feat: per-PR ephemeral preview envs with PAT browser auth#95
Merged
Conversation
Each PR now deploys its own CP to pr-{N}.devopsdefender.com, isolated
by hostname and DD_ENV=pr-{N}. Browser access uses /auth/pat (paste a
GitHub PAT, validated against DD_OWNER); OIDC and Noise XX still gate
machine endpoints unchanged.
On PR close, pr-teardown.yml deletes the VM, CF tunnel, and DNS
CNAME. Between pushes, cleanup.yml's new reap-pr-previews job reaps
STONITH-terminated VMs so they don't accumulate.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`env.DD_DOMAIN` isn't available when job-level `env:` is evaluated — only vars/secrets/inputs/github/runner/needs/matrix are. Reference `vars.DD_CF_DOMAIN` directly instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
DD preview readyURL: https://pr-95.devopsdefender.com Browser login: paste CLI / curl: Register endpoint for a local agent: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pr-{N}.devopsdefender.com, isolated by hostname andDD_ENV=pr-{N}(no more single sharedapp-staging)/auth/patform accepts a GitHub PAT (gh auth token), validated againstDD_OWNERviaapi.github.com/user. Reuses the existing session-cookie machinery.DD_GITHUB_CLIENT_ID) is now optional indd-web. When unset,/auth/github/*returns 404 and browsers are redirected to/auth/patinstead.release.yml'sdeploy-stagingjob is renamed todeploy-preview, computesDD_ENV+DD_HOSTNAMEfromgithub.event_nameandgithub.event.number, and posts a comment on the PR with the preview URL.pr-teardown.ymlonpull_request: closeddeletes the VM, CF tunnel(s), and DNS CNAME.cleanup.ymlgains areap-pr-previewsjob for TERMINATEDdd-pr-*VMs that accumulate between pushes.Machine auth is unchanged:
/cp/atteststill takes GitHub Actions OIDC,/registerstill takes Noise XX.What this PR does NOT do
app-stagingenv (workflow_dispatch still targets it)feat/installerbranch)Those are follow-ups once the per-PR flow is proven.
Test plan
This PR exercises itself — on open, CI will:
pr-{sha12}pr-{this-PR}.devopsdefender.com/healthreturns 200 via the new CF tunnel/cp/attestreturns a non-zero MRTD (OIDC-gated)dd_env=pr-{this-PR}VM RUNNINGcurl -H "Authorization: Bearer \$(gh auth token)" https://pr-{N}.devopsdefender.com/returns 200/redirects to/auth/pat; form accepts PAT, sets cookie, redirects to dashboardpr-teardown.ymldeletes VM + tunnel + DNS🤖 Generated with Claude Code