name: Deploy PR Preview on: workflow_run: workflows: ["Pull Request"] types: [completed] permissions: contents: read jobs: preview-gate: if: | github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' name: Validate preview deployment gates runs-on: ubuntu-latest timeout-minutes: 10 permissions: actions: read contents: read pull-requests: read outputs: artifact_name: ${{ steps.preview.outputs.artifact_name }} head_sha: ${{ steps.preview.outputs.head_sha }} is_fork: ${{ steps.preview.outputs.is_fork }} pr_number: ${{ steps.preview.outputs.pr_number }} resolution_source: ${{ steps.preview.outputs.resolution_source }} should_deploy: ${{ steps.preview.outputs.should_deploy }} steps: - name: Checkout trusted preview resolver uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ github.event.repository.default_branch }} path: trusted-preview-resolver persist-credentials: false sparse-checkout: | workers/preview/deploy - name: Resolve preview request id: preview uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const { resolvePreviewRequest } = require('./trusted-preview-resolver/workers/preview/deploy/resolve_preview_request.cjs'); await resolvePreviewRequest({ github, context, core }); deployment_record: needs: preview-gate if: needs.preview-gate.outputs.should_deploy == 'true' name: Create GitHub Deployment runs-on: ubuntu-latest timeout-minutes: 5 permissions: contents: read deployments: write outputs: deployment_id: ${{ steps.deployment.outputs.result }} env: HEAD_SHA: ${{ needs.preview-gate.outputs.head_sha }} IS_FORK: ${{ needs.preview-gate.outputs.is_fork }} PR_NUMBER: ${{ needs.preview-gate.outputs.pr_number }} steps: - name: Create GitHub Deployment if: env.IS_FORK == 'false' id: deployment uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const prNumber = process.env.PR_NUMBER; const headSha = process.env.HEAD_SHA; const deployment = await github.rest.repos.createDeployment({ owner: context.repo.owner, repo: context.repo.repo, ref: headSha, environment: `preview-pr-${prNumber}`, auto_merge: false, required_contexts: [], description: 'PR Preview Deployment' }); return deployment.data.id; result-encoding: string deploy-preview: needs: [preview-gate, deployment_record] if: | always() && needs.preview-gate.outputs.should_deploy == 'true' && (needs.deployment_record.result == 'success' || needs.deployment_record.result == 'skipped') name: Deploy to Cloudflare Containers runs-on: ubuntu-latest timeout-minutes: 45 concurrency: group: preview-deploy-${{ needs.preview-gate.outputs.pr_number }} cancel-in-progress: true environment: preview permissions: actions: read contents: read outputs: preview_url: ${{ steps.deploy.outputs.preview_url }} env: ARTIFACT_NAME: ${{ needs.preview-gate.outputs.artifact_name }} HEAD_SHA: ${{ needs.preview-gate.outputs.head_sha }} IS_FORK: ${{ needs.preview-gate.outputs.is_fork }} PR_NUMBER: ${{ needs.preview-gate.outputs.pr_number }} RESOLUTION_SOURCE: ${{ needs.preview-gate.outputs.resolution_source }} steps: - name: Checkout trusted preview tooling uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ github.event.repository.default_branch }} path: trusted persist-credentials: false sparse-checkout: | workers/preview - name: Download preview image artifact uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 with: name: ${{ env.ARTIFACT_NAME }} run-id: ${{ github.event.workflow_run.id }} github-token: ${{ github.token }} path: ${{ runner.temp }}/preview-image - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "24" - name: Verify preview image artifact checksum run: | set -euo pipefail image_archive="$RUNNER_TEMP/preview-image/sure-preview-image.tar.gz" checksum_file="$RUNNER_TEMP/preview-image/sure-preview-image.sha256" manifest_file="$RUNNER_TEMP/preview-image/sure-preview-image.manifest.json" expected_files="$(mktemp)" actual_files="$(mktemp)" test -f "$image_archive" test -f "$checksum_file" test -f "$manifest_file" printf '%s\n' \ sure-preview-image.manifest.json \ sure-preview-image.sha256 \ sure-preview-image.tar.gz | sort > "$expected_files" find "$RUNNER_TEMP/preview-image" -maxdepth 1 -type f -printf '%f\n' | sort > "$actual_files" if ! diff -u "$expected_files" "$actual_files"; then echo "Preview image artifact contained unexpected files" >&2 exit 1 fi expected_checksum="$(tr -d '[:space:]' < "$checksum_file")" actual_checksum="$(sha256sum "$image_archive" | awk '{print $1}')" if [ "$expected_checksum" != "$actual_checksum" ]; then echo "Preview image artifact checksum mismatch" >&2 exit 1 fi node - "$manifest_file" "$expected_checksum" <<'NODE' const fs = require('node:fs'); const manifestPath = process.argv[2]; const expectedChecksum = process.argv[3]; const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8')); const expectedImageTag = `sure-preview-pr-${process.env.PR_NUMBER}:${process.env.HEAD_SHA}`; const expected = { artifactVersion: 1, archivePath: 'sure-preview-image.tar.gz', archiveSha256: expectedChecksum, headSha: process.env.HEAD_SHA, imageTag: expectedImageTag, prNumber: process.env.PR_NUMBER, }; for (const [key, value] of Object.entries(expected)) { if (manifest[key] !== value) { throw new Error(`Preview image manifest ${key} mismatch`); } } if (!/^sha256:[a-f0-9]{64}$/.test(manifest.imageId || '')) { throw new Error('Preview image manifest imageId is invalid'); } NODE - name: Prepare trusted preview deploy workspace run: | set -euo pipefail preview_dir="$RUNNER_TEMP/sure-preview-worker" rm -rf "$preview_dir" mkdir -p "$preview_dir" cp trusted/workers/preview/package.json "$preview_dir/package.json" cp trusted/workers/preview/package-lock.json "$preview_dir/package-lock.json" cp trusted/workers/preview/tsconfig.json "$preview_dir/tsconfig.json" cp trusted/workers/preview/wrangler.toml "$preview_dir/wrangler.toml" cp -R trusted/workers/preview/src "$preview_dir/src" mkdir -p "$preview_dir/deploy" cp trusted/workers/preview/deploy/redact_preview_log.sh "$preview_dir/deploy/redact_preview_log.sh" chmod 0755 "$preview_dir/deploy/redact_preview_log.sh" diagnostics_nonce="$(openssl rand -hex 32)" sed -i "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$preview_dir/wrangler.toml" sed -i "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$preview_dir/src/index.ts" sed -i "s/\${PREVIEW_DIAGNOSTICS_NONCE}/${diagnostics_nonce}/g" "$preview_dir/src/index.ts" if grep -F "\${PREVIEW_DIAGNOSTICS_NONCE}" "$preview_dir/src/index.ts" >/dev/null; then echo "Preview diagnostics nonce placeholder was not replaced" >&2 exit 1 fi cd "$preview_dir" npm ci --ignore-scripts --no-audit --no-fund - name: Load preview image artifact run: | set -euo pipefail image_archive="$RUNNER_TEMP/preview-image/sure-preview-image.tar.gz" manifest_file="$RUNNER_TEMP/preview-image/sure-preview-image.manifest.json" expected_image="sure-preview-pr-${PR_NUMBER}:${HEAD_SHA}" gzip -dc "$image_archive" | docker load docker image inspect "$expected_image" >/dev/null expected_image_id="$(node -e 'const fs = require("node:fs"); process.stdout.write(JSON.parse(fs.readFileSync(process.argv[1], "utf8")).imageId);' "$manifest_file")" actual_image_id="$(docker image inspect --format '{{.Id}}' "$expected_image")" if [ "$expected_image_id" != "$actual_image_id" ]; then echo "Loaded preview image ID did not match artifact manifest" >&2 exit 1 fi - name: Push preview image to Cloudflare registry id: image env: CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_PREVIEW_API_TOKEN || secrets.CLOUDFLARE_API_TOKEN }} run: | set -euo pipefail cd "$RUNNER_TEMP/sure-preview-worker" config_path="$RUNNER_TEMP/sure-preview-worker/wrangler.toml" image_tag="sure-preview-pr-${PR_NUMBER}:${HEAD_SHA}" temporary_image_ref="registry.cloudflare.com/${CLOUDFLARE_ACCOUNT_ID}/${image_tag}" push_log="$RUNNER_TEMP/wrangler-containers-push.log" clean_log="$RUNNER_TEMP/wrangler-containers-push.clean.log" push_status=0 # wrangler containers push validates wrangler.toml, so point the trusted # config at a registry-shaped ref while it pushes the verified local image. TEMPORARY_IMAGE_REF="$temporary_image_ref" node - "$config_path" <<'NODE' const fs = require('node:fs'); const configPath = process.argv[2]; const imageRef = process.env.TEMPORARY_IMAGE_REF; if (!