Deploy with GitHub actions
Link to issue number:
Part of #17878 Blocked by #18034 Blocked by #18243
Summary of the issue:
As part of migrating to GitHub actions, we need to deploy our signed snapshot/tagged builds to the server.
Right now several environment variables and feature flags are set in testAndPublish.yml, the CI/CD script.
Forks should be able to maintain their CI/CD pipeline without making commits, as commits dirty the fork and make merging upstream harder.
For AppVeyor, developers could create a gist for appveyor.yml, point AppVeyor's UX towards it, and host it separately to their repo fork.
This can't be done with GitHub actions.
As such, all variables which need to be customizable by forks should be able to be set from GitHub variable contexts.
Description of developer facing changes:
- Releases now trigger a deployment webhook with all the information needed to deploy a release. The server can use that webhook to deploy releases.
- The create launcher step now publishes the SHA256 of the launcher. Currently it publishes the checksum of the zip folder, not the exe, and that is available elsewhere in the GitHub UX. This allows people creating the release to know the SHA sum earlier, to be used in the website post.
- Our secret was renamed to `MOZILLA_SYMS_TOKEN` from `MOZILLA_SYMS_AUTH_TOKEN`
- All variables need to be set in GitHub variables, not in the yml file
Description of development approach:
Switch to using `gh release` rather than a custom action for releases
Deploying
- Create a deploy environment for GitHub actions. This enables deploy protection, and gives us a good endpoint for a GitHub webhook
- Create a GitHub webhook that fires when a deployment occurs.
- From our deploy step, trigger a deployment using our deploy environment. Pass in our payload of information.
- The GitHub webhook should fire off with our payload when the deployment happens.
Testing strategy:
- [x] Tested releases triggered the webhook
- Actions run: https://github.com/nvaccess/nvda-githubActionsRelease/actions/runs/15623200527
- Webhook: https://github.com/nvaccess/nvda-githubActionsRelease/settings/hooks/551821542?tab=deliveries
- Discussion: https://github.com/nvaccess/nvda-githubActionsRelease/discussions/4
- Release: https://github.com/nvaccess/nvda-githubActionsRelease/releases/tag/release-2029.9.19
- Used https://webhook.site to receive payloads
- [ ] Test a snapshot deployment to the server
- [ ] Test a tagged release deployment to the server
Known issues with pull request:
- [ ] Infrastructure as described in `ci/README.md` needs to be set up in this repo
- [ ] Infrastructure on the NV Access server to deploy from the webhook is still TODO
Code Review Checklist:
- [x] Documentation:
- Change log entry
- User Documentation
- Developer / Technical Documentation
- Context sensitive help for GUI changes
- [ ] Testing:
- Unit tests
- System (end to end) tests
- Manual testing
- [x] Security precautions taken.
@coderabbitai summary
- PASS: Translation comments check.
- PASS: License check.
- PASS: Unit tests.
- FAIL: System tests (tags: installer NVDA). See test results for more information.
- Build (for testing PR): https://ci.appveyor.com/api/buildjobs/1cnwri725oasbwu4/artifacts/output/nvda_snapshot_pr18244-36788,dd75667e.exe
- CI timing (mins): INIT 0.0, INSTALL_START 1.5, INSTALL_END 0.9, BUILD_START 0.0, BUILD_END 19.0, TESTSETUP_START 0.0, TESTSETUP_END 0.4, TEST_START 0.0, TEST_END 19.0, FINISH_END 0.1
See test results for failed build of commit dd75667eed
- PASS: Translation comments check.
- PASS: License check.
- PASS: Unit tests.
- FAIL: System tests (tags: installer NVDA). See test results for more information.
- Build (for testing PR): https://ci.appveyor.com/api/buildjobs/o3df9fq09cb55xlf/artifacts/output/nvda_snapshot_pr18244-37090,4d993609.exe
- CI timing (mins): INIT 0.0, INSTALL_START 2.3, INSTALL_END 1.0, BUILD_START 0.0, BUILD_END 27.2, TESTSETUP_START 0.0, TESTSETUP_END 0.4, TEST_START 0.0, TEST_END 21.2, FINISH_END 0.1
See test results for failed build of commit 4d993609f1
@SaschaCowley - I think this has sufficient testing now, I have tested deployments for try builds, snapshots and releases to a local server. I think we should merge this before merging the server work, to ensure we have real life payloads being sent before receiving them.
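
An added example, not part of this pull request or of NV Access's server code: one way a receiving server could authenticate the deployment webhook described above before acting on its payload, using GitHub's `X-Hub-Signature-256` HMAC. The secret, repository name, the environment name `deploy` and the payload field are constructed placeholders, and headers are assumed to arrive under their canonical names.

```python
import hashlib
import hmac
import json

# Assumed values for this sketch; none of them come from the pull request.
EXPECTED_REPO = "example-org/example-repo"
EXPECTED_ENVIRONMENT = "deploy"


class RejectedDelivery(Exception):
    """Raised when a delivery must not trigger a deployment."""


def sign(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends: HMAC-SHA256 over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_deployment_delivery(secret, headers, body, seen_ids):
    """Authenticate one delivery and return the deployment payload as a dict."""
    # Check the signature on the raw bytes before parsing any JSON.
    received = headers.get("X-Hub-Signature-256", "")
    if not hmac.compare_digest(sign(secret, body).encode(), received.encode()):
        raise RejectedDelivery("bad or missing signature")
    if headers.get("X-GitHub-Event") != "deployment":
        raise RejectedDelivery("not a deployment event")
    # A validly signed delivery can still be replayed; track delivery ids.
    delivery_id = headers.get("X-GitHub-Delivery")
    if not delivery_id or delivery_id in seen_ids:
        raise RejectedDelivery("missing or replayed delivery id")
    event = json.loads(body)
    if event.get("repository", {}).get("full_name") != EXPECTED_REPO:
        raise RejectedDelivery("unexpected repository")
    deployment = event.get("deployment", {})
    if deployment.get("environment") != EXPECTED_ENVIRONMENT:
        raise RejectedDelivery("unexpected environment")
    seen_ids.add(delivery_id)
    payload = deployment.get("payload") or {}
    # The payload may arrive as a JSON string or as an object.
    return json.loads(payload) if isinstance(payload, str) else payload


if __name__ == "__main__":
    secret = b"constructed-secret"
    body = json.dumps({  # constructed sample delivery
        "repository": {"full_name": EXPECTED_REPO},
        "deployment": {"environment": "deploy", "payload": {"version": "constructed-1.0"}},
    }).encode()
    headers = {"X-Hub-Signature-256": sign(secret, body),
               "X-GitHub-Event": "deployment", "X-GitHub-Delivery": "constructed-id-1"}
    print(verify_deployment_delivery(secret, headers, body, set()))
```

In production `seen_ids` would be a persistent store, and the returned payload should be validated field by field before any file is fetched or published.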