[#1272] Actions: move deployment to Surge to a secure workflow

.github/workflows/integration.yml

@@ -6,34 +6,36 @@ on:
   push:
     branches-ignore:
       - gh-pages
+  pull_request:
+    branches-ignore:
+      - gh-pages
   pull_request_target:
     branches-ignore:
       - gh-pages
 
-env:
-  ACTION_PULL_REQUEST_NUMBER: ${{ github.event.number }}
-
 jobs:
   ubuntu-1604:
     name: Ubuntu 16.04 JDK 8
     runs-on: ubuntu-16.04
+    if: ${{ github.event_name != 'pull_request_target' }}
     env:
       NODE_VERSION: "lts/*"
 
     steps:
-    - name: Checkout repository (pull request)
+    - name: Checkout repository
       uses: actions/checkout@v2
-      if: ${{ github.event_name == 'pull_request_target' }}
       with:
         fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.ref }}
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
 
-    - name: Checkout repository (push)
-      uses: actions/checkout@v2
-      if: ${{ github.event_name == 'push' }}
-      with:
-        fetch-depth: 0
+    - name: Update PR checklist for surge.sh as queued (pull request)
+      if: ${{ github.event_name == 'pull_request' }}
+      env:
+        ACTIONS_PULL_REQUEST_HEAD: ${{ github.event.pull_request.head.sha }}
+        ACTIONS_PULL_REQUEST_NUMBER: ${{ github.event.number }}
+        GITHUB_TOKEN: ${{ github.token }}
+      run: |
+        mkdir -p ./pr
+        ./config/gh-actions/deploy.sh queued
 
     - name: Set up JDK 1.8
       uses: actions/setup-java@v1
@@ -84,38 +86,47 @@ jobs:
       if: ${{ success() }}
       run: bash <(curl -s https://codecov.io/bash)
 
-    - name: Deploy to surge.sh
-      if: ${{ success() && github.event_name == 'pull_request_target' }}
-      env:
-        SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
-        SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
-        ACTIONS_PULL_REQUEST_HEAD: ${{ github.event.pull_request.head.sha }}
-        GITHUB_TOKEN: ${{ github.token }}
+    - name: Build preview website (pull request)
+      if: ${{ success() && github.event_name == 'pull_request' }}
       run: |
         git fetch --all && git config --global user.email "-" && git config --global user.name "-" && ./gradlew run -Dargs="--since d1"
-        npm install -g surge
         npm install -g markbind-cli
         (cd docs && markbind build)
-        ./config/gh-actions/deploy-surge.sh
+
+    - name: Save PR number and HEAD commit (pull request)
+      if: ${{ success() && github.event_name == 'pull_request' }}
+      run: |
+        echo ${{ github.event.number }} > ./pr/NUMBER
+        echo ${{ github.event.pull_request.head.sha }} > ./pr/SHA
+
+    - name: Upload artifacts (pull request)
+      if: ${{ success() && github.event_name == 'pull_request' }}
+      uses: actions/upload-artifact@v2
+      with:
+        name: reposense-deployment
+        path: |
+          ./reposense-report
+          ./docs/_site
+          ./pr
+
+    - name: Update PR checklist for surge.sh as failure (pull request)
+      if: ${{ failure() && github.event_name == 'pull_request' }}
+      env:
+        ACTIONS_PULL_REQUEST_HEAD: ${{ github.event.pull_request.head.sha }}
+        ACTIONS_PULL_REQUEST_NUMBER: ${{ github.event.number }}
+        GITHUB_TOKEN: ${{ github.token }}
+      run: ./config/gh-actions/deploy.sh failure
 
   macos-1015:
     name: macOS 10.15 JDK 8
+    if: ${{ github.event_name != 'pull_request_target' }}
     runs-on: macos-10.15
     env:
       HOMEBREW_NO_AUTO_UPDATE: 1 # Prevent time-consuming brew update
 
     steps:
-    - name: Checkout repository (pull request)
+    - name: Checkout repository
       uses: actions/checkout@v2
-      if: ${{ github.event_name == 'pull_request_target' }}
-      with:
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.ref }}
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
-
-    - name: Checkout repository (push)
-      uses: actions/checkout@v2
-      if: ${{ github.event_name == 'push' }}
       with:
         fetch-depth: 0
 
@@ -166,20 +177,12 @@ jobs:
 
   cypress:
     name: Cypress frontend tests
+    if: ${{ github.event_name != 'pull_request_target' }}
     runs-on: ubuntu-18.04
 
     steps:
-    - name: Checkout repository (pull request)
+    - name: Checkout repository
       uses: actions/checkout@v2
-      if: ${{ github.event_name == 'pull_request_target' }}
-      with:
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.ref }}
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
-
-    - name: Checkout repository (push)
-      uses: actions/checkout@v2
-      if: ${{ github.event_name == 'push' }}
       with:
         fetch-depth: 0
 
@@ -234,3 +237,34 @@ jobs:
 
     - name: Run frontend tests
       run: ./gradlew frontendTest -Pci
+
+  deploy:
+    name: Deployment status
+    if: ${{ github.event_name == 'pull_request_target' }}
+    runs-on: ubuntu-latest
+    env:
+      ACTIONS_PULL_REQUEST_HEAD: ${{ github.event.pull_request.head.sha }}
+      ACTIONS_PULL_REQUEST_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ github.token }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
+    - name: Update PR checklist for surge.sh as queued
+      run: |
+        mkdir -p ./pr
+        ./config/gh-actions/deploy.sh queued
+
+    - name: Upload artifacts
+      if: ${{ success() }}
+      uses: actions/upload-artifact@v2
+      with:
+        name: reposense-deployment-id
+        path: ./pr
+
+    - name: Update PR checklist for surge.sh as failure
+      if: ${{ failure() }}
+      run: ./config/gh-actions/deploy.sh failure

.github/workflows/surge.yml

@@ -0,0 +1,65 @@
+# This workflow deploys a RepoSense report and the MarkBind documentation
+# website to surge.sh in a secure manner for pull requests
+
+name: Surge.sh build preview
+
+on:
+  workflow_run:
+    workflows: ["Continuous Integration"]
+    types:
+      - completed
+
+jobs:
+  deploy:
+    name: Deploy to surge.sh
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+    env:
+      NODE_VERSION: "lts/*"
+      GITHUB_TOKEN: ${{ github.token }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v1
+      with:
+        node-version: '12.x'
+
+    - name: Download deployment artifacts
+      uses: dawidd6/action-download-artifact@v2
+      with:
+        workflow: integration.yml
+        workflow_conclusion: success
+        name: reposense-deployment
+        path: .
+
+    - name: Download deployment status artifacts
+      uses: dawidd6/action-download-artifact@v2
+      with:
+        workflow: integration.yml
+        workflow_conclusion: success
+        name: reposense-deployment-id
+        path: .
+
+    - name: Update PR checklist for surge.sh as in progress
+      if: ${{ success() }}
+      run: ./config/gh-actions/deploy.sh in_progress
+
+    - name: Install surge
+      if: ${{ success() }}
+      run: npm install -g surge
+
+    - name: Deploy to surge.sh
+      if: ${{ success() }}
+      env:
+        SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
+        SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
+      run: ./config/gh-actions/deploy.sh success
+
+    - name: Update PR checklist for surge.sh as failure
+      if: ${{ failure() }}
+      run: ./config/gh-actions/deploy.sh failure