ci(preview): stabilize image push and readiness diagnostics (#2084)

* ci(preview): rewrite image config before registry push

Point the trusted preview deploy config at the loaded CI image before Wrangler validates the worker config for the Cloudflare registry push. This keeps the existing trusted deploy boundary intact while fixing the post-2062 image-push ordering regression.

* ci(preview): require trusted readiness diagnostics

* ci(preview): use nonce for diagnostics events

* ci(preview): retain diagnostics timing anchors
ghost
2026-06-01 01:51:29 -07:00
committed by GitHub
parent 3311759ec2
commit 1af880aa2a
4 changed files with 211 additions and 12 deletions


@@ -203,8 +203,15 @@ jobs:
cp trusted/workers/preview/wrangler.toml "$preview_dir/wrangler.toml"
cp -R trusted/workers/preview/src "$preview_dir/src"
diagnostics_nonce="$(openssl rand -hex 32)"
sed -i "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$preview_dir/wrangler.toml"
sed -i "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$preview_dir/src/index.ts"
sed -i "s/\${PREVIEW_DIAGNOSTICS_NONCE}/${diagnostics_nonce}/g" "$preview_dir/src/index.ts"
if grep -F "\${PREVIEW_DIAGNOSTICS_NONCE}" "$preview_dir/src/index.ts" >/dev/null; then
echo "Preview diagnostics nonce placeholder was not replaced" >&2
exit 1
fi
cd "$preview_dir"
npm ci --ignore-scripts --no-audit --no-fund
@@ -236,10 +243,31 @@ jobs:
set -euo pipefail
cd "$RUNNER_TEMP/sure-preview-worker"
config_path="$RUNNER_TEMP/sure-preview-worker/wrangler.toml"
image_tag="sure-preview-pr-${PR_NUMBER}:${HEAD_SHA}"
push_log="$RUNNER_TEMP/wrangler-containers-push.log"
clean_log="$RUNNER_TEMP/wrangler-containers-push.clean.log"
# wrangler containers push validates wrangler.toml, so point the trusted
# config at the loaded CI image before replacing it with the registry ref.
LOCAL_IMAGE_TAG="$image_tag" node - "$config_path" <<'NODE'
const fs = require('node:fs');
const configPath = process.argv[2];
const imageTag = process.env.LOCAL_IMAGE_TAG;
if (!/^sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}$/.test(imageTag || '')) {
throw new Error('Expected local preview image tag for wrangler containers push');
}
const original = fs.readFileSync(configPath, 'utf8');
const updated = original.replace(/image = "[^"]+"/, `image = ${JSON.stringify(imageTag)}`);
if (updated === original) {
throw new Error('Expected wrangler.toml to contain an image entry to rewrite before push');
}
fs.writeFileSync(configPath, updated);
NODE
./node_modules/.bin/wrangler containers push "$image_tag" 2>&1 | tee "$push_log"
perl -pe 's/\e\[[0-9;]*[A-Za-z]//g' "$push_log" > "$clean_log"
image_ref=$(grep -Eo 'registry\.cloudflare\.com/[^[:space:]]+' "$clean_log" | tail -n 1 | tr -d '\r')
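Review bot: The rewrite at `original.replace(/image = "[^"]+"/, …)` is unanchored, so it rewrites the first `image = "…"` match wherever it sits in wrangler.toml — a commented-out line, a key such as `base_image = "…"`, or the wrong table if the file ever holds more than one `[[containers]]` entry — while a later real `image` entry stays pointed at the old value and the script still reports success. Anchor it to a whole line and require exactly one match: `const matches = original.match(/^image = "[^"]+"$/gm); if (!matches || matches.length !== 1) throw new Error('Expected exactly one image entry in wrangler.toml to rewrite before push');` before the replace, using the same `/^image = "[^"]+"$/m` pattern there. The `image_ref` taken from the push log is a `grep -Eo` of every non-whitespace character after `registry.cloudflare.com/`, so it can pick up trailing punctuation or an unrelated URL printed by wrangler; if the step does not already do so below this hunk, validate it against the expected `sure-preview-pr-${PR_NUMBER}:${HEAD_SHA}` suffix before it replaces the image entry in the trusted config. The run step continues past the end of the hunk.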
@@ -331,7 +359,7 @@ jobs:
diagnostics_file="$RUNNER_TEMP/preview-diagnostics.json"
last_error=""
for attempt in $(seq 1 20); do
for attempt in $(seq 1 40); do
if curl -fsS --connect-timeout 5 --max-time 15 "$PREVIEW_URL/_container_status" -o "$diagnostics_file"; then
if jq -e '.previewReady == true or .previewFailed == true' "$diagnostics_file" >/dev/null; then
break
@@ -357,8 +385,20 @@ jobs:
exit 1
fi
if ! jq -e '.previewReady == true' "$diagnostics_file" >/dev/null; then
echo "Preview diagnostics from _container_status did not reach previewReady=true:" >&2
jq -c . "$diagnostics_file" >&2
exit 1
fi
if ! jq -e '.timings.previewReadyAt != null and .timings.secondsToPreviewReady != null' "$diagnostics_file" >/dev/null; then
echo "Preview diagnostics are missing readiness timing fields:" >&2
jq -c . "$diagnostics_file" >&2
exit 1
fi
- name: Upload preview diagnostics
if: success()
if: always() && steps.deploy.outputs.preview_url != ''
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: preview-diagnostics-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }}