DEV-3545: secure cookie flag #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Preview | |
| on: | |
| push: | |
| branches: | |
| - "develop" | |
| - "feature/**" | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| # Avoid duplicate workflows on same branch | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| upload-whl: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # This is required for actions/checkout | |
| statuses: write # This is required for "Set S3 URL as Github status" step | |
| defaults: | |
| run: | |
| shell: bash --login -eo pipefail {0} | |
| outputs: | |
| enable-setup: ${{ steps.exports.outputs.enable-setup }} | |
| preview-branch: ${{ steps.exports.outputs.preview-branch }} | |
| s3-url: ${{ steps.exports.outputs.s3-url }} | |
| steps: | |
| - name: Checkout Streamlit code | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| submodules: "recursive" | |
| fetch-depth: 2 | |
| - name: Set Python version vars | |
| uses: ./.github/actions/build_info | |
| - name: Set up Python ${{ env.PYTHON_MAX_VERSION }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "${{ env.PYTHON_MAX_VERSION }}" | |
| - name: Setup virtual env | |
| uses: ./.github/actions/make_init | |
| - name: Create Wheel File | |
| timeout-minutes: 120 | |
| run: | | |
| sudo apt install rsync | |
| BUILD_AS_FAST_AS_POSSIBLE=1 make package | |
| - name: Store Whl File | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: whl_file | |
| path: lib/dist/*.whl | |
| # Uses action to safely process user input (branch name) to prevent script injection attacks | |
| - name: Set Environment Variables | |
| uses: ./.github/actions/preview_branch | |
| with: | |
| pull_request_number: ${{ github.event.pull_request.number }} | |
| ref_type: ${{ github.ref_type }} | |
| branch: ${{ github.ref_name }} | |
| - if: ${{ env.AWS_ACCESS_KEY_ID != '' }} | |
| name: Upload wheel to S3 | |
| id: exports | |
| env: | |
| BRANCH: ${{ env.BRANCH }} | |
| PREVIEW_BRANCH: ${{ env.PREVIEW_BRANCH }} | |
| AWS_DEFAULT_REGION: us-west-2 | |
| AWS_ACCESS_KEY_ID: ${{ secrets.CORE_PREVIEWS_S3_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.CORE_PREVIEWS_S3_SECRET_KEY }} | |
| # To create a consistent location for the release/demo whl file, we need a | |
| # stagnent version number (streamlit-11.11.11) | |
| run: | | |
| sudo apt install -y awscli | |
| cd lib/dist | |
| export WHEELFILE="$(ls -t *.whl | head -n 1)" | |
| if [ "${BRANCH}" = "release/demo" ] | |
| then | |
| aws s3 cp "${WHEELFILE}" s3://core-previews/${PREVIEW_BRANCH}/streamlit-11.11.11-py2.py3-none-any.whl --acl public-read | |
| S3_URL="https://core-previews.s3-us-west-2.amazonaws.com/${PREVIEW_BRANCH}/streamlit-11.11.11-py2.py3-none-any.whl" | |
| else | |
| aws s3 cp "${WHEELFILE}" s3://core-previews/${PREVIEW_BRANCH}/ --acl public-read | |
| S3_URL="https://core-previews.s3-us-west-2.amazonaws.com/${PREVIEW_BRANCH}/${WHEELFILE}" | |
| fi | |
| echo -e "Wheel file download link: ${S3_URL}" | |
| cd ../.. | |
| # env variables don't carry over between gh action jobs | |
| echo "enable-setup=${{ env.AWS_ACCESS_KEY_ID != '' }}" >> $GITHUB_OUTPUT | |
| echo "preview-branch=$PREVIEW_BRANCH" >> $GITHUB_OUTPUT | |
| echo "s3-url=${S3_URL}" >> $GITHUB_OUTPUT | |
| - if: steps.exports.outputs.enable-setup == 'true' && success() && github.repository == 'streamlit/streamlit' && github.event_name == 'pull_request' && github.event.sender.type == 'User' | |
| name: Set S3 URL as Github Status | |
| uses: actions/github-script@v6 | |
| env: | |
| S3_URL: ${{ steps.exports.outputs.s3-url }} | |
| with: | |
| script: | | |
| const { sha } = context.payload.pull_request.head | |
| // For API documentation, see: | |
| // https://docs.github.com/en/rest/commits/statuses?apiVersion=2022-11-28#create-a-commit-status | |
| await github.request(`POST /repos/streamlit/streamlit/statuses/{sha}`, { | |
| owner: 'streamlit', | |
| repo: 'streamlit', | |
| sha, | |
| state: 'success', | |
| target_url: process.env.S3_URL, | |
| context: 'Wheel ready!' | |
| }) | |
| setup-preview: | |
| runs-on: ubuntu-latest | |
| needs: upload-whl | |
| if: needs.upload-whl.outputs.enable-setup == 'true' | |
| defaults: | |
| run: | |
| shell: bash --login -eo pipefail {0} | |
| steps: | |
| - name: Checkout Core Previews Repo | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: streamlit/core-previews | |
| # The default GITHUB_TOKEN is scoped only to the triggering streamlit/streamlit repo. | |
| # Accessing streamlit/core-previews repo requires a separate auth token. | |
| token: ${{ secrets.CORE_PREVIEWS_REPO_TOKEN }} | |
| # Save the access token to the local git config, so | |
| # later git commands can work. | |
| persist-credentials: true | |
| - name: Setup preview repo | |
| env: | |
| PREVIEW_BRANCH: ${{ needs.upload-whl.outputs.preview-branch }} | |
| S3_URL: ${{ needs.upload-whl.outputs.s3-url }} | |
| run: | | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "Streamlit Bot" | |
| git branch -D "$PREVIEW_BRANCH" &>/dev/null || true | |
| git checkout -b "$PREVIEW_BRANCH" | |
| echo "$S3_URL" >> requirements.txt | |
| git add . | |
| git commit -m "Prepare core preview: ${PREVIEW_BRANCH}" | |
| git push -f origin ${PREVIEW_BRANCH} | |
| - name: Ready to deploy! | |
| env: | |
| PREVIEW_BRANCH: ${{ needs.upload-whl.outputs.preview-branch }} | |
| run: | | |
| echo -e "https://share.streamlit.io/deploy?repository=streamlit/core-previews&branch=${PREVIEW_BRANCH}&mainModule=E2E_Tester_🧪.py" |