Enable specs to deploy using GitHub Actions

Part of whatwg/meta#173.
whatwg · Jun 11, 2020 · 57739f0 · 57739f0
1 parent 3374e69
commit 57739f0
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 9 deletions.
diff --git a/resources.whatwg.org/build/README.md b/resources.whatwg.org/build/README.md
@@ -12,19 +12,46 @@ The `deploy.sh` script is used by most WHATWG standards and is meant to run eith
 - Running the [Nu HTML checker](http://checker.html5.org/) on the build results
 - Deploying the build results to the WHATWG web server
 
-For non-local deploys, it is dependent on the following environment setup:
+For Travis CI deploys, it is dependent on the following environment setup:
 
 - `deploy_key.enc` must contain a SSH private key, [encrypted for Travis](https://docs.travis-ci.com/user/encrypting-files/) for the appropriate repository.
 - The environment variable `$ENCRYPTION_LABEL` must contain the encryption label produced by the Travis encryption process.
 
-Optional environment variables:
+For GitHub Actions deploys, the following environment variables are required:
 - `$SERVER` is the server to deploy to.
 - `$SERVER_PUBLIC_KEY` is the public key of the deploy server, in the format of `known_hosts`.
+- `$SERVER_DEPLOY_KEY` is the deploy key for the server, which will be passed to `ssh-add`.
+
+Optional environment variables:
 - `$EXTRA_FILES` are extra files to copy for each build. Shell wildcards are allowed, and directory structure will be preserved. Example: `EXTRA_FILES="images/*.png"`.
 - `$POST_BUILD_STEP` is an extra step to run after each build. Evaluated with the `$DIR` variable set to the build directory. Example: `POST_BUILD_STEP='python generate-stuff.py "$DIR"'`.
 
 To cause particular errors or warnings emitted by the HTML checker to be suppressed, add a file named `.htmlcheckerfilter` at the root of the repo for a particular standard, and put filter patterns into it, as documented at https://github.com/validator/validator/wiki/Message-filtering#using-the---filterfile-option.
 
+An example `.github/workflows/deploy.yml` file that uses this script would then be as follows:
+
+```yaml
+name: deploy
+on:
+  push:
+    branches:
+      - master
+jobs:
+  deploy:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+    - run: make deploy
+      env:
+        SERVER: ${{ secrets.MARQUEE_SERVER }}
+        SERVER_PUBLIC_KEY: ${{ secrets.MARQUEE_PUBLIC_KEY }}
+        SERVER_DEPLOY_KEY: ${{ secrets.MARQUEE_DEPLOY_KEY }}
+```
+
+This assumes that the `Makefile` from [spec-factory](https://github.com/whatwg/spec-factory) is used, which fetches and runs `deploy.sh`.
+
 An example `.travis.yml` file that uses this script would then be as follows:
 
 ```yaml

diff --git a/resources.whatwg.org/build/deploy.sh b/resources.whatwg.org/build/deploy.sh
@@ -14,16 +14,21 @@ COMMITS_DIR="commit-snapshots"
 REVIEW_DRAFTS_DIR="review-drafts"
 
 # Optional environment variables (won't be set for local deploys)
+GITHUB_ACTIONS=${GITHUB_ACTIONS:-false}
+GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME:-}
+GITHUB_REF=${GITHUB_REF:-}
 TRAVIS=${TRAVIS:-false}
 TRAVIS_BRANCH=${TRAVIS_BRANCH:-}
 TRAVIS_PULL_REQUEST=${TRAVIS_PULL_REQUEST:-false}
 ENCRYPTION_LABEL=${ENCRYPTION_LABEL:-}
-SERVER="165.227.248.76"
-SERVER_PUBLIC_KEY="ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDt6Igtp73aTOYXuFb8qLtgs80wWF6cNi3/AItpWAMpX3PymUw7stU7Pi+IoBJz21nfgmxaKp3gfSe2DPNt06l8="
+# TODO: Remove the default server info when everything is on GitHub Actions.
+SERVER=${SERVER:-"165.227.248.76"}
+SERVER_PUBLIC_KEY=${SERVER_PUBLIC_KEY:-"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDt6Igtp73aTOYXuFb8qLtgs80wWF6cNi3/AItpWAMpX3PymUw7stU7Pi+IoBJz21nfgmxaKp3gfSe2DPNt06l8="}
+SERVER_DEPLOY_KEY=${SERVER_DEPLOY_KEY:-}
 EXTRA_FILES=${EXTRA_FILES:-}
 POST_BUILD_STEP=${POST_BUILD_STEP:-}
 
-if [[ "$TRAVIS" != "true" ]]; then
+if [[ "$GITHUB_ACTIONS" != "true" && "$TRAVIS" != "true" ]]; then
     echo "Running a local deploy into $WEB_ROOT directory"
 fi
 
@@ -167,8 +172,8 @@ header "Overview of generated files:"
 find "$WEB_ROOT" -type f -print
 echo ""
 
-# Run the HTML checker only when building on Travis
-if [[ "$TRAVIS" == "true" ]]; then
+# Run the HTML checker only in CI
+if [[ "$GITHUB_ACTIONS" == "true" || "$TRAVIS" == "true" ]]; then
     header "Running the HTML checker..."
     curlretry --fail --remote-name --location https://github.com/validator/validator/releases/download/linux/vnu.linux.zip
     unzip -q vnu.linux.zip
@@ -180,8 +185,18 @@ if [[ "$TRAVIS" == "true" ]]; then
     echo ""
 fi
 
-# Deploy from Travis on push to master branch only
-if [[ "$TRAVIS_BRANCH" == "master" && "$TRAVIS_PULL_REQUEST" == "false" ]]; then
+# Deploy from push to master branch only
+if [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == "refs/heads/master" ]]; then
+    header "rsync to the WHATWG server..."
+    eval "$(ssh-agent -s)"
+    echo "$SERVER_DEPLOY_KEY" | ssh-add -
+    mkdir -p ~/.ssh/ && echo "$SERVER $SERVER_PUBLIC_KEY" > ~/.ssh/known_hosts
+    # No --delete as that would require extra care to not delete snapshots.
+    # --chmod=D755,F644 means read-write for user, read-only for others.
+    rsync --verbose --archive --chmod=D755,F644 --compress \
+          "$WEB_ROOT" deploy@$SERVER:/var/www/
+    echo ""
+elif [[ "$TRAVIS_BRANCH" == "master" && "$TRAVIS_PULL_REQUEST" == "false" ]]; then
     header "rsync to the WHATWG server..."
     # Get the deploy key by using Travis's stored variables to decrypt deploy_key.enc
     ENCRYPTED_KEY_VAR="encrypted_${ENCRYPTION_LABEL}_key"