ci: Allow blog builds from unprivileged forks

privacyguides · Nov 16, 2024 · 7c3424f · 7c3424f
1 parent 155691f
commit 7c3424f
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 7 deletions.
diff --git a/.github/workflows/build-blog.yml b/.github/workflows/build-blog.yml
@@ -65,17 +65,33 @@ jobs:
         with:
           cache: "pipenv"
 
+      - name: Install Python (no pipenv)
+        if: ${{ !inputs.privileged }}
+        uses: actions/setup-python@v5
+
       - name: Install Python Dependencies
         if: inputs.privileged
         run: |
           pip install pipenv
           pipenv install
           sudo apt install pngquant
 
-      - name: Build Website
+      - name: Install Python Dependencies (Unprivileged)
+        if: ${{ !inputs.privileged }}
+        run: |
+          pip install mkdocs-material mkdocs-rss-plugin mkdocs-glightbox mkdocs-macros-plugin
+          sudo apt install pngquant
+
+      - name: Build Website (Privileged)
+        if: inputs.privileged
         run: |
           pipenv run mkdocs build --config-file mkdocs.blog.yml
 
+      - name: Build Website (Unprivileged)
+        if: ${{ !inputs.privileged }}
+        run: |
+          BUILD_INSIDERS=false mkdocs build --config-file mkdocs.blog.yml
+
       - name: Package Website
         run: |
           tar -czf site-build-blog.tar.gz site

diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -19,25 +19,27 @@ jobs:
     env:
       ACTIONS_SSH_KEY: ${{ secrets.ACTIONS_SSH_KEY }}
     steps:
+      - name: Save PR metadata
+        run: |
+          mkdir -p ./metadata
+          echo ${{ github.event.number }} > ./metadata/NR
+          echo ${{ github.event.pull_request.head.sha }} > ./metadata/SHA
+
       - name: Set submodules for fork
         if: env.ACTIONS_SSH_KEY == ''
         id: submodules-fork
         run: |
           echo 'submodules={"repo":["brand","i18n"]}' >> "$GITHUB_OUTPUT"
           echo "privileged=false" >> "$GITHUB_OUTPUT"
+          echo "false" > ./metadata/PRIVILEGED
 
       - name: Set submodules for main repo
         if: env.ACTIONS_SSH_KEY != ''
         id: submodules-main
         run: |
           echo 'submodules={"repo":["brand","i18n","mkdocs-material-insiders"]}' >> "$GITHUB_OUTPUT"
           echo "privileged=true" >> "$GITHUB_OUTPUT"
-
-      - name: Save PR metadata
-        run: |
-          mkdir -p ./metadata
-          echo ${{ github.event.number }} > ./metadata/NR
-          echo ${{ github.event.pull_request.head.sha }} > ./metadata/SHA
+          echo "true" > ./metadata/PRIVILEGED
 
       - name: Upload metadata as artifact
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
@@ -22,6 +22,7 @@ jobs:
     outputs:
       pr_number: ${{ steps.metadata.outputs.pr_number }}
       sha: ${{ steps.metadata.outputs.sha }}
+      privileged: ${{ steps.metadata.outputs.privileged }}
 
     steps:
       - name: Download Website Build Artifact
@@ -86,6 +87,7 @@ jobs:
           unzip metadata.zip -d metadata
           echo "pr_number=$(cat metadata/NR)" >> "$GITHUB_OUTPUT"
           echo "sha=$(cat metadata/SHA)" >> "$GITHUB_OUTPUT"
+          echo "privileged=$(cat metadata/PRIVILEGED)" >> "$GITHUB_OUTPUT"
 
   deploy_netlify:
     needs: metadata
@@ -122,6 +124,7 @@ jobs:
       address: ${{ needs.deploy_garage.outputs.address }}
     steps:
       - uses: thollander/[email protected]
+        if: ${{ needs.metadata.outputs.privileged == 'true' }}
         with:
           pr_number: ${{ needs.metadata.outputs.pr_number }}
           message: |
@@ -132,3 +135,19 @@ jobs:
             | <span aria-hidden="true">🔨</span> Latest commit | ${{ needs.metadata.outputs.sha }} |
             | <span aria-hidden="true">😎</span> Preview | ${{ env.address }} |
           comment_tag: deployment
+
+      - uses: thollander/[email protected]
+        if: ${{ needs.metadata.outputs.privileged == 'false' }}
+        with:
+          pr_number: ${{ needs.metadata.outputs.pr_number }}
+          message: |
+            ### <span aria-hidden="true">✅</span> Your preview is ready!
+
+            |  Name | Link |
+            | :---: | ---- |
+            | <span aria-hidden="true">🔨</span> Latest commit | ${{ needs.metadata.outputs.sha }} |
+            | <span aria-hidden="true">😎</span> Preview | ${{ env.address }} |
+
+            Please note that this preview was built from an untrusted source, so it was not granted access to all mkdocs-material features.
+            Maintainers should ensure this PR has been reviewed locally with a full build before merging.
+          comment_tag: deployment