From b81961b0b87de0b64c5813647cf2c015be2252ea Mon Sep 17 00:00:00 2001
From: Emily <artyom@artyom.me>
Date: Sun, 10 Nov 2024 14:53:35 +0100
Subject: [PATCH] WIP: PR previews

---
 .github/workflows/docs-preview-build.yml  | 55 +++++++++++++++++++
 .github/workflows/docs-preview-deploy.yml | 67 +++++++++++++++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 .github/workflows/docs-preview-build.yml
 create mode 100644 .github/workflows/docs-preview-deploy.yml

diff --git a/.github/workflows/docs-preview-build.yml b/.github/workflows/docs-preview-build.yml
new file mode 100644
index 0000000000..cd3a6a6752
--- /dev/null
+++ b/.github/workflows/docs-preview-build.yml
@@ -0,0 +1,55 @@
+
+# This action builds and deploys the docs on each pull request created
+# Security notes:
+# The preview deployment is split in two workflows, preview_build and preview_deploy.
+# `preview_build` runs on pull_request, so it won't have any access to the repositories secrets, so it is safe to
+# build / execute untrusted code.
+# `preview_deploy` has access to the repositories secrets (so it can push to the pr preview repo) but won't run
+# any untrusted code (it will just extract the build artifact and push it to the pages branch where it will
+# automatically be deployed).
+
+# TODO: rewrite the comment and clarify
+
+# TODO: use commit hashes for actions
+
+# TODO: the publish job should run sequentially so that it does proper version switcher generation?
+
+name: Docs - preview build
+
+on:
+  - pull_request
+  
+# TODO: trailing whitespace
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      
+      - name: Install uv
+        uses: astral-sh/setup-uv@2e657c127d5b1635d5a8e3fa40e0ac50a5bf6992
+        
+      - name: Build the docs
+        # Intentionally without --strict, to have previews even if the docs are
+        # mildly broken
+        run: uv run mkdocs build  
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: rendered-docs
+          path: rendered-docs
+
+      # TODO: this should indicate forks in the name, maybe? PR numbers are
+      # unique but pr_branch is not I suppose
+      - name: Generate meta.json
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          PR_BRANCH: ${{ github.head_ref }}
+        run: |
+          echo "{\"pr_number\": \"$PR_NUMBER\", \"pr_branch\": \"$PR_BRANCH\"}" > meta.json
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: meta.json
+          path: meta.json
diff --git a/.github/workflows/docs-preview-deploy.yml b/.github/workflows/docs-preview-deploy.yml
new file mode 100644
index 0000000000..b50367101f
--- /dev/null
+++ b/.github/workflows/docs-preview-deploy.yml
@@ -0,0 +1,67 @@
+name: Docs - preview deploy
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  workflow_run:
+    workflows:
+      - "Docs - preview build"
+    types:
+      - completed
+
+# Since we use single-commit and force on the deploy action, only one deploy action can run at a time.
+concurrency:
+  group: preview_deploy
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: 'Download build artifact'
+        uses: actions/download-artifact@v4
+        with:
+          name: rendered-docs
+          path: rendered-docs
+          # TODO: what token is that?
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: 'Download build meta'
+        uses: actions/download-artifact@v4
+        with:
+          name: meta.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Parse meta.json
+        run: |
+          echo "PR_NUMBER=$(jq -r .pr_number meta.json)" >> $GITHUB_ENV
+          echo "PR_BRANCH=$(jq -r .pr_branch meta.json)" >> $GITHUB_ENV
+
+      - name: Url slug variable
+        run: |
+          echo "URL_SLUG=${{ env.PR_NUMBER }}-${{ env.PR_BRANCH }}" >> $GITHUB_ENV
+
+      # TODO: this is where we have to use mike? but for now it's fine not to have it
+      - name: Deploy
+        uses: JamesIves/github-pages-deploy-action@v4
+        with:
+          folder: rendered-docs
+          repository-name: neongreen/jj-pr-preview  # TODO: change
+          branch: 'main'
+          clean: true
+          target-folder: ${{ env.URL_SLUG }}
+          ssh-key: ${{ secrets.DEPLOY_KEY }}
+          commit-message: "Update preview for PR ${{ env.URL_SLUG }}"
+          single-commit: true
+
+      - name: Comment on the PR
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          message: |
+            Docs preview is available at https://neongreen.github.io/jj-pr-preview/${{ env.URL_SLUG }}.
+          pr_number: ${{ env.PR_NUMBER }}
+          comment_tag: 'docs-preview'