/^registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}$/.test(imageRef || '')) { throw new Error('Expected registry-shaped preview image ref before wrangler containers push'); } const original = fs.readFileSync(configPath, 'utf8'); const updated = original.replace(/image = "[^"]+"/, `image = ${JSON.stringify(imageRef)}`); if (updated === original) { throw new Error('Expected wrangler.toml to contain an image entry to rewrite before push'); } fs.writeFileSync(configPath, updated); NODE set +e ./node_modules/.bin/wrangler containers push "$image_tag" 2>&1 | tee "$push_log" | ./deploy/redact_preview_log.sh push_status=${PIPESTATUS[0]} set -e perl -pe 's/\e\[[0-9;]*[A-Za-z]//g' "$push_log" > "$clean_log" if [ "$push_status" -ne 0 ]; then exit "$push_status" fi image_ref="$(node - "$clean_log" <<'NODE' const fs = require('node:fs'); const logPath = process.argv[2]; const log = fs.readFileSync(logPath, 'utf8'); const expectedSuffix = `sure-preview-pr-${process.env.PR_NUMBER}:${process.env.HEAD_SHA}`; const pattern = /registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}/g; const matches = [...log.matchAll(pattern)].map((match) => match[0]); const imageRef = matches.findLast((candidate) => candidate.endsWith(`/${expectedSuffix}`)); if (imageRef) process.stdout.write(imageRef); NODE )" if [ -z "$image_ref" ]; then echo "Could not find Cloudflare registry image reference in wrangler output" >&2 exit 1 fi echo "image_ref=${image_ref}" >> "$GITHUB_OUTPUT" - name: Configure trusted preview image reference env: IMAGE_REF: ${{ steps.image.outputs.image_ref }} run: | set -euo pipefail config_path="$RUNNER_TEMP/sure-preview-worker/wrangler.toml" # Use Node instead of sed so the replacement preserves TOML string syntax. node - "$config_path" <<'NODE' const fs = require('node:fs'); const configPath = process.argv[2]; const imageRef = process.env.IMAGE_REF; const expectedSuffix = `sure-preview-pr-${process.env.PR_NUMBER}:${process.env.HEAD_SHA}`; if (!/^registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}$/.test(imageRef || '')) { throw new Error('Expected a Cloudflare registry image reference'); } if (!imageRef.endsWith(`/${expectedSuffix}`)) { throw new Error('Cloudflare registry image reference does not match this preview artifact'); } const original = fs.readFileSync(configPath, 'utf8'); const updated = original.replace(/image = "[^"]+"/, `image = ${JSON.stringify(imageRef)}`); if (updated === original) { throw new Error('Expected wrangler.toml to contain an image entry to rewrite'); } fs.writeFileSync(configPath, updated); NODE # Print a redacted copy for logs without mutating the config used by deploy. redacted_config="$RUNNER_TEMP/wrangler-redacted.toml" "$RUNNER_TEMP/sure-preview-worker/deploy/redact_preview_log.sh" < "$config_path" > "$redacted_config" cat "$redacted_config" - name: Deploy to Cloudflare Containers id: deploy env: CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_PREVIEW_API_TOKEN || secrets.CLOUDFLARE_API_TOKEN }} CLOUDFLARE_WORKERS_SUBDOMAIN: ${{ secrets.CLOUDFLARE_WORKERS_SUBDOMAIN }} run: | set -euo pipefail cd "$RUNNER_TEMP/sure-preview-worker" deploy_log="$RUNNER_TEMP/wrangler-deploy.log" clean_deploy_log="$RUNNER_TEMP/wrangler-deploy.clean.log" deploy_once() { set +e ./node_modules/.bin/wrangler deploy --config wrangler.toml --var "PR_NUMBER:${PR_NUMBER}" 2>&1 | tee "$deploy_log" | ./deploy/redact_preview_log.sh local deploy_status=${PIPESTATUS[0]} set -e return "$deploy_status" } if ! deploy_once; then perl -pe 's/\e\[[0-9;]*[A-Za-z]//g' "$deploy_log" > "$clean_deploy_log" if grep -F "associated with a different durable object namespace" "$clean_deploy_log" >/dev/null; then echo "Detected stale Cloudflare container app state for PR ${PR_NUMBER}; deleting preview Worker and retrying once." if ! ./node_modules/.bin/wrangler delete --name "sure-preview-${PR_NUMBER}" --force; then echo "Preview Worker delete failed; continuing to the single retry so wrangler deploy reports the final error if the stale state remains." >&2 fi deploy_once else exit 1 fi fi # Get the deployment URL PREVIEW_URL="https://sure-preview-${PR_NUMBER}.${CLOUDFLARE_WORKERS_SUBDOMAIN}.workers.dev" echo "preview_url=${PREVIEW_URL}" >> "$GITHUB_OUTPUT" - name: Warm preview container env: PREVIEW_URL: ${{ steps.deploy.outputs.preview_url }} run: | echo "Triggering preview wake-up..." curl -fsS --connect-timeout 5 --max-time 15 "$PREVIEW_URL/_container_status" >/dev/null || true - name: Collect preview diagnostics if: success() env: PREVIEW_URL: ${{ steps.deploy.outputs.preview_url }} run: | set -euo pipefail diagnostics_file="$RUNNER_TEMP/preview-diagnostics.json" last_error="" for attempt in $(seq 1 40); do if curl -fsS --connect-timeout 5 --max-time 15 "$PREVIEW_URL/_container_status" -o "$diagnostics_file"; then if jq -e '.previewReady == true or .previewFailed == true' "$diagnostics_file" >/dev/null; then break fi else last_error="curl failed on attempt ${attempt}" fi sleep 3 done if [ ! -s "$diagnostics_file" ]; then jq -n --arg error "${last_error:-preview diagnostics unavailable}" \ --arg url "$PREVIEW_URL" \ '{previewReady: false, previewFailed: false, error: $error, previewUrl: $url}' > "$diagnostics_file" fi jq -c . "$diagnostics_file" if jq -e '.previewFailed == true' "$diagnostics_file" >/dev/null; then echo "Preview diagnostics from _container_status reported previewFailed=true:" >&2 jq -c . "$diagnostics_file" >&2 exit 1 fi if ! jq -e '.previewReady == true' "$diagnostics_file" >/dev/null; then echo "Preview diagnostics from _container_status did not reach previewReady=true:" >&2 jq -c . "$diagnostics_file" >&2 exit 1 fi if ! jq -e '.timings.previewReadyAt != null and .timings.secondsToPreviewReady != null' "$diagnostics_file" >/dev/null; then echo "Preview diagnostics are missing readiness timing fields:" >&2 jq -c . "$diagnostics_file" >&2 exit 1 fi - name: Upload preview diagnostics if: always() && steps.deploy.outputs.preview_url != '' uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: preview-diagnostics-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }} path: ${{ runner.temp }}/preview-diagnostics.json if-no-files-found: error retention-days: 3 - name: Collect preview failure diagnostics if: failure() run: | set -euo pipefail diagnostics_dir="$RUNNER_TEMP/preview-failure-diagnostics" manifest_file="$RUNNER_TEMP/preview-image/sure-preview-image.manifest.json" redaction_helper="$RUNNER_TEMP/sure-preview-worker/deploy/redact_preview_log.sh" mkdir -p "$diagnostics_dir" jq -n \ --arg artifactName "$ARTIFACT_NAME" \ --arg headSha "$HEAD_SHA" \ --arg isFork "$IS_FORK" \ --arg prNumber "$PR_NUMBER" \ --arg resolutionSource "$RESOLUTION_SOURCE" \ '{ artifactName: $artifactName, headSha: $headSha, isFork: $isFork, prNumber: $prNumber, resolutionSource: $resolutionSource }' > "$diagnostics_dir/preview-request.json" sanitize_copy() { local source="$1" local destination="$2" if [ -f "$source" ]; then if [ -x "$redaction_helper" ]; then "$redaction_helper" < "$source" > "$destination" else cp "$source" "$destination" fi fi } if [ -f "$manifest_file" ]; then jq '{ artifactVersion, archivePath, archiveSha256, headSha, imageId, imageTag, prNumber }' "$manifest_file" > "$diagnostics_dir/preview-image-manifest.json" fi sanitize_copy "$RUNNER_TEMP/sure-preview-worker/wrangler.toml" "$diagnostics_dir/wrangler.toml" sanitize_copy "$RUNNER_TEMP/wrangler-containers-push.clean.log" "$diagnostics_dir/wrangler-containers-push.log" if [ -f "$RUNNER_TEMP/wrangler-deploy.clean.log" ]; then sanitize_copy "$RUNNER_TEMP/wrangler-deploy.clean.log" "$diagnostics_dir/wrangler-deploy.log" else sanitize_copy "$RUNNER_TEMP/wrangler-deploy.log" "$diagnostics_dir/wrangler-deploy.log" fi find "$diagnostics_dir" -maxdepth 1 -type f -print - name: Upload preview failure diagnostics if: failure() uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: preview-failure-diagnostics-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }} path: ${{ runner.temp }}/preview-failure-diagnostics if-no-files-found: error retention-days: 3 - name: Prepare cleanup metadata if: success() run: | set -euo pipefail metadata_dir="$RUNNER_TEMP/preview-cleanup-metadata" mkdir -p "$metadata_dir" "$RUNNER_TEMP/sure-preview-worker/deploy/redact_preview_log.sh" \ < "$RUNNER_TEMP/sure-preview-worker/wrangler.toml" \ > "$metadata_dir/wrangler.toml" - name: Store cleanup metadata if: success() uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: preview-cleanup-pr-${{ env.PR_NUMBER }} path: ${{ runner.temp }}/preview-cleanup-metadata/wrangler.toml retention-days: 2 deployment_status: needs: [preview-gate, deployment_record, deploy-preview] if: | always() && needs.preview-gate.outputs.should_deploy == 'true' && needs.preview-gate.outputs.is_fork == 'false' && needs.deployment_record.result == 'success' name: Update GitHub Deployment Status runs-on: ubuntu-latest timeout-minutes: 5 permissions: contents: read deployments: write env: DEPLOYMENT_ID: ${{ needs.deployment_record.outputs.deployment_id }} DEPLOY_RESULT: ${{ needs.deploy-preview.result }} PREVIEW_URL: ${{ needs.deploy-preview.outputs.preview_url }} steps: - name: Update Deployment Status uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const state = process.env.DEPLOY_RESULT === 'success' ? 'success' : 'failure'; const previewUrl = process.env.PREVIEW_URL || undefined; await github.rest.repos.createDeploymentStatus({ owner: context.repo.owner, repo: context.repo.repo, deployment_id: Number(process.env.DEPLOYMENT_ID), state: state, environment_url: state === 'success' ? previewUrl : undefined, description: state === 'success' ? 'Preview deployed successfully' : 'Preview deployment failed' }); preview_comment: needs: [preview-gate, deploy-preview] if: needs.deploy-preview.result == 'success' name: Comment on PR runs-on: ubuntu-latest timeout-minutes: 5 permissions: contents: read pull-requests: write env: HEAD_SHA: ${{ needs.preview-gate.outputs.head_sha }} PR_NUMBER: ${{ needs.preview-gate.outputs.pr_number }} PREVIEW_URL: ${{ needs.deploy-preview.outputs.preview_url }} steps: - name: Comment on PR uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const previewUrl = process.env.PREVIEW_URL; const issueNumber = Number(process.env.PR_NUMBER); const headSha = process.env.HEAD_SHA; const commentBody = [ '## 🚀 Preview Deployment Ready', '', "Your preview environment has been deployed to Cloudflare Containers with the PR's Docker image.", '', `**Preview URL:** ${previewUrl}`, '', '> ⏰ This preview is intended to be cleaned up after **24 hours** of the last deployment once the cleanup workflow is live on the default branch.', '> 💤 The container will sleep after 30 minutes of inactivity and wake on the next request.', '', '---', `Deployed from commit ${headSha}`, ].join('\n'); // Find existing comment const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber }); const botComment = comments.find(comment => comment.user.type === 'Bot' && comment.body.includes('Preview Deployment Ready') ); if (botComment) { await github.rest.issues.updateComment({ owner: context.repo.owner, repo: context.repo.repo, comment_id: botComment.id, body: commentBody }); } else { await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, body: commentBody }); }