From c42df68c1012fc6f39913806fdb051ca14ecddab Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 11 Mar 2026 16:49:43 -0400 Subject: [PATCH 1/9] fix: remediate security issues in workflows Signed-off-by: John McCall --- .github/workflows/check-python-code.yaml | 7 ++---- .../check-python-package-versions.yaml | 3 +-- .../workflows/publish-python-packages.yaml | 23 +++++++++++-------- ...eusable-check-python-package-versions.yaml | 20 ++++++++-------- 4 files changed, 27 insertions(+), 26 deletions(-) diff --git a/.github/workflows/check-python-code.yaml b/.github/workflows/check-python-code.yaml index 97d37eb4b..fffbd8b53 100644 --- a/.github/workflows/check-python-code.yaml +++ b/.github/workflows/check-python-code.yaml @@ -1,7 +1,7 @@ name: Check Python package code on: - pull_request_target: + pull_request: paths: - 'packages/**' - 'pyproject.toml' @@ -16,12 +16,9 @@ on: jobs: check: runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v6 - name: Install uv uses: astral-sh/setup-uv@v4 diff --git a/.github/workflows/check-python-package-versions.yaml b/.github/workflows/check-python-package-versions.yaml index c8e4f2449..960c68e4b 100644 --- a/.github/workflows/check-python-package-versions.yaml +++ b/.github/workflows/check-python-package-versions.yaml @@ -1,7 +1,7 @@ name: Check Python package version numbers on: - pull_request_target: + pull_request: paths: - '**/pyproject.toml' - 'packages/**/__about__.py' @@ -12,7 +12,6 @@ permissions: jobs: check: - if: github.event.pull_request.head.repo.full_name == github.repository uses: ./.github/workflows/reusable-check-python-package-versions.yaml with: before_commit: ${{ github.event.pull_request.base.sha }} diff --git a/.github/workflows/publish-python-packages.yaml b/.github/workflows/publish-python-packages.yaml index b9a31e837..09da369e1 100644 
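Review bot: The bumped `actions/checkout@v6` in the second check-python-code hunk is still pinned by a mutable tag, which leaves a commit titled as a security remediation exposed to tag retargeting in the action repository; pin to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`. The same applies to every other `uses:` bump in this series (check-python-package-versions, publish-python-packages, the reusable version-check workflow, test-schema and the patch-8 workflows), with the exception of the already SHA-pinned `lowlydba/sustainable-npm` step in patch 8. Since this checkout now runs on `pull_request` and nothing in the visible job pushes back to the repository, adding `with:` / `persist-credentials: false` under the new `uses:` line would also keep the GITHUB_TOKEN out of the workspace's git config for the later steps.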
--- a/.github/workflows/publish-python-packages.yaml +++ b/.github/workflows/publish-python-packages.yaml @@ -6,6 +6,7 @@ on: paths: - '**/pyproject.toml' - 'packages/**/__about__.py' + workflow_dispatch: inputs: aws_iam_role_name: description: The name of the IAM role to assume for accessing CodeArtifact @@ -64,16 +65,18 @@ jobs: - name: Get CodeArtifact publish URL id: get-code-artifact-params run: | - echo 'token<> $GITHUB_OUTPUT - ./.github/workflows/scripts/code-artifact.sh token \ - 505071440022 us-west-2 overture-pypi >> $GITHUB_OUTPUT - echo EOF >> $GITHUB_OUTPUT - echo 'publish_url<> $GITHUB_OUTPUT - ./.github/workflows/scripts/code-artifact.sh publish-url \ - 505071440022 us-west-2 overture-pypi overture >> $GITHUB_OUTPUT - echo EOF >> $GITHUB_OUTPUT + token=$(./.github/workflows/scripts/code-artifact.sh token \ + 505071440022 us-west-2 overture-pypi) + echo "::add-mask::${token}" + echo "token=${token}" >> $GITHUB_OUTPUT + publish_url=$(./.github/workflows/scripts/code-artifact.sh publish-url \ + 505071440022 us-west-2 overture-pypi overture) + echo "publish_url=${publish_url}" >> $GITHUB_OUTPUT - name: Publish package ${{ matrix.package }} version ${{ matrix.after }} to PyPI + env: + CA_TOKEN: ${{ steps.get-code-artifact-params.outputs.token }} + CA_PUBLISH_URL: ${{ steps.get-code-artifact-params.outputs.publish_url }} run: | package="${{ matrix.package }}" before="${{ matrix.before }}" @@ -91,5 +94,5 @@ jobs: exit 1 fi uv publish "$wheel" "$tarball" \ - -t "${{ steps.get-code-artifact-params.outputs.token }}" \ - --publish-url "${{ steps.get-code-artifact-params.outputs.publish_url }}" + -t "${CA_TOKEN}" \ + --publish-url "${CA_PUBLISH_URL}" diff --git a/.github/workflows/reusable-check-python-package-versions.yaml b/.github/workflows/reusable-check-python-package-versions.yaml index 87253e03e..1972c737d 100644 --- a/.github/workflows/reusable-check-python-package-versions.yaml +++ b/.github/workflows/reusable-check-python-package-versions.yaml 
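Review bot: `echo "token=${token}" >> $GITHUB_OUTPUT` in the get-code-artifact-params hunk replaces the previous heredoc-delimited output with the single-line form, so a token or publish URL containing a newline would corrupt the outputs file or surface as a second key instead of being carried through; if `code-artifact.sh` is guaranteed to print exactly one line this is fine, otherwise guard it, e.g. `[[ "${token}" == *$'\n'* ]] && { echo "::error::token is not single-line"; exit 1; }`, and quote the redirect target as `>> "$GITHUB_OUTPUT"` in both echo lines. Moving the token and publish URL into the publish step's `env:` so `uv publish` reads `${CA_TOKEN}` and `${CA_PUBLISH_URL}` rather than inline `${{ }}` expressions is the right direction; the `package="${{ matrix.package }}"` and `before="${{ matrix.before }}"` assignments in the same `run:` block (context lines here) could take the same treatment in a follow-up. The `run:` block of the publish step continues past the end of the third hunk.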
@@ -62,17 +62,17 @@ jobs: run: sudo apt-get update && sudo apt-get install -y jq - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@v7 with: version: latest - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: - python-version: "3.10" + python-version-file: .python-version - name: Check out code before change - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ inputs.before_commit }} @@ -123,20 +123,22 @@ jobs: id: get-code-artifact-index-url if: steps.save-changes.outputs.num_changed_packages > 0 run: | - echo 'index_url<> $GITHUB_OUTPUT - ./.github/workflows/scripts/code-artifact.sh index-url \ + index_url=$(./.github/workflows/scripts/code-artifact.sh index-url \ "${{ inputs.aws_account_id }}" "${{ inputs.aws_region }}" \ - "${{ inputs.domain }}" "${{ inputs.repository }}" >> $GITHUB_OUTPUT - echo EOF >> $GITHUB_OUTPUT + "${{ inputs.domain }}" "${{ inputs.repository }}") + echo "::add-mask::${index_url}" + echo "index_url=${index_url}" >> $GITHUB_OUTPUT - name: Fail if any of the new versions already exist in the repo if: steps.save-changes.outputs.num_changed_packages > 0 + env: + INDEX_URL: ${{ steps.get-code-artifact-index-url.outputs.index_url }} run: | jq -c '.[]' /tmp/package-version-diff.json | while read -r entry; do package=$(echo "$entry" | jq -r '.package') after=$(echo "$entry" | jq -r '.after') exit_code=0 - output=$(uv run pip download "${package}==${after}" --index-url "${{ steps.get-code-artifact-index-url.outputs.index_url }}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$? + output=$(uv run pip download "${package}==${after}" --index-url "${INDEX_URL}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$? if [[ $exit_code -eq 0 || ( "${output,,}" != *"could not find a version"* && "${output,,}" != *"no matching distributions"* From d2ec79dbb376ba58f91cd41fc828005da486b3d8 Mon Sep 17 00:00:00 2001 
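Review bot: The rewritten `index_url=$(...)` command in the second reusable-check hunk still interpolates `${{ inputs.aws_account_id }}`, `${{ inputs.aws_region }}`, `${{ inputs.domain }}` and `${{ inputs.repository }}` directly into the shell script, while the same commit moves the resulting URL into a step `env:` (`INDEX_URL`) for the next step; passing the inputs through `env:` in the same way keeps the script free of expression expansion regardless of what a caller supplies. The step's `- name:` line sits above the hunk and the `if [[ ... ]]` block of the following step continues past its end. The same inline-interpolation pattern appears in `--output-dir "${{ inputs.output-dir }}"` of the composite action added in patch 8 (`.github/actions/generate-schema-docs/action.yml`).
```yaml
      id: get-code-artifact-index-url
      if: steps.save-changes.outputs.num_changed_packages > 0
      env:
        AWS_ACCOUNT_ID: ${{ inputs.aws_account_id }}
        AWS_REGION: ${{ inputs.aws_region }}
        CA_DOMAIN: ${{ inputs.domain }}
        CA_REPOSITORY: ${{ inputs.repository }}
      run: |
        index_url=$(./.github/workflows/scripts/code-artifact.sh index-url \
          "${AWS_ACCOUNT_ID}" "${AWS_REGION}" \
          "${CA_DOMAIN}" "${CA_REPOSITORY}")
        # … unchanged: add-mask and GITHUB_OUTPUT write …
```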
From: John McCall Date: Wed, 11 Mar 2026 16:49:52 -0400 Subject: [PATCH 2/9] chore: stub CODEOWNERS Signed-off-by: John McCall --- CODEOWNERS | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 000000000..0fe93f496 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,3 @@ +# Devops + +/.github @lowlydba @overturemaps/omf-public-reviewers From 523774b455cc4df6d741a3209d12546578b8ce83 Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 11 Mar 2026 16:50:04 -0400 Subject: [PATCH 3/9] chore: update GHA versions Signed-off-by: John McCall --- .github/workflows/test-schema.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-schema.yaml b/.github/workflows/test-schema.yaml index d23d2b315..68045d53b 100644 --- a/.github/workflows/test-schema.yaml +++ b/.github/workflows/test-schema.yaml @@ -14,12 +14,14 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: 1.22 + - name: Install dependencies run: go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest + - name: Validate run: ./test.sh From 73e6fced528ac6d43c9ebba398fd33b5968cd365 Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 11 Mar 2026 16:50:17 -0400 Subject: [PATCH 4/9] chore: enable dependabot for GHA Signed-off-by: John McCall --- .github/dependabot.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..ca6697070 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,15 @@ +--- +version: 2 +updates: + + # Maintain GitHub Actions dependencies + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "bot" + commit-message: + prefix: "[CHORE](deps)" + include: "scope" From f5fc07f90994c8b84a559c3f9eaafbd249e47537 Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 11 Mar 2026 17:00:23 -0400 Subject: [PATCH 5/9] Update test-schema.yaml Signed-off-by: John McCall --- .github/workflows/test-schema.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-schema.yaml b/.github/workflows/test-schema.yaml index 68045d53b..7b386ad24 100644 --- a/.github/workflows/test-schema.yaml +++ b/.github/workflows/test-schema.yaml @@ -14,14 +14,14 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - name: Set up Go - uses: actions/setup-go@v6 - with: - go-version: 1.22 + - uses: actions/checkout@v6 + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: 1.22 - - name: Install dependencies - run: go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest + - name: Install dependencies + run: go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest - - name: Validate - run: ./test.sh + - name: Validate + run: ./test.sh From 39a24f258d8259d5e5c6866a4031daf9e36da159 Mon Sep 17 00:00:00 2001 From: John McCall Date: Wed, 11 Mar 2026 17:02:08 -0400 Subject: [PATCH 6/9] Set up Python after checkout; minor YAML formatting Move the "Set up Python" step in reusable-check-python-package-versions.yaml to run after actions/checkout so the .python-version file is available to actions/setup-python and the subsequent "uv sync" can see repository packages. Also add a small whitespace/formatting tweak in test-schema.yaml (blank line between checkout and Go setup) for readability. 
Signed-off-by: John McCall --- .../reusable-check-python-package-versions.yaml | 10 +++++----- .github/workflows/test-schema.yaml | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-check-python-package-versions.yaml b/.github/workflows/reusable-check-python-package-versions.yaml index 1972c737d..519a9e3d2 100644 --- a/.github/workflows/reusable-check-python-package-versions.yaml +++ b/.github/workflows/reusable-check-python-package-versions.yaml @@ -66,16 +66,16 @@ jobs: with: version: latest - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version-file: .python-version - - name: Check out code before change uses: actions/checkout@v6 with: ref: ${{ inputs.before_commit }} + - name: Set up Python + uses: actions/setup-python@v6 + with: + python-version-file: .python-version + - name: Sync code before change to make packages visible to Python run: uv sync --all-packages diff --git a/.github/workflows/test-schema.yaml b/.github/workflows/test-schema.yaml index 7b386ad24..9f15acd88 100644 --- a/.github/workflows/test-schema.yaml +++ b/.github/workflows/test-schema.yaml @@ -15,6 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + - name: Set up Go uses: actions/setup-go@v6 with: From 5f8baeea507117856eba0b12708a0007c52de3c4 Mon Sep 17 00:00:00 2001 From: John McCall Date: Thu, 12 Mar 2026 09:56:42 -0400 Subject: [PATCH 7/9] test touch - whitespace Signed-off-by: John McCall --- pyproject.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 1679e49a3..9626ff7c4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -9,7 +9,6 @@ version = "0.0.0" [tool.uv.workspace] members = ["packages/*"] - [tool.ruff] line-length = 88 target-version = "py310" From e71c186d9d3092a94247282eb35405bc9195120c Mon Sep 17 00:00:00 2001 From: John McCall Date: Thu, 12 Mar 2026 18:13:40 -0400 Subject: [PATCH 8/9] initial commit 
Signed-off-by: John McCall --- .../actions/generate-schema-docs/action.yml | 31 +++++ ...eusable-check-python-package-versions.yaml | 2 +- .../workflows/schema-pr-preview-cleanup.yml | 39 ++++++ .github/workflows/schema-pr-preview.yml | 113 ++++++++++++++++++ 4 files changed, 184 insertions(+), 1 deletion(-) create mode 100644 .github/actions/generate-schema-docs/action.yml create mode 100644 .github/workflows/schema-pr-preview-cleanup.yml create mode 100644 .github/workflows/schema-pr-preview.yml diff --git a/.github/actions/generate-schema-docs/action.yml b/.github/actions/generate-schema-docs/action.yml new file mode 100644 index 000000000..fbd1de481 --- /dev/null +++ b/.github/actions/generate-schema-docs/action.yml @@ -0,0 +1,31 @@ +--- +name: Generate Schema Docs +description: > + Run the overture-codegen tool to generate markdown documentation + from the Pydantic schema models in this repository. + +inputs: + output-dir: + description: 'Path to write generated markdown into (absolute, or relative to GITHUB_WORKSPACE)' + required: true + +runs: + using: composite + steps: + - name: Set up Python + uses: actions/setup-python@v6 + with: + python-version-file: .python-version + + - name: Install uv + uses: astral-sh/setup-uv@v7 + + - name: Install schema packages + shell: bash + working-directory: ${{ github.workspace }} + run: uv sync + + - name: Generate markdown docs + shell: bash + working-directory: ${{ github.workspace }} + run: uv run overture-codegen generate --format markdown --output-dir "${{ inputs.output-dir }}" diff --git a/.github/workflows/reusable-check-python-package-versions.yaml b/.github/workflows/reusable-check-python-package-versions.yaml index 519a9e3d2..3a764ea16 100644 --- a/.github/workflows/reusable-check-python-package-versions.yaml +++ b/.github/workflows/reusable-check-python-package-versions.yaml 
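Review bot: The composite action's `description` does not state that the caller must already have checked out this repository: the `uv sync` step, the `python-version-file: .python-version` setting and both `working-directory: ${{ github.workspace }}` entries only work against a populated workspace, and a composite action performs no checkout of its own. Add a sentence to the folded description such as `Requires the repository to be checked out into GITHUB_WORKSPACE before this action runs; uv sync and .python-version are read from there.` The whole action is inside this hunk, so no other context is missing.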
@@ -19,7 +19,7 @@ on: description: The AWS account ID that owns the CodeArtifact domain type: string required: false - default: 505071440022 + default: '505071440022' aws_region: description: The AWS region where the CodeArtifact repository is hosted type: string diff --git a/.github/workflows/schema-pr-preview-cleanup.yml b/.github/workflows/schema-pr-preview-cleanup.yml new file mode 100644 index 000000000..e3d3494ff --- /dev/null +++ b/.github/workflows/schema-pr-preview-cleanup.yml @@ -0,0 +1,39 @@ +--- +name: Schema PR Preview Cleanup +run-name: Clean up schema reference preview for PR #${{ github.event.number }} + +on: + pull_request: + types: [closed] + +permissions: + contents: read + +jobs: + cleanup: + name: Cleanup + runs-on: ubuntu-latest + permissions: + id-token: write + env: + AWS_ROLE_ARN: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps + AWS_REGION: us-west-2 + + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + + # No flags to ignore "not found" errors, so we use "|| true" to prevent failure if the path doesn't exist + - name: Delete from S3 + run: | + aws s3 rm --recursive \ + s3://overture-managed-staging-usw2/gh-pages/schema/pr/${{ github.event.number }}/ || true + + - name: Bust the cache + run: | + aws cloudfront create-invalidation \ + --distribution-id E1KP2IN0H2RGGT \ + --paths "/schema/pr/${{ github.event.number }}/*" || true diff --git a/.github/workflows/schema-pr-preview.yml b/.github/workflows/schema-pr-preview.yml new file mode 100644 index 000000000..082d01512 --- /dev/null +++ b/.github/workflows/schema-pr-preview.yml 
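Review bot: The `|| true` on both `run:` steps in the cleanup workflow swallows every failure, including a failed role assumption and S3 or CloudFront permission errors, so a broken cleanup would pass green while stale previews stay published. The comment's premise may also not hold: as far as I know `aws s3 rm --recursive` on a prefix with no objects exits 0 and `create-invalidation` does not check that the paths exist, so dropping `|| true` from both commands is likely safe; if a genuine not-found exit code does occur, tolerate only that code rather than all of them. The job also requests `id-token: write` on a `pull_request` trigger, which as I understand it is not granted to runs from forked repositories, so fork PRs would fail at the credentials step; an `if: github.event.pull_request.head.repo.full_name == github.repository` on the job would make that explicit instead of a red run.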
@@ -0,0 +1,113 @@ +--- +name: Schema PR Preview +run-name: Build and deploy schema reference preview for PR #${{ github.event.number }} + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: read + +jobs: + build: + name: Build + runs-on: ubuntu-latest + steps: + - name: Check out schema repo + uses: actions/checkout@v6 + + - name: Check out docs repo + uses: actions/checkout@v6 + with: + repository: OvertureMaps/docs + path: _docs + + - name: Set up Node.js + uses: actions/setup-node@v6 + with: + node-version-file: _docs/package.json + + - name: Configure sustainable npm + uses: lowlydba/sustainable-npm@ed089bd92235c2af803a951fba2bd42c59fbcd73 # v2.0.0 + + - name: Install NPM dependencies + working-directory: _docs + run: npm ci --omit=dev + + - name: Generate schema markdown docs + uses: ./.github/actions/generate-schema-docs + with: + output-dir: ${{ github.workspace }}/_docs/docs/schema/reference + + - name: Build Docusaurus site + working-directory: _docs + env: + DOCUSAURUS_URL: https://staging.overturemaps.org/ + DOCUSAURUS_BASE_URL: /schema/pr/${{ github.event.number }}/ + SCHEMA_PREVIEW: 'true' + run: npm run build + + - name: Upload build artifact + uses: actions/upload-artifact@v7 + with: + name: build-artifact + path: _docs/build + + deploy: + name: Deploy + runs-on: ubuntu-latest + needs: build + permissions: + id-token: write + pull-requests: write + env: + AWS_ROLE_ARN: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps + AWS_REGION: us-west-2 + environment: + name: staging + url: https://staging.overturemaps.org/schema/pr/${{ github.event.number }}/schema/ + + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + + - name: Download build artifact + uses: actions/download-artifact@v7 + with: + name: build-artifact + path: build + + - name: Copy to S3 + run: | + aws s3 sync 
--delete build \ + s3://overture-managed-staging-usw2/gh-pages/schema/pr/${{ github.event.number }}/ + + - name: Bust the cache + run: | + aws cloudfront create-invalidation \ + --distribution-id E1KP2IN0H2RGGT \ + --paths "/schema/pr/${{ github.event.number }}/*" + + - name: Get deploy timestamp + id: timestamp + run: echo "time=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + + - name: Comment on PR + uses: marocchino/sticky-pull-request-comment@v2 + with: + message: | + ## 🗺️ Schema reference preview is live! + + Your schema changes are deployed and ready to review in a preview environment. + You can view the generated documentation and test out the new schema features: + + **[→ Open preview](https://staging.overturemaps.org/schema/pr/${{ github.event.number }}/schema/)** + + > [!NOTE] + > This preview & comment update automatically with each push to this PR. + + Last updated: ${{ steps.timestamp.outputs.time }} (${{ github.sha }}) From ee7ab97b3e1d4d43d7a04cb2ee79672e8b69cefc Mon Sep 17 00:00:00 2001 From: John McCall Date: Fri, 13 Mar 2026 11:37:21 -0400 Subject: [PATCH 9/9] Revert "initial commit" This reverts commit e71c186d9d3092a94247282eb35405bc9195120c. --- .../actions/generate-schema-docs/action.yml | 31 ----- ...eusable-check-python-package-versions.yaml | 2 +- .../workflows/schema-pr-preview-cleanup.yml | 39 ------ .github/workflows/schema-pr-preview.yml | 113 ------------------ 4 files changed, 1 insertion(+), 184 deletions(-) delete mode 100644 .github/actions/generate-schema-docs/action.yml delete mode 100644 .github/workflows/schema-pr-preview-cleanup.yml delete mode 100644 .github/workflows/schema-pr-preview.yml diff --git a/.github/actions/generate-schema-docs/action.yml b/.github/actions/generate-schema-docs/action.yml deleted file mode 100644 index fbd1de481..000000000 --- a/.github/actions/generate-schema-docs/action.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -name: Generate Schema Docs -description: > - Run the overture-codegen tool to generate markdown documentation - from the Pydantic schema models in this repository. - -inputs: - output-dir: - description: 'Path to write generated markdown into (absolute, or relative to GITHUB_WORKSPACE)' - required: true - -runs: - using: composite - steps: - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version-file: .python-version - - - name: Install uv - uses: astral-sh/setup-uv@v7 - - - name: Install schema packages - shell: bash - working-directory: ${{ github.workspace }} - run: uv sync - - - name: Generate markdown docs - shell: bash - working-directory: ${{ github.workspace }} - run: uv run overture-codegen generate --format markdown --output-dir "${{ inputs.output-dir }}" diff --git a/.github/workflows/reusable-check-python-package-versions.yaml b/.github/workflows/reusable-check-python-package-versions.yaml index 3a764ea16..519a9e3d2 100644 --- a/.github/workflows/reusable-check-python-package-versions.yaml +++ b/.github/workflows/reusable-check-python-package-versions.yaml @@ -19,7 +19,7 @@ on: description: The AWS account ID that owns the CodeArtifact domain type: string required: false - default: '505071440022' + default: 505071440022 aws_region: description: The AWS region where the CodeArtifact repository is hosted type: string diff --git a/.github/workflows/schema-pr-preview-cleanup.yml b/.github/workflows/schema-pr-preview-cleanup.yml deleted file mode 100644 index e3d3494ff..000000000 --- a/.github/workflows/schema-pr-preview-cleanup.yml +++ /dev/null 
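Review bot: Reverting `default: '505071440022'` to `default: 505071440022` in the reusable-check hunk puts an unquoted integer back as the default of an input declared `type: string`; YAML types it as a number and, as far as I know, GitHub's workflow validator either rejects or coerces a default whose type does not match, so the quoted form the reverted commit introduced should be kept as `default: '505071440022'` even though the rest of the revert stands. If the revert was meant to remove only the preview workflows and the composite action, this one-line change can be excluded from it.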
@@ -1,39 +0,0 @@ ---- -name: Schema PR Preview Cleanup -run-name: Clean up schema reference preview for PR #${{ github.event.number }} - -on: - pull_request: - types: [closed] - -permissions: - contents: read - -jobs: - cleanup: - name: Cleanup - runs-on: ubuntu-latest - permissions: - id-token: write - env: - AWS_ROLE_ARN: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps - AWS_REGION: us-west-2 - - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v6 - with: - role-to-assume: ${{ env.AWS_ROLE_ARN }} - aws-region: ${{ env.AWS_REGION }} - - # No flags to ignore "not found" errors, so we use "|| true" to prevent failure if the path doesn't exist - - name: Delete from S3 - run: | - aws s3 rm --recursive \ - s3://overture-managed-staging-usw2/gh-pages/schema/pr/${{ github.event.number }}/ || true - - - name: Bust the cache - run: | - aws cloudfront create-invalidation \ - --distribution-id E1KP2IN0H2RGGT \ - --paths "/schema/pr/${{ github.event.number }}/*" || true diff --git a/.github/workflows/schema-pr-preview.yml b/.github/workflows/schema-pr-preview.yml deleted file mode 100644 index 082d01512..000000000 --- a/.github/workflows/schema-pr-preview.yml +++ /dev/null 
@@ -1,113 +0,0 @@ ---- -name: Schema PR Preview -run-name: Build and deploy schema reference preview for PR #${{ github.event.number }} - -on: - pull_request: - types: [opened, synchronize, reopened] - -permissions: - contents: read - -jobs: - build: - name: Build - runs-on: ubuntu-latest - steps: - - name: Check out schema repo - uses: actions/checkout@v6 - - - name: Check out docs repo - uses: actions/checkout@v6 - with: - repository: OvertureMaps/docs - path: _docs - - - name: Set up Node.js - uses: actions/setup-node@v6 - with: - node-version-file: _docs/package.json - - - name: Configure sustainable npm - uses: lowlydba/sustainable-npm@ed089bd92235c2af803a951fba2bd42c59fbcd73 # v2.0.0 - - - name: Install NPM dependencies - working-directory: _docs - run: npm ci --omit=dev - - - name: Generate schema markdown docs - uses: ./.github/actions/generate-schema-docs - with: - output-dir: ${{ github.workspace }}/_docs/docs/schema/reference - - - name: Build Docusaurus site - working-directory: _docs - env: - DOCUSAURUS_URL: https://staging.overturemaps.org/ - DOCUSAURUS_BASE_URL: /schema/pr/${{ github.event.number }}/ - SCHEMA_PREVIEW: 'true' - run: npm run build - - - name: Upload build artifact - uses: actions/upload-artifact@v7 - with: - name: build-artifact - path: _docs/build - - deploy: - name: Deploy - runs-on: ubuntu-latest - needs: build - permissions: - id-token: write - pull-requests: write - env: - AWS_ROLE_ARN: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps - AWS_REGION: us-west-2 - environment: - name: staging - url: https://staging.overturemaps.org/schema/pr/${{ github.event.number }}/schema/ - - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v6 - with: - role-to-assume: ${{ env.AWS_ROLE_ARN }} - aws-region: ${{ env.AWS_REGION }} - - - name: Download build artifact - uses: actions/download-artifact@v7 - with: - name: build-artifact - path: build - - - name: Copy to S3 - run: | - aws s3 sync 
--delete build \ - s3://overture-managed-staging-usw2/gh-pages/schema/pr/${{ github.event.number }}/ - - - name: Bust the cache - run: | - aws cloudfront create-invalidation \ - --distribution-id E1KP2IN0H2RGGT \ - --paths "/schema/pr/${{ github.event.number }}/*" - - - name: Get deploy timestamp - id: timestamp - run: echo "time=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - - - name: Comment on PR - uses: marocchino/sticky-pull-request-comment@v2 - with: - message: | - ## 🗺️ Schema reference preview is live! - - Your schema changes are deployed and ready to review in a preview environment. - You can view the generated documentation and test out the new schema features: - - **[→ Open preview](https://staging.overturemaps.org/schema/pr/${{ github.event.number }}/schema/)** - - > [!NOTE] - > This preview & comment update automatically with each push to this PR. - - Last updated: ${{ steps.timestamp.outputs.time }} (${{ github.sha }})