Merge pull request #960 from OWASP/copilot/fix-959

Add GitHub preview action for automated container builds and deployment instructions

Author: commjoen

.github/workflows/preview.yml

@@ -0,0 +1,259 @@
+---  # yamllint disable rule:line-length
+name: "Preview Deployment"
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  packages: write
+  pull-requests: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}
+
+jobs:
+  set-tag:
+    name: "Determine Tag"
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.set-tag.outputs.tag }}
+    steps:
+      - name: Set output tag
+        id: set-tag
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            echo "tag=pr-${{ github.event.number }}" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          fi
+
+  build-and-publish:
+    name: "Build and Publish Preview Images"
+    runs-on: ubuntu-latest
+    needs: set-tag
+    strategy:
+      matrix:
+        component:
+          - wrongsecrets-balancer
+          - cleaner
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_PREFIX }}/${{ matrix.component }}
+          tags: |
+            type=raw,value=${{ needs.set-tag.outputs.tag }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./${{ matrix.component }}
+          file: ./${{ matrix.component }}/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+
+  generate-preview-instructions:
+    name: "Generate Preview Instructions"
+    runs-on: ubuntu-latest
+    needs: [set-tag, build-and-publish]
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Install yq
+        run: |
+          sudo snap install yq
+
+      - name: Generate preview values
+        id: values
+        run: |
+          # Create a preview values file
+          cat > preview-values.yaml << EOF
+          balancer:
+            repository: ${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer
+            tag: ${{ needs.set-tag.outputs.tag }}
+
+          wrongsecretsCleanup:
+            repository: ${{ env.IMAGE_PREFIX }}/cleaner
+            tag: ${{ needs.set-tag.outputs.tag }}
+
+          # Preview configuration
+          ingress:
+            enabled: true
+            hosts:
+              - host: >-
+                  preview-${{ needs.set-tag.outputs.tag }}.wrongsecrets.local
+                paths:
+                  - "/"
+          EOF
+
+          # Output the content for use in the comment
+          echo "values<<EOF" >> $GITHUB_OUTPUT
+          cat preview-values.yaml >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Create deployment instructions
+        id: instructions
+        run: |
+          # yamllint disable rule:line-length
+          cat > instructions.md << 'EOF'
+          ## 🚀 Preview Deployment Ready!
+
+          Your pull request has been built and is ready for preview deployment.
+          Here's how to test your changes:
+
+          ### Container Images Built
+
+          - **Balancer**: `${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer:${{ needs.set-tag.outputs.tag }}`
+          - **Cleaner**: `${{ env.IMAGE_PREFIX }}/cleaner:${{ needs.set-tag.outputs.tag }}`
+
+          ### Quick Deploy with Helm
+
+          ```bash
+          # Add the wrongsecrets helm repository
+          helm repo add wrongsecrets https://owasp.org/wrongsecrets-ctf-party
+          helm repo update
+
+          # Deploy with preview images
+          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
+            --set balancer.repository=${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer \
+            --set balancer.tag=${{ needs.set-tag.outputs.tag }} \
+            --set wrongsecretsCleanup.repository=${{ env.IMAGE_PREFIX }}/cleaner \
+            --set wrongsecretsCleanup.tag=${{ needs.set-tag.outputs.tag }} \
+            --set imagePullPolicy=Always
+
+          # Port forward to access locally
+          kubectl port-forward service/wrongsecrets-balancer 3000:3000
+          ```
+
+          ### Deploy with Custom Values
+
+          <details>
+          <summary>Click to see preview-values.yaml</summary>
+
+          ```yaml
+          ${{ steps.values.outputs.values }}
+          ```
+
+          </details>
+
+          ```bash
+          # Save the above values to preview-values.yaml, then:
+          helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
+            -f preview-values.yaml
+          ```
+
+          ### Deploy with Local Build Scripts
+
+          ```bash
+          # Clone this PR
+          git fetch origin pull/${{ github.event.number }}/head:pr-${{ github.event.number }}
+          git checkout pr-${{ github.event.number }}
+
+          # Use the existing deployment script with custom images
+          ./build-and-deploy.sh
+          ```
+
+          ### Test the Changes
+
+          1. Access the application at http://localhost:3000
+          2. Create a team and verify functionality
+          3. Test any new features or bug fixes
+
+          ### Container Registry
+
+          The preview images are available at:
+          - https://github.com/${{ github.repository_owner }}/wrongsecrets-ctf-party/pkgs/container/wrongsecrets-balancer
+          - https://github.com/${{ github.repository_owner }}/wrongsecrets-ctf-party/pkgs/container/cleaner
+
+          ---
+
+          *This preview was automatically generated for PR #${{ github.event.number }}*
+          EOF
+          # yamllint enable rule:line-length
+
+          echo "content<<EOF" >> $GITHUB_OUTPUT
+          cat instructions.md >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Comment on PR
+        uses: actions/github-script@v7
+        env:
+          INSTRUCTIONS_CONTENT: ${{ steps.instructions.outputs.content }}
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const issue_number = context.issue.number;
+
+            // Find existing preview comment
+            const comments = await github.rest.issues.listComments({
+              owner,
+              repo,
+              issue_number,
+            });
+
+            const existingComment = comments.data.find(comment =>
+              comment.user.login === 