ci(preview): stabilize Cloudflare preview deployments (#2062)

* ci(preview): stabilize Cloudflare preview deployments * ci(preview): bound diagnostics and cover artifact fallback * ci(preview): isolate artifact deploy permissions * ci(preview): tidy deployment comment rendering * ci(preview): harden preview manifest generation * ci(preview): fail on preview diagnostics failure
2026-06-04 10:19:03 +00:00 · 2026-05-31 04:30:03 -07:00
parent ca8cbaa201
commit 5f8452d63b
6 changed files with 845 additions and 138 deletions
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -38,6 +38,7 @@ jobs:
          set -euo pipefail

          image_archive="$RUNNER_TEMP/sure-preview-image.tar.gz"
+          manifest_file="$RUNNER_TEMP/sure-preview-image.manifest.json"

          docker build \
            --platform linux/amd64 \
@@ -48,7 +49,27 @@ jobs:

          docker image inspect "${IMAGE_TAG}" >/dev/null
          docker save "${IMAGE_TAG}" | gzip -1 > "$image_archive"
-          sha256sum "$image_archive" | awk '{print $1}' > "$RUNNER_TEMP/sure-preview-image.sha256"
+          archive_sha256="$(sha256sum "$image_archive" | awk '{print $1}')"
+          image_id="$(docker image inspect --format '{{.Id}}' "${IMAGE_TAG}")"
+
+          printf '%s\n' "$archive_sha256" > "$RUNNER_TEMP/sure-preview-image.sha256"
+          ARCHIVE_SHA256="$archive_sha256" IMAGE_ID="$image_id" node - "$manifest_file" <<'NODE'
+          const fs = require('node:fs');
+
+          const manifestPath = process.argv[2];
+          const manifest = {
+            artifactVersion: 1,
+            archivePath: 'sure-preview-image.tar.gz',
+            archiveSha256: process.env.ARCHIVE_SHA256,
+            headSha: process.env.HEAD_SHA,
+            imageId: process.env.IMAGE_ID,
+            imageTag: process.env.IMAGE_TAG,
+            prNumber: process.env.PR_NUMBER,
+          };
+
+          fs.writeFileSync(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
+          NODE
+          jq -e . "$manifest_file" >/dev/null

      - name: Upload preview image artifact
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
@@ -57,5 +78,6 @@ jobs:
          path: |
            ${{ runner.temp }}/sure-preview-image.tar.gz
            ${{ runner.temp }}/sure-preview-image.sha256
+            ${{ runner.temp }}/sure-preview-image.manifest.json
          if-no-files-found: error
          retention-days: 3