fix(ci): run workflows in target repository context

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

.github/workflows/build.yml

@@ -6,9 +6,9 @@ name: test, build
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
   pull_request:
-    branches: [main]
+    branches: [ main ]
 
 jobs:
   build:
@@ -20,9 +20,11 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
+
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
         run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
       - name: Cache yarn cache
         uses: actions/cache@v3
         id: yarn-cache
@@ -31,13 +33,17 @@ jobs:
           key: ${{ runner.os }}-${{ matrix.node }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-yarn-${{ matrix.node }}
+
       - name: Set up NodeJS
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node }}
+
       - name: Install dependencies
         run: yarn install --immutable
+
       - name: Test Project
         run: yarn test:ci
+
       - name: Build project
         run: yarn build:mock

.github/workflows/deploy-main.yml

@@ -8,6 +8,10 @@ on:
   push:
     branches: [ main ]
 
+env:
+  NETLIFY_VERSION: 12.0.11
+  NODE_VERSION: 18
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -25,17 +29,26 @@ jobs:
         id: yarn-cache
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-18-yarn-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-${{ env.NODE_VERSION }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-yarn-18
+            ${{ runner.os }}-yarn-${{ env.NODE_VERSION }}
 
       - name: Set up NodeJS
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: ${{ env.NODE_VERSION }}
 
-      - name: Patch files
-        run: bash netlify/patch-files.sh "https://hedgedoc.dev/"
+      - name: Patch intro.md to include netlify banner.
+        run: cp netlify/intro.md public/public/intro.md
+
+      - name: Patch motd.md to include privacy policy.
+        run: cp netlify/motd.md public/public/motd.md
+
+      - name: Patch version.json to include git hash
+        run: jq ".version = \"0.0.0+${GITHUB_SHA:0:8}\"" src/version.json > src/_version.json && mv src/_version.json src/version.json
+
+      - name: Patch base URL
+        run: echo "HD_EDITOR_BASE_URL=\"https://hedgedoc.dev/\"" >> .env.production
 
       - name: Install dependencies
         run: yarn install --immutable
@@ -46,7 +59,10 @@ jobs:
       - name: Remove Next.js cache to avoid it being deployed
         run: rm -r .next/cache
 
+      - name: Install netlify CLI
+        run: "npm install -g netlify-cli@${{ env.NETLIFY_VERSION }}"
+
       - name: Run netlify CLI deployment
         env:
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: bash netlify/deploy-main.sh "${{ github.event.head_commit.id }}" "${{ github.event.head_commit.message }}"
+        run: "netlify deploy --build --prod --message \"${{ github.event.head_commit.id }}: ${{ github.event.head_commit.message }}\""

.github/workflows/deploy-pr.yml

@@ -5,13 +5,30 @@
 name: deploy
 
 on:
-  pull_request:
+  pull_request_target:
+    branches: [ main ]
+    types:
+      - labeled
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+
+permissions:
+  contents: read
+  deployments: write
+
+env:
+  NETLIFY_VERSION: 12.0.11
+  NODE_VERSION: 18
 
 jobs:
   deploy:
-    if: github.event.pull_request.draft == false
+    if: github.event.pull_request.draft == false || contains( github.event.pull_request.labels.*.name, 'FORCE DEPLOY').
     runs-on: ubuntu-latest
     name: Deploys to netlify
+    env:
+      DEPLOY_URL: "https://${{ github.event.number }}--hedgedoc-ui-test.netlify.app/"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
@@ -25,17 +42,26 @@ jobs:
         id: yarn-cache
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-18-yarn-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-${{ env.NODE_VERSION }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-yarn-18
+            ${{ runner.os }}-yarn-${{ env.NODE_VERSION }}
 
       - name: Set up NodeJS
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: ${{ env.NODE_VERSION }}
 
-      - name: Patch files
-        run: bash netlify/patch-files.sh "https://${{ github.event.number }}--hedgedoc-ui-test.netlify.app/"
+      - name: Patch intro.md to include netlify banner.
+        run: cp netlify/intro.md public/public/intro.md
+
+      - name: Patch motd.md to include privacy policy.
+        run: cp netlify/motd.md public/public/motd.md
+
+      - name: Patch version.json to include git hash
+        run: jq ".version = \"0.0.0+${GITHUB_SHA:0:8}\"" src/version.json > src/_version.json && mv src/_version.json src/version.json
+
+      - name: Patch base URL
+        run: echo "HD_EDITOR_BASE_URL=\"${{ env.DEPLOY_URL }}\"" >> .env.production
 
       - name: Install dependencies
         run: yarn install --immutable
@@ -56,11 +82,13 @@ jobs:
           override: true
           ref: ${{ github.head_ref }}
 
-      - name: Run netlify CLI deployment
+      - name: Install netlify CLI
+        run: "npm install -g netlify-cli@${{ env.NETLIFY_VERSION }}"
+
+      - name: Run netlify CLI
         env:
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: bash netlify/deploy-pr.sh "${{ github.event.number }}" "${{ github.event.pull_request.title }}"
-        id: netlify-result
+        run: "netlify deploy --build --context deploy-preview --alias \"${{ github.event.number }}\" --json --message \"PR #${{ github.event.number }}\""
 
       - name: Mark GitHub deployment as finished
         if: always()
@@ -68,9 +96,8 @@ jobs:
         with:
           step: finish
           token: ${{ secrets.GITHUB_TOKEN }}
-          env_url: ${{ steps.netlify-result.outputs.url }}
+          env_url: ${{ env.DEPLOY_URL }}
           env: ${{ steps.github-deployment.outputs.env }}
-          logs: ${{ steps.netlify-result.outputs.logs }}
           status: ${{ job.status }}
           deployment_id: ${{ steps.github-deployment.outputs.deployment_id }}
           override: true

.github/workflows/e2e.yml

@@ -7,9 +7,15 @@ name: e2e
 on:
   push:
     branches: [ main ]
-  pull_request:
+  pull_request_target:
     branches: [ main ]
 
+permissions:
+  contents: read
+
+env:
+  NODE_VERSION: 18
+
 jobs:
   build-frontend:
     runs-on: ubuntu-latest
@@ -36,15 +42,15 @@ jobs:
         if: steps.build-cache.outputs.cache-hit != 'true'
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-18-yarn-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-${{ env.NODE_VERSION }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-yarn-18
+            ${{ runner.os }}-yarn-${{ env.NODE_VERSION }}
 
       - name: Set up NodeJS
         if: steps.build-cache.outputs.cache-hit != 'true'
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: ${{ env.NODE_VERSION }}
 
       - name: Install dependencies
         if: steps.build-cache.outputs.cache-hit != 'true'
@@ -93,9 +99,15 @@ jobs:
         id: yarn-cache
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-16-yarn-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-${{ env.NODE_VERSION }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-yarn-16
+            ${{ runner.os }}-yarn-${{ env.NODE_VERSION }}
+
+      - name: Set up NodeJS
+        if: steps.build-cache.outputs.cache-hit != 'true'
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
 
       - name: Install dependencies
         run: yarn install --immutable

.github/workflows/lint.yml

@@ -6,9 +6,12 @@ name: lint
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
   pull_request:
-    branches: [main]
+    branches: [ main ]
+
+env:
+  NODE_VERSION: 18
 
 jobs:
   lint:
@@ -27,14 +30,14 @@ jobs:
         id: yarn-cache
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: ${{ runner.os }}-18-yarn-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-${{ env.NODE_VERSION }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
-            ${{ runner.os }}-yarn-18
+            ${{ runner.os }}-yarn-${{ env.NODE_VERSION }}
 
       - name: Set up NodeJS
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: ${{ env.NODE_VERSION }}
 
       - name: Install dependencies
         run: yarn install --immutable

.github/workflows/reuse.yml

@@ -6,9 +6,9 @@ name: REUSE Compliance Check
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
   pull_request:
-    branches: [main]
+    branches: [ main ]
 
 jobs:
   reuse:

netlify/deploy-main.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-#
-# SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-#
-
-json=$($(dirname "$0")/netlify-cli.sh deploy --build --prod --json --message "${1:0:8}: $2")
-
-if [ $? -ne 0 ]; then
-    echo "Error while executing netlify! Will try again without json..."
-    $(dirname "$0")/netlify-cli.sh deploy --build --prod --message "${1:0:8}: $2"
-    exit 1
-fi
-
-echo "${json}"
-
-url=$(echo "${json}" | jq -r .deploy_url)
-logs=$(echo "${json}" | jq -r .logs)
-
-echo "::set-output name=url::${url}"
-echo "::set-output name=logs::${logs}"

netlify/deploy-pr.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-#
-# SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-#
-
-json=$($(dirname "$0")/netlify-cli.sh deploy --build --context deploy-preview --alias "$1" --json --message "[#$1] $2")
-
-if [ $? -ne 0 ]; then
-    echo "Error while executing netlify! Will try again without json..."
-    $(dirname "$0")/netlify-cli.sh deploy --build --context deploy-preview --alias "$1" --message "[#$1] $2"
-    exit 1
-fi
-
-echo "${json}"
-
-url=$(echo "${json}" | jq -r .deploy_url)
-logs=$(echo "${json}" | jq -r .logs)
-
-echo "::set-output name=url::${url}"
-echo "::set-output name=logs::${logs}"

netlify/netlify-cli.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-#
-# SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-#
-
-NETLIFY_VERSION=12.0.11
-exec npx --yes netlify-cli@${NETLIFY_VERSION} $@

netlify/patch-files.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-#
-# SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-#
-
-set -e
-
-echo 'Patch intro.md to include netlify banner.'
-cp netlify/intro.md public/public/intro.md
-echo 'Patch motd.md to include privacy policy.'
-cp netlify/motd.md public/public/motd.md
-echo 'Patch version.json to include git hash'
-jq ".version = \"0.0.0+${GITHUB_SHA:0:8}\"" src/version.json > src/_version.json
-mv src/_version.json src/version.json
-echo "Patch base URL"
-echo HD_EDITOR_BASE_URL="${1}" >> .env.production

renovate.json

@@ -93,13 +93,24 @@
   "regexManagers": [
     {
       "fileMatch": [
-        "netlify-cli.sh$"
+        ".github/workflows/deploy-main.yml$",
+        ".github/workflows/deploy-pr.yml$"
       ],
       "matchStrings": [
         "NETLIFY_VERSION=(?<currentValue>.*?)\\n"
       ],
       "datasourceTemplate" : "npm",
       "depNameTemplate" : "netlify-cli"
+    },
+    {
+      "fileMatch": [
+        ".github/workflows/deploy-main.yml$",
+        ".github/workflows/deploy-pr.yml$"
+      ],
+      "matchStrings": [
+        "NODE_VERSION=(?<currentValue>.*?)\\n"
+      ],
+      "datasourceTemplate" : "node"
     }
   ]
 }