From 730c03fbbd54a9e54f1359b59c294c1ad8092253 Mon Sep 17 00:00:00 2001
From: Olivier Desenfans
Date: Mon, 15 Jun 2026 16:46:58 +0200
Subject: [PATCH 1/4] ci: add per-PR docs preview deployment to Aleph Cloud Adds a pull_request-triggered workflow that builds the docs and deploys a per-PR preview via aleph-im/web3-hosting-action@v2, using delegated signing (low-privilege CI key, owner wallet pays). The action sweeps and removes previews of closed PRs on each run, so the workflow does not listen for the closed event. Fork PRs are skipped since they cannot read repository secrets. Release deployment is left unchanged.
---
 .github/workflows/pr-preview.yml | 59 ++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/pr-preview.yml
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
new file mode 100644
index 0000000..634f302
--- /dev/null
+++ b/.github/workflows/pr-preview.yml
@@ -0,0 +1,59 @@
+name: PR preview deploy
+
+# Builds the docs and deploys a per-pull-request preview to Aleph Cloud using
+# aleph-im/web3-hosting-action@v2, commenting the preview link on the PR.
+#
+# Cleanup: on every pull_request event the action first sweeps this repo's
+# preview sites and removes the ones whose PR is now closed, then deploys the
+# current PR's preview. Closed-PR previews are therefore reaped on subsequent
+# PR activity - that is why we do NOT listen for the `closed` event (doing so
+# would make the action reap then immediately redeploy the just-closed preview).
+#
+# One-time setup required (delegated signing - the CI key signs, the owner
+# wallet pays and owns the sites):
+# 1. Generate a dedicated CI keypair; store its private key as the
+# ALEPH_CI_PRIVATE_KEY repository secret.
+# 2. From the owner wallet, authorize the CI signer (low privilege - cannot
+# spend credits, only manage website/domain registry entries):
+# aleph authorization add \
+# --message-types store,aggregate \
+# --aggregate-keys websites,domains \
+# --channels ALEPH-CLOUDSOLUTIONS
+# 3. Ensure the owner wallet holds Aleph credits (`aleph credit buy`).
+# 4. Set the ALEPH_OWNER_ADDRESS repository variable to the owner address.
+
+on: pull_request
+
+permissions:
+ contents: read
+ pull-requests: write # comment the preview link and query PR state for cleanup
+
+jobs:
+ deploy-preview:
+ name: Deploy docs preview to Aleph Cloud
+ runs-on: ubuntu-22.04
+ # Fork PRs cannot read repository secrets, so the deploy would always fail.
+ # Skip them cleanly instead of showing a red X on every external contribution.
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm install
+
+ - name: Build and Export
+ run: npm run docs:build
+
+ - name: Deploy preview on Aleph
+ uses: aleph-im/web3-hosting-action@v2
+ with:
+ path: docs/.vitepress/dist
+ private-key: ${{ secrets.ALEPH_CI_PRIVATE_KEY }}
+ owner-address: ${{ vars.ALEPH_OWNER_ADDRESS }}
From 2e22f3e309267d43987c4761e029a3f4ea72d92b Mon Sep 17 00:00:00 2001
From: Olivier Desenfans
Date: Mon, 15 Jun 2026 16:50:39 +0200
Subject: [PATCH 2/4] ci: run preview deploy on ubuntu-latest for newer glibc The aleph CLI binary installed by web3-hosting-action requires GLIBC_2.38+, which ubuntu-22.04 does not provide.
---
 .github/workflows/pr-preview.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index 634f302..b4b807a 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -31,7 +31,9 @@ permissions:
 jobs:
 deploy-preview:
 name: Deploy docs preview to Aleph Cloud
- runs-on: ubuntu-22.04
+ # ubuntu-latest (24.04+): the aleph CLI binary the action installs needs a
+ # newer glibc (>= 2.38) than ubuntu-22.04 provides.
+ runs-on: ubuntu-latest
 # Fork PRs cannot read repository secrets, so the deploy would always fail.
 # Skip them cleanly instead of showing a red X on every external contribution.
 if: github.event.pull_request.head.repo.full_name == github.repository
From ced9d73b8997d11bbd2c3fc1ea3fc7a6bf48be1c Mon Sep 17 00:00:00 2001
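Review bot: In the new workflow's `Deploy preview on Aleph` step, `secrets.ALEPH_CI_PRIVATE_KEY` is handed to `aleph-im/web3-hosting-action@v2`, a mutable tag, so whichever commit that tag points to at run time receives the signing key. Pin the action to a full commit SHA and keep the tag as a comment, e.g. `uses: aleph-im/web3-hosting-action@<full-commit-sha> # v2`. The same applies to `actions/checkout` and `actions/setup-node`, which the later patches in this series keep on tags (v4, then v6). In the same job, `run: npm install` may resolve versions that differ from the lockfile (one presumably exists, since `cache: 'npm'` is set); `run: npm ci` keeps the build that precedes the deploy reproducible.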
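Review bot: In patch 2/4, `runs-on: ubuntu-latest` is a floating label, so the runner image and its glibc can change without any commit to this workflow, in a job that holds the CI signing key. The added comment already names the requirement (24.04+, glibc >= 2.38); writing `runs-on: ubuntu-24.04` states it explicitly and makes a runner upgrade a reviewed change. The `deploy-preview` job continues outside this hunk.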
From: Olivier Desenfans Date: Mon, 15 Jun 2026 17:20:27 +0200 Subject: [PATCH 3/4] ci: bump checkout/setup-node to v4 v3 runs on the deprecated Node 16 runtime on ubuntu-latest (24.04+). --- .github/workflows/pr-preview.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index b4b807a..766c41e 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -39,10 +39,10 @@ jobs: if: github.event.pull_request.head.repo.full_name == github.repository steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: 18 cache: 'npm' From 2268d84088b24c1a5f4c0fda04c21200ad544720 Mon Sep 17 00:00:00 2001 From: Olivier Desenfans Date: Mon, 15 Jun 2026 17:22:32 +0200 Subject: [PATCH 4/4] ci: bump checkout/setup-node to v6 Latest stable; v4 (Node 20) is entering deprecation. --- .github/workflows/pr-preview.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index 766c41e..3cf3748 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -39,10 +39,10 @@ jobs: if: github.event.pull_request.head.repo.full_name == github.repository steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up Node - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 18 cache: 'npm'