sure/.github/workflows/pr.yml
ghost 5f8452d63b ci(preview): stabilize Cloudflare preview deployments (#2062)
* ci(preview): stabilize Cloudflare preview deployments

* ci(preview): bound diagnostics and cover artifact fallback

* ci(preview): isolate artifact deploy permissions

* ci(preview): tidy deployment comment rendering

* ci(preview): harden preview manifest generation

* ci(preview): fail on preview diagnostics failure
2026-05-31 13:30:03 +02:00


# PR workflow: runs the shared CI and, for labelled PRs only, builds a
# Cloudflare preview image as an unprivileged artifact (no deploy here).
name: Pull Request

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - labeled
    paths-ignore:
      - 'charts/**'

# Workflow-wide default: read-only token for every job.
permissions:
  contents: read

jobs:
  ci:
    uses: ./.github/workflows/ci.yml

  preview_image:
    needs: ci
    # Only PRs carrying the 'preview-cf' label get a preview build; on a
    # 'labeled' event, only that specific label triggers it, so adding an
    # unrelated label does not re-run the build.
    if: |
      contains(github.event.pull_request.labels.*.name, 'preview-cf') &&
      (github.event.action != 'labeled' || github.event.label.name == 'preview-cf')
    name: Build Cloudflare preview image
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Explicit read-only scope for this job; it reads the tree and uploads an
    # artifact, nothing more.
    permissions:
      contents: read
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      HEAD_SHA: ${{ github.event.pull_request.head.sha }}
      # Image reference = <repo>:<tag>; tag is the PR head SHA so each push
      # yields a distinct, traceable image.
      IMAGE_TAG: 'sure-preview-pr-${{ github.event.pull_request.number }}:${{ github.event.pull_request.head.sha }}'
    steps:
      - name: Checkout PR code
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # No token left in .git: the build step below runs PR-controlled
          # content and must not be able to reuse the runner's credentials.
          persist-credentials: false

      # Builds the image with only BUILD_COMMIT_SHA as build input; no
      # repository secrets are passed into the build context.
      - name: Build preview image without secrets
        run: |
          set -euo pipefail
          work_dir="${RUNNER_TEMP}"
          archive_path="${work_dir}/sure-preview-image.tar.gz"
          digest_path="${work_dir}/sure-preview-image.sha256"
          manifest_path="${work_dir}/sure-preview-image.manifest.json"

          docker build --platform linux/amd64 \
            --build-arg "BUILD_COMMIT_SHA=${HEAD_SHA}" \
            -f Dockerfile.preview -t "${IMAGE_TAG}" .
          # Fail early if the tag did not materialise.
          docker image inspect "${IMAGE_TAG}" >/dev/null

          # Export the image plus a digest of the archive; the digest travels
          # with the artifact so whoever consumes it can check integrity
          # (presumably the deploy side — confirm against that workflow).
          docker save "${IMAGE_TAG}" | gzip -1 > "${archive_path}"
          archive_digest="$(sha256sum "${archive_path}" | cut -d ' ' -f 1)"
          image_id="$(docker image inspect --format '{{.Id}}' "${IMAGE_TAG}")"
          printf '%s\n' "${archive_digest}" > "${digest_path}"

          # Manifest is written by node rather than string-built, so the
          # JSON is always well-formed regardless of the values.
          ARCHIVE_SHA256="${archive_digest}" IMAGE_ID="${image_id}" node - "${manifest_path}" <<'NODE'
          const fs = require('node:fs');
          const outputPath = process.argv[2];
          const record = {
            artifactVersion: 1,
            archivePath: 'sure-preview-image.tar.gz',
            archiveSha256: process.env.ARCHIVE_SHA256,
            headSha: process.env.HEAD_SHA,
            imageId: process.env.IMAGE_ID,
            imageTag: process.env.IMAGE_TAG,
            prNumber: process.env.PR_NUMBER,
          };
          fs.writeFileSync(outputPath, JSON.stringify(record, null, 2) + '\n');
          NODE
          # Sanity-check the manifest parses before it is uploaded.
          jq -e . "${manifest_path}" >/dev/null

      - name: Upload preview image artifact
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          # Name is keyed by PR and head SHA so runs for different pushes do
          # not overwrite each other.
          name: preview-image-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }}
          path: |
            ${{ runner.temp }}/sure-preview-image.tar.gz
            ${{ runner.temp }}/sure-preview-image.sha256
            ${{ runner.temp }}/sure-preview-image.manifest.json
          # A missing file means the build step silently broke; fail loudly.
          if-no-files-found: error
          retention-days: 3
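Review bot: The manifest's `headSha` and the `BUILD_COMMIT_SHA` build arg are the PR head SHA, but `actions/checkout` on a `pull_request` event checks out the merge ref by default, so the tree that was actually built may not be the commit the manifest names. If the consumer of this artifact keys its verification on `headSha`, either pin the checkout with `ref: ${{ github.event.pull_request.head.sha }}` or also record the built commit (`github.sha`) in the manifest so the two can be distinguished. The artifact otherwise carries enough to be checked end to end (archive digest, image id, PR number), which is the right shape for a build job that runs without secrets.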