Skip to content

ci: nightly builds + self-serve PR previews#419

Draft
NewtTheWolf wants to merge 6 commits into
TabularisDB:mainfrom
NewtTheWolf:ci/preview-nightly-builds
Draft

ci: nightly builds + self-serve PR previews#419
NewtTheWolf wants to merge 6 commits into
TabularisDB:mainfrom
NewtTheWolf:ci/preview-nightly-builds

Conversation

@NewtTheWolf

Copy link
Copy Markdown
Collaborator

Why

A real (even draft) GitHub Release per PR clutters the releases page and is the wrong tool for throwaway test builds. This adds a lightweight preview/nightly pipeline without changing stable release semantics, and de-duplicates the build config shared by all pipelines.

What

  • build.yml (new) — reusable workflow_call build matrix (macOS arm64+intel, Linux AppImage/deb, Windows nsis + portable exe, signing/notarization). Single source of truth so signing config can't drift between pipelines. Also fixes a dead macos-13 matrix reference (now macos-15-intel).
  • release.yml (refactored, −115/+18) — same triggers and prerelease logic, now delegates the build to build.yml. Tag push → draft release; workflow_dispatch + pr_number → forced prerelease.
  • nightly.yml (new) — daily cron (+ manual) builds main into a single rolling nightly prerelease (deleted + recreated each run). prerelease: true keeps it out of AUR/Snap/Winget.
  • preview.yml (new) — unsigned per-PR previews → Actions artifacts (no tag, no release, 14-day retention).

Preview flow

Triggered two ways:

  • a maintainer adds the preview label, or
  • anyone with write access or the PR author comments /preview (self-serve, works for fork authors).

Three jobs with separate permissions:

  • authorize (pull-requests: read) — decides + gates the command
  • build (contents: read, no secrets) — builds fork code safely (worst case = wasted runner minutes, never token/secret theft)
  • comment (pull-requests: write) — posts a sticky bot comment with status + download link; never checks out fork code

A sticky bot comment reports ✅ Preview build ready — [Download] / ❌ ….

Design notes

  • Unsigned by necessity: fork PRs get no secrets. Ad-hoc macOS signing (APPLE_SIGNING_IDENTITY: "-", no cert) avoids the Gatekeeper "damaged" error; testers right-click → Open (Windows: "Run anyway").
  • Injection-safe: the /preview command body is read only inside a GitHub if: expression, never interpolated into a shell.
  • Fork limitation (documented in the workflow): on a fork PR the plain pull_request token is read-only, so the label path builds but can't self-comment — fork authors use /preview (privileged issue_comment context) to get build + comment.
  • Artifacts self-expire → nothing to clean up. Label-gated / command-gated to control cost (macOS runners ~10× Linux).
  • Need a signed build of a specific PR? Use release.ymlworkflow_dispatch(pr_number).

Setup (repo admin)

  • The preview label already exists.
  • New dependency: marocchino/sticky-pull-request-comment@v2 (widely used).
  • Recommended: Settings → Actions → Require approval for first-time contributors stays on (gates the label path for new fork contributors; the /preview command path is gated by the author-or-write check in the workflow).
  • Optional: for un-authenticated artifact downloads (Actions artifacts require a GitHub login even on public repos — actions/upload-artifact#51), install the nightly.link GitHub App — no workflow change needed.

Testing

YAML + reusable-workflow wiring validated locally. Signing/notarization and the secrets: inherit boundary only exercise on GitHub runners — the release.yml refactor touches the live release path, please review that diff.

Adds a lightweight preview/nightly pipeline without touching stable
release semantics, and de-duplicates the shared build config.

- build.yml: reusable workflow_call build matrix (single source of truth
  for the macOS/Linux/Windows signed+notarized build). Fixes a dead
  `macos-13` matrix reference (now `macos-15-intel`).
- release.yml: refactored to delegate to build.yml; triggers and
  prerelease logic unchanged (tag push -> draft release, dispatch
  pr_number -> forced prerelease).
- nightly.yml: daily cron (+ manual) builds main into a single rolling
  `nightly` prerelease, deleted+recreated each run. prerelease flag keeps
  it out of AUR/Snap/Winget.
- preview.yml: unsigned per-PR preview builds -> Actions artifacts (no
  tag/release, 14d retention). Triggered by the `preview` label or a
  `/preview` comment (PR author or write access). A sticky bot comment
  reports status + download link. Fork-safe: build runs with
  contents:read and no secrets; commenting is a separate write-scoped job
  that never checks out fork code.
@NewtTheWolf NewtTheWolf marked this pull request as draft July 3, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant