From 03c35a49442e184ab62f164814134932b60a4124 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Thu, 11 Jun 2026 12:06:01 -0600 Subject: [PATCH 1/8] Using org secret to enable writing to ghcr in PRs --- .github/workflows/pr-deploy-container-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-deploy-container-image.yml b/.github/workflows/pr-deploy-container-image.yml index 9e14e7d2cd..4118c4c7e6 100644 --- a/.github/workflows/pr-deploy-container-image.yml +++ b/.github/workflows/pr-deploy-container-image.yml @@ -27,7 +27,7 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} - name: Extract metadata (tags, labels) id: meta @@ -42,6 +42,7 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + github-token: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} - name: Add comment if: github.event_name == 'pull_request' From ea0257ff173d01b0a622eeb5b3c061c79415ce1a Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Thu, 11 Jun 2026 13:10:42 -0600 Subject: [PATCH 2/8] Setting the ghcr user --- .github/workflows/pr-deploy-container-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-deploy-container-image.yml b/.github/workflows/pr-deploy-container-image.yml index 4118c4c7e6..ca3d7d84f6 100644 --- a/.github/workflows/pr-deploy-container-image.yml +++ b/.github/workflows/pr-deploy-container-image.yml @@ -26,7 +26,7 @@ jobs: uses: docker/login-action@v3 with: registry: ghcr.io - username: ${{ github.actor }} + username: opencastproject password: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} - name: Extract metadata (tags, labels) From c8ff253e5d4bafc50d532eb9c1ce4a9d0f30bd53 Mon Sep 17 00:00:00 2001 
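Review bot: `SUBMODULE_PR_DOCKER_WRITE` is a long-lived organisation secret that does not expire with the run the way `GITHUB_TOKEN` does, and judging by the `push` and `pull_request` triggers that PATCH 3/8 removes, this workflow hands it to a job that builds contributor-controlled content. Runs started by `pull_request` from a fork receive no secrets, so the login there gets an empty password and fails instead of gaining write access. In the second hunk the same secret is passed as `github-token` to `docker/build-push-action`; that input authenticates the fetch of a Git build context, while the registry push relies on the login step, so the line can be dropped. If the secret stays, a comment above `password:` should name its scope, e.g. `# org secret, packages:write only; not available to fork PRs`.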
From: Greg Logan
Date: Thu, 11 Jun 2026 15:37:16 -0600
Subject: [PATCH 3/8] Breaking this into two
---
.../workflows/pr-build-container-image.yml | 35 +++++++++++++++++
.../workflows/pr-deploy-container-image.yml | 39 ++++++++-----------
2 files changed, 52 insertions(+), 22 deletions(-)
create mode 100644 .github/workflows/pr-build-container-image.yml
diff --git a/.github/workflows/pr-build-container-image.yml b/.github/workflows/pr-build-container-image.yml
new file mode 100644
index 0000000000..9c1070d8f9
--- /dev/null
+++ b/.github/workflows/pr-build-container-image.yml
@@ -0,0 +1,35 @@
+name: PRs » Build container image
+
+on:
+ push:
+ branches-ignore:
+ - 'dependabot/**'
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+jobs:
+ container-image-build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Extract metadata (tags, labels)
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/${{ github.repository }}
+
+ - name: Build and push images
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false # This is handled in another workflow!
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ outputs: type=docker,dest=${{ runner.temp }}/build.tar
+
+ - name: Upload docker image to GHA
+ uses: actions/upload-artifact@v4
+ with:
+ name: build
+ path: ${{ runner.temp }}/build.tar
diff --git a/.github/workflows/pr-deploy-container-image.yml b/.github/workflows/pr-deploy-container-image.yml
index ca3d7d84f6..d8cdb016fb 100644
--- a/.github/workflows/pr-deploy-container-image.yml
+++ b/.github/workflows/pr-deploy-container-image.yml
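Review bot: The new workflow has no `permissions:` block, so the job that builds pull-request code runs with the repository's default token permissions; since pushing is left to the other workflow, a top-level `permissions:` with `contents: read` is enough. The tarball uploaded as artifact `build` is the only thing that crosses into the privileged workflow, which deserves a comment above the upload step, e.g. `# untrusted build output, consumed by "PRs » Push container image" as data only`. The step is still named `Build and push images` although it sets `push: false`; `Build image` would match what it does. With both `push` and `pull_request` triggers, a same-repository branch with an open PR builds twice, and each completion starts the push workflow.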
@@ -1,33 +1,25 @@ -name: PRs » Publish container image +name: PRs » Push container image on: - push: - branches-ignore: - - 'dependabot/**' - pull_request: + workflow_run: + workflows: ["PRs » Build container image"] types: - - opened - - synchronize + - completed jobs: - container-image: + container-image-deploy: runs-on: ubuntu-latest permissions: contents: read packages: write pull-requests: write steps: - - uses: actions/checkout@v5 - - - name: Prepare commit hash - run: git rev-parse HEAD > commit - - name: Log in to the container registry uses: docker/login-action@v3 with: registry: ghcr.io - username: opencastproject - password: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) id: meta @@ -35,14 +27,17 @@ jobs: with: images: ghcr.io/${{ github.repository }} - - name: Build and push images - uses: docker/build-push-action@v6 + - name: Download docker image from GHA + uses: actions/download-artifact@v4 with: - context: . - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - github-token: ${{ secrets.SUBMODULE_PR_DOCKER_WRITE }} + name: build + path: ${{ runner.temp }} + run-id: ${{ github.event.workflow_run.id }} + + - name: Load image + run: | + docker load --input ${{ runner.temp }}/build.tar + docker push ghcr.io/${{ github.repository }} - name: Add comment if: github.event_name == 'pull_request' From adccabe694c07716c792d42a3c198ba4e992f54d Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 10:35:43 -0600 Subject: [PATCH 4/8] This is required to be able to write the docker image to the tarball --- .github/workflows/pr-build-container-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pr-build-container-image.yml b/.github/workflows/pr-build-container-image.yml index 9c1070d8f9..7413f5d85a 100644 --- a/.github/workflows/pr-build-container-image.yml 
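Review bot: `types: completed` also fires when the build failed or was cancelled, and nothing in `container-image-deploy` checks the result, so the job needs `if: github.event.workflow_run.conclusion == 'success'`; the `deploy-pr` job in pr-deploy-test-branch.yml (PATCH 6/8) has the same gap. The explicit `permissions:` map sets every unlisted scope to none, and reading an artifact from another run needs `actions: read`, which is missing. Under this trigger `github.event_name` is `workflow_run`, so the `Add comment` step guarded by `github.event_name == 'pull_request'` (visible at the end of the second hunk) will no longer run. The job body continues past this hunk.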
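Review bot: This job holds `packages: write` and pushes an image archive produced by the unprivileged build of pull-request code, so the tags stored inside `build.tar` decide what is published; the reference to push should be computed in this workflow and applied after `docker load`, not taken from the artifact. `docker push ghcr.io/${{ github.repository }}` without a tag targets only `latest`, which fails if the archive carries no such tag and overwrites `latest` if it does. `actions/download-artifact@v4` needs `github-token: ${{ github.token }}` alongside `run-id` to read from another run; the `Fetch build from GHA` step in pr-deploy-test-branch.yml is missing it as well. The outputs of the `meta` step are no longer used by any step visible here.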
+++ b/.github/workflows/pr-build-container-image.yml @@ -19,6 +19,9 @@ jobs: with: images: ghcr.io/${{ github.repository }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and push images uses: docker/build-push-action@v6 with: From 02fc2f8d1a693b8d314d89ba3448753c1545c050 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 10:35:54 -0600 Subject: [PATCH 5/8] Removing the custom context since this breaks things --- .github/workflows/pr-build-container-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr-build-container-image.yml b/.github/workflows/pr-build-container-image.yml index 7413f5d85a..f9ec8a1d81 100644 --- a/.github/workflows/pr-build-container-image.yml +++ b/.github/workflows/pr-build-container-image.yml @@ -25,7 +25,6 @@ jobs: - name: Build and push images uses: docker/build-push-action@v6 with: - context: . push: false # This is handled in another workflow! tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 6862476f6c1393c20558e3844dd4f2323a0fb26e Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 16:21:16 -0600 Subject: [PATCH 6/8] Aping the docker image approach, breaking the test branch deployment into two components as well. --- .github/workflows/pr-build-test-branch.yml | 95 +++++++++++++++++++++ .github/workflows/pr-deploy-test-branch.yml | 88 +++---------------- 2 files changed, 106 insertions(+), 77 deletions(-) create mode 100644 .github/workflows/pr-build-test-branch.yml diff --git a/.github/workflows/pr-build-test-branch.yml b/.github/workflows/pr-build-test-branch.yml new file mode 100644 index 0000000000..9934e29777 --- /dev/null +++ b/.github/workflows/pr-build-test-branch.yml 
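Review bot: `docker/setup-buildx-action@v3` is referenced by a mutable tag, like the other actions in this file, so a retagged release changes what runs here without any diff in this repository; pinning to a full commit SHA with the version in a trailing comment (`uses: docker/setup-buildx-action@<full-commit-sha> # v3`) avoids that. The reason for the step exists only in the commit message; a comment such as `# Buildx is required for outputs: type=docker,dest=…` above it would keep that next to the code.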
@@ -0,0 +1,95 @@
+name: PRs » Build Pull Request Page
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+concurrency:
+ group: pull-request-page
+ cancel-in-progress: false
+
+jobs:
+ detect-repo-owner:
+ if: github.repository_owner == 'opencast'
+ runs-on: ubuntu-latest
+ outputs:
+ server: ${{ steps.test-server.outputs.server }}
+ branch: ${{ steps.branch-name.outputs.branch }}
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v5
+
+ - name: Determine the correct test server
+ id: test-server
+ run: echo "server=https://`./.github/get-release-server.sh ${{ github.ref_name }}`" >> $GITHUB_OUTPUT
+
+ - name: Determine branch name
+ id: branch-name
+ run: |
+ #Temp becomes something like r/17.x
+ export TEMP=${{ github.ref_name }}
+ #Strip the r/ prefix, giving us just 17.x. If this is main/develop this does nothing
+ echo "branch=${TEMP#r\/}" >> $GITHUB_OUTPUT
+
+ build-pr:
+ runs-on: ubuntu-latest
+ needs: detect-repo-owner
+ steps:
+ - name: Generate build path
+ run: echo "build=${{github.event.number}}/$(date +%Y-%m-%d_%H-%M-%S)/" >> $GITHUB_OUTPUT
+ id: build-path
+
+ - name: Checkout sources
+ uses: actions/checkout@v5
+
+ - name: Get Node.js
+ uses: actions/setup-node@v5
+ with:
+ node-version: 20
+
+ - name: Run npm ci
+ run: npm ci
+
+ - name: Build the app
+ run: |
+ npm run build
+ mkdir -p admin-interface-test/${{ steps.build-path.outputs.build }}
+ mv build/* admin-interface-test/${{ steps.build-path.outputs.build }}/
+ tar cf ${{ runner.temp }}/build.tar admin-interface-test
+ env:
+ VITE_TEST_SERVER_URL: ${{needs.detect-repo-owner.outputs.server}}
+ NODE_ENV: development
+ VITE_TEST_SERVER_AUTH: "admin:opencast"
+
+ - name: Upload build to GHA
+ uses: actions/upload-artifact@v4
+ with:
+ name: build
+ path: ${{ runner.temp }}/build.tar
+
+
+ check-no-modified-translations:
+ name: Translations only via Crowdin
+ if: github.repository_owner == 'opencast'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Sources
+ uses: actions/checkout@v4
+
+ - name: Get changed locale files
+ uses: dorny/paths-filter@v3
+ id: filter_locales
+ with:
+ filters: | # !(pattern) matches anything but pattern
+ locales:
+ - 'src/i18n/org/opencastproject/adminui/languages/!lang-(en_US)*.json'
+
+ - name: Check for changes in translations
+ if: steps.filter_locales.outputs.locales == true
+ uses: actions/github-script@v7
+ with:
+ script: |
+ core.setFailed('You should not alter translations outside of Crowdin.')
diff --git a/.github/workflows/pr-deploy-test-branch.yml b/.github/workflows/pr-deploy-test-branch.yml
index dab4fb609c..6da7d97bde 100644
--- a/.github/workflows/pr-deploy-test-branch.yml
+++ b/.github/workflows/pr-deploy-test-branch.yml
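Review bot: `${{ github.ref_name }}` is expanded into the shell text of two `run:` steps in `detect-repo-owner` before the shell parses it; on `pull_request` that value is the `<number>/merge` ref and not contributor-chosen text, but the pattern stops being safe as soon as the trigger changes, so pass it through `env:` (`REF_NAME: ${{ github.ref_name }}`) and use `"$REF_NAME"` in the script. In `check-no-modified-translations`, step outputs are strings, so `steps.filter_locales.outputs.locales == true` compares a string with a boolean and, as far as I can tell, never matches; `== 'true'` is what the check needs. The workflow also lacks a `permissions:` block, and `VITE_TEST_SERVER_AUTH: "admin:opencast"` is compiled into a publicly served build, which is acceptable only for a throw-away demo account and should say so in a comment.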
@@ -1,65 +1,19 @@ name: PRs » Publish Pull Request Page on: - pull_request: + workflow_run: + workflows: ["PRs » Build Pull Request Page"] types: - - opened - - synchronize + - completed concurrency: group: pull-request-page cancel-in-progress: false jobs: - detect-repo-owner: - if: github.repository_owner == 'opencast' - runs-on: ubuntu-latest - outputs: - server: ${{ steps.test-server.outputs.server }} - branch: ${{ steps.branch-name.outputs.branch }} - steps: - - name: Checkout sources - uses: actions/checkout@v5 - - - name: Determine the correct test server - id: test-server - run: echo "server=https://`./.github/get-release-server.sh ${{ github.ref_name }}`" >> $GITHUB_OUTPUT - - - name: Determine branch name - id: branch-name - run: | - #Temp becomes something like r/17.x - export TEMP=${{ github.ref_name }} - #Strip the r/ prefix, giving us just 17.x. If this is main/develop this does nothing - echo "branch=${TEMP#r\/}" >> $GITHUB_OUTPUT - deploy-pr: runs-on: ubuntu-latest - needs: detect-repo-owner steps: - - name: Generate build path - run: echo "build=${{github.event.number}}/$(date +%Y-%m-%d_%H-%M-%S)/" >> $GITHUB_OUTPUT - id: build-path - - - name: Checkout sources - uses: actions/checkout@v5 - - - name: Get Node.js - uses: actions/setup-node@v5 - with: - node-version: 20 - - - name: Run npm ci - run: npm ci - - - name: Build the app - run: | - npm run build - env: - VITE_TEST_SERVER_URL: ${{needs.detect-repo-owner.outputs.server}} - NODE_ENV: development - VITE_TEST_SERVER_AUTH: "admin:opencast" - - name: Prepare git run: | git config --global user.name "Admin Interface Deployment Bot" 
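Review bot: `deploy-pr` loses its repository gate here: the removed `needs: detect-repo-owner` carried the `github.repository_owner == 'opencast'` check and nothing replaces it, so the deployment steps now start in any repository where the build workflow completes (PATCH 7/8 later removes the same guard from the build side). Add `if: github.repository_owner == 'opencast'` to the job. The `Generate build path` step is removed as well, yet the PR comment further down still interpolates `steps.build-path.outputs.build`, which will be empty, and `github.event.number` is not set for `workflow_run` events, so the path has to be derived from `github.event.workflow_run`. The job body continues past this hunk.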
@@ -85,12 +39,16 @@ jobs: run: | git clone -b gh-pages "git@github.com:${{ github.repository_owner }}/admin-interface-test.git" admin-interface-test + - name: Fetch build from GHA + uses: actions/download-artifact@v4 + with: + name: build + path: ${{ runner.temp }}/build.tar + run-id: ${{ github.event.workflow_run.id }} + - name: Store build in the clone - env: - DEPLOY_PATH: admin-interface-test/${{ steps.build-path.outputs.build }} run: | - mkdir -p ${DEPLOY_PATH} - cp -rv build/* ${DEPLOY_PATH} + tar xf ${{ runner.temp }}/build.tar - name: Cleanup test repository working-directory: admin-interface-test @@ -132,27 +90,3 @@ jobs: ](https://test.admin-interface.opencast.org/${{ steps.build-path.outputs.build }}). It might take a few minutes for it to become available. - - check-no-modified-translations: - name: Translations only via Crowdin - if: github.repository_owner == 'opencast' - runs-on: ubuntu-latest - - steps: - - name: Checkout Sources - uses: actions/checkout@v4 - - - name: Get changed locale files - uses: dorny/paths-filter@v3 - id: filter_locales - with: - filters: | # !(pattern) matches anything but pattern - locales: - - 'src/i18n/org/opencastproject/adminui/languages/!lang-(en_US)*.json' - - - name: Check for changes in translations - if: steps.filter_locales.outputs.locales == true - uses: actions/github-script@v7 - with: - script: | - core.setFailed('You should not alter translations outside of Crowdin.') From 272bee786cdb2156ce821a790fcc4e3ea3773d95 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 16:51:15 -0600 Subject: [PATCH 7/8] LITE: Safety off --- .github/workflows/pr-build-test-branch.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pr-build-test-branch.yml b/.github/workflows/pr-build-test-branch.yml index 9934e29777..084050dd23 100644 --- a/.github/workflows/pr-build-test-branch.yml +++ b/.github/workflows/pr-build-test-branch.yml 
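Review bot: `path:` on `actions/download-artifact` names a destination directory, so the archive arrives as `build.tar/build.tar` under the runner temp directory and `tar xf ${{ runner.temp }}/build.tar` is pointed at a directory; the container workflow in PATCH 3/8 uses `path: ${{ runner.temp }}` for the same artifact name. More important, the archive comes from the unprivileged build of pull-request code and is unpacked in the working directory that already holds the `admin-interface-test` clone, so its member paths decide what is written inside that clone before the later git steps run (presumably with a deploy key, given the SSH clone URL). Unpack into a scratch directory and copy only the expected build directory into the clone, with the destination computed in this workflow. The surrounding job starts and ends outside this hunk.

```yaml
      - name: Fetch build from GHA
        uses: actions/download-artifact@v4
        with:
          name: build
          # `path` is a directory; the archive lands at <path>/build.tar
          path: ${{ runner.temp }}/artifact
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}

      - name: Store build in the clone
        run: |
          # Unpack into a scratch directory, never on top of the clone
          mkdir -p "$RUNNER_TEMP/unpacked"
          tar xf "$RUNNER_TEMP/artifact/build.tar" -C "$RUNNER_TEMP/unpacked" --no-same-owner --no-same-permissions
          # … then copy only the expected build directory into admin-interface-test/ …
```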
@@ -12,7 +12,6 @@ concurrency: jobs: detect-repo-owner: - if: github.repository_owner == 'opencast' runs-on: ubuntu-latest outputs: server: ${{ steps.test-server.outputs.server }} From 747ccfc6a52be4bd88724f1a165007e4b3b227be Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Fri, 12 Jun 2026 17:07:13 -0600 Subject: [PATCH 8/8] Correcting node version. These are GHA template instructions, not shell variables --- .github/workflows/deploy-main-branches.yml | 2 +- .github/workflows/pr-build-test-branch.yml | 2 +- .github/workflows/pr-test-build.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-main-branches.yml b/.github/workflows/deploy-main-branches.yml index a122a70d43..a5ae0d07be 100644 --- a/.github/workflows/deploy-main-branches.yml +++ b/.github/workflows/deploy-main-branches.yml @@ -57,7 +57,7 @@ jobs: - name: Get Node.js uses: actions/setup-node@v5 with: - node-version: $NODE_VERSION + node-version: ${{ env.NODE_VERSION }} - name: Run npm ci run: npm ci diff --git a/.github/workflows/pr-build-test-branch.yml b/.github/workflows/pr-build-test-branch.yml index 30e93b388f..379b66faff 100644 --- a/.github/workflows/pr-build-test-branch.yml +++ b/.github/workflows/pr-build-test-branch.yml @@ -49,7 +49,7 @@ jobs: - name: Get Node.js uses: actions/setup-node@v5 with: - node-version: $NODE_VERSION + node-version: ${{ env.NODE_VERSION }} - name: Run npm ci run: npm ci diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index 4ee04b614f..caaffaf12f 100644 --- a/.github/workflows/pr-test-build.yml +++ b/.github/workflows/pr-test-build.yml @@ -34,7 +34,7 @@ jobs: - name: Get Node.js uses: actions/setup-node@v5 with: - node-version: $NODE_VERSION + node-version: ${{ env.NODE_VERSION }} - name: Run npm ci run: npm ci