Skip to content

DEV-3545: secure cookie flag #4

DEV-3545: secure cookie flag

DEV-3545: secure cookie flag #4

Workflow file for this run

name: PR Preview
on:
push:
branches:
- "develop"
- "feature/**"
pull_request:
types: [opened, synchronize, reopened]
# Avoid duplicate workflows on same branch
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
upload-whl:
runs-on: ubuntu-latest
permissions:
contents: read # This is required for actions/checkout
statuses: write # This is required for "Set S3 URL as Github status" step
defaults:
run:
shell: bash --login -eo pipefail {0}
outputs:
enable-setup: ${{ steps.exports.outputs.enable-setup }}
preview-branch: ${{ steps.exports.outputs.preview-branch }}
s3-url: ${{ steps.exports.outputs.s3-url }}
steps:
- name: Checkout Streamlit code
uses: actions/checkout@v3
with:
persist-credentials: false
submodules: "recursive"
fetch-depth: 2
- name: Set Python version vars
uses: ./.github/actions/build_info
- name: Set up Python ${{ env.PYTHON_MAX_VERSION }}
uses: actions/setup-python@v4
with:
python-version: "${{ env.PYTHON_MAX_VERSION }}"
- name: Setup virtual env
uses: ./.github/actions/make_init
- name: Create Wheel File
timeout-minutes: 120
run: |
sudo apt install rsync
BUILD_AS_FAST_AS_POSSIBLE=1 make package
- name: Store Whl File
uses: actions/upload-artifact@v3
with:
name: whl_file
path: lib/dist/*.whl
# Uses action to safely process user input (branch name) to prevent script injection attacks
- name: Set Environment Variables
uses: ./.github/actions/preview_branch
with:
pull_request_number: ${{ github.event.pull_request.number }}
ref_type: ${{ github.ref_type }}
branch: ${{ github.ref_name }}
- if: ${{ env.AWS_ACCESS_KEY_ID != '' }}
name: Upload wheel to S3
id: exports
env:
BRANCH: ${{ env.BRANCH }}
PREVIEW_BRANCH: ${{ env.PREVIEW_BRANCH }}
AWS_DEFAULT_REGION: us-west-2
AWS_ACCESS_KEY_ID: ${{ secrets.CORE_PREVIEWS_S3_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.CORE_PREVIEWS_S3_SECRET_KEY }}
# To create a consistent location for the release/demo whl file, we need a
# stagnent version number (streamlit-11.11.11)
run: |
sudo apt install -y awscli
cd lib/dist
export WHEELFILE="$(ls -t *.whl | head -n 1)"
if [ "${BRANCH}" = "release/demo" ]
then
aws s3 cp "${WHEELFILE}" s3://core-previews/${PREVIEW_BRANCH}/streamlit-11.11.11-py2.py3-none-any.whl --acl public-read
S3_URL="https://core-previews.s3-us-west-2.amazonaws.com/${PREVIEW_BRANCH}/streamlit-11.11.11-py2.py3-none-any.whl"
else
aws s3 cp "${WHEELFILE}" s3://core-previews/${PREVIEW_BRANCH}/ --acl public-read
S3_URL="https://core-previews.s3-us-west-2.amazonaws.com/${PREVIEW_BRANCH}/${WHEELFILE}"
fi
echo -e "Wheel file download link: ${S3_URL}"
cd ../..
# env variables don't carry over between gh action jobs
echo "enable-setup=${{ env.AWS_ACCESS_KEY_ID != '' }}" >> $GITHUB_OUTPUT
echo "preview-branch=$PREVIEW_BRANCH" >> $GITHUB_OUTPUT
echo "s3-url=${S3_URL}" >> $GITHUB_OUTPUT
- if: steps.exports.outputs.enable-setup == 'true' && success() && github.repository == 'streamlit/streamlit' && github.event_name == 'pull_request' && github.event.sender.type == 'User'
name: Set S3 URL as Github Status
uses: actions/github-script@v6
env:
S3_URL: ${{ steps.exports.outputs.s3-url }}
with:
script: |
const { sha } = context.payload.pull_request.head
// For API documentation, see:
// https://docs.github.com/en/rest/commits/statuses?apiVersion=2022-11-28#create-a-commit-status
await github.request(`POST /repos/streamlit/streamlit/statuses/{sha}`, {
owner: 'streamlit',
repo: 'streamlit',
sha,
state: 'success',
target_url: process.env.S3_URL,
context: 'Wheel ready!'
})
setup-preview:
runs-on: ubuntu-latest
needs: upload-whl
if: needs.upload-whl.outputs.enable-setup == 'true'
defaults:
run:
shell: bash --login -eo pipefail {0}
steps:
- name: Checkout Core Previews Repo
uses: actions/checkout@v3
with:
repository: streamlit/core-previews
# The default GITHUB_TOKEN is scoped only to the triggering streamlit/streamlit repo.
# Accessing streamlit/core-previews repo requires a separate auth token.
token: ${{ secrets.CORE_PREVIEWS_REPO_TOKEN }}
# Save the access token to the local git config, so
# later git commands can work.
persist-credentials: true
- name: Setup preview repo
env:
PREVIEW_BRANCH: ${{ needs.upload-whl.outputs.preview-branch }}
S3_URL: ${{ needs.upload-whl.outputs.s3-url }}
run: |
git config --global user.email "[email protected]"
git config --global user.name "Streamlit Bot"
git branch -D "$PREVIEW_BRANCH" &>/dev/null || true
git checkout -b "$PREVIEW_BRANCH"
echo "$S3_URL" >> requirements.txt
git add .
git commit -m "Prepare core preview: ${PREVIEW_BRANCH}"
git push -f origin ${PREVIEW_BRANCH}
- name: Ready to deploy!
env:
PREVIEW_BRANCH: ${{ needs.upload-whl.outputs.preview-branch }}
run: |
echo -e "https://share.streamlit.io/deploy?repository=streamlit/core-previews&branch=${PREVIEW_BRANCH}&mainModule=E2E_Tester_🧪.py"