: 'latest'
# See: https://github.com/marketplace/actions/checkout
- name: Clone Git repository
uses: actions/checkout@v4
with:
lfs: true
submodules: true
# IMPORTANT: Fetch the whole history. This is how Hugo determines the (publish) dates for the articles!!!
fetch-depth: 0
# Use this to dump the complete "github" context for the build log.
# - name: Dump GitHub context
# env:
# GITHUB_CONTEXT: ${{ toJson(github) }}
# run: echo "$GITHUB_CONTEXT"
- name: Download node modules (assets)
run: npm install
working-directory: themes/devlog-theme/assets
- name: Download node modules (utils)
run: npm install
working-directory: themes/devlog-theme/_utils
###########################################################################
#
# Build Steps
#
###########################################################################
- name: Build site (preview)
if: ${{ env.DEPLOY_STAGE == 'preview' }}
# NOTE: We don't use "--minify" here so that the output remains better readable/diffable.
run: hugo --destination '${{ env.PUBLISH_DIR }}' ${{ env.HUGO_COMMON_BUILD_PARAMS }} --buildDrafts --baseURL 'https://preview.manski.net'
env:
# Disable search engine crawling for the preview stage.
HUGO_PARAMS_robots: 'noindex,nofollow'
# For pull requests, the git branch name can't be determined by reading ".git/HEAD". So we have to specify it here explicitly.
# NOTE: This variable is empty if this workflow was not triggered by a pull request. This means that the default behavior
# remains in effect for the "preview" branch.
HUGO_PARAMS_gitBranch: ${{ github.head_ref }}
- name: Build site (production)
if: ${{ env.DEPLOY_STAGE == 'production' }}
run: hugo --destination '${{ env.PUBLISH_DIR }}' ${{ env.HUGO_COMMON_BUILD_PARAMS }}
- name: Beautify output
run: node beautify.js '${{ env.PUBLISH_DIR }}'
working-directory: themes/devlog-theme/_utils
- name: Build search index
run: npx pagefind --site '${{ env.PUBLISH_DIR }}'
working-directory: themes/devlog-theme/_utils
###########################################################################
#
# Archive Steps
#
###########################################################################
- name: Create diffable output
run: hugo --destination '${{ env.DIFF_PUBLISH_DIR }}' ${{ env.HUGO_COMMON_BUILD_PARAMS }} ${{ env.BUILD_DRAFTS_PARAM }} --baseURL 'https://fake.manski.net'
env:
BUILD_DRAFTS_PARAM: ${{ env.DEPLOY_STAGE == 'production' && '' || '--buildDrafts' }}
HUGO_PARAMS_robots: 'diffable-value'
HUGO_PARAMS_gitBranch: 'fake-branch'
HUGO_PARAMS_enableFingerprinting: 'false'
- name: Beautify diffable output
run: node beautify.js '${{ env.DIFF_PUBLISH_DIR }}'
working-directory: themes/devlog-theme/_utils
- name: Make branch name compatible with file names
id: file-branch-name
# Based on: https://stackoverflow.com/a/58035262/614177
# For syntax, see: https://www.gnu.org/software/bash/manual/bash.html#Shell-Parameter-Expansion
# Strips "feature/" from PR branch names. Also replaces '/' with '-'.
run: echo "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" | sed 's#^feature/##' | sed 's#/#-#' | xargs printf "branch=%s\n" >> $GITHUB_OUTPUT
#
# Store generated files in a zip file in the workflow itself. This way outputs between two workflow runs can be compared,
# if necessary.
#
# See: https://github.com/marketplace/actions/upload-a-build-artifact
#
# NOTES:
# * Artifacts are retained only up to 90 days at the moment. See: https://github.com/orgs/community/discussions/107115
# * We keep the default compression level as in our tests increasing it to 9 (max) resulted in a zip that's only
# about 10 KB smaller (5.88 MB to 5.87 MB).
#
- name: Attach generated files to workflow run
uses: actions/upload-artifact@v4
with:
name: 'published-output__#${{ github.run_number }}__${{ steps.file-branch-name.outputs.branch }}'
path: ${{ env.PUBLISH_DIR }}
if-no-files-found: error
# NOTE: We attach the diffable files as separate(!) artifact which makes it easier to compare results (as the extracted
# folder can be compared directly).
- name: Attach generated files (diffable) to workflow run
uses: actions/upload-artifact@v4
with:
name: 'diffable-output__#${{ github.run_number }}__${{ steps.file-branch-name.outputs.branch }}'
path: ${{ env.DIFF_PUBLISH_DIR }}
if-no-files-found: error
###########################################################################
#
# Deploy Steps
#
###########################################################################
# See: https://github.com/marketplace/actions/ftp-deploy
- name: Deploy site
uses: SamKirkland/[email protected]
env:
HAS_ACCESS_TO_SECRETS: ${{ secrets.ftp_username }}
# Only run this step if the workflow has access to the repository's secret. Only pull requests
# from within the repository itself have access. Pull requests from forks don't have access.
# See below.
if: ${{ env.HAS_ACCESS_TO_SECRETS }}
with:
# See: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions
# IMPORTANT: Secrets are NOT available for pull requests from forked repositories!!!
# Meaning: We don't need to fear that a malicious pull request will overwrite our web site.
# See: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
server: ${{ secrets.ftp_server }}
username: ${{ secrets.ftp_username }}
password: ${{ secrets.ftp_password }}
# Use an encrypted FTP connection.
protocol: ftps
#log-level: verbose
# NOTE: This action actually compares file hashes to determine if a file needs to be uploaded.
local-dir: '${{ env.PUBLISH_DIR }}'
server-dir: ./www_${{ env.DEPLOY_STAGE }}/
state-name: ../sync-state-${{ env.DEPLOY_STAGE }}.json
# NOTE: By default, "exclude" contains "node_modules". We have to remove this exclude rule because
# we use this to ship fontawesome.
# For default, see: https://github.com/marketplace/actions/ftp-deploy#exclude-files
# NOTE: Unfortunately, you don't seem to be able to clear the exclude options because it then will simply
# use the default value again. So we keep some common sense value (even though we don't actually need to
# exclude anything).
exclude: |
**/.git*
**/.git*/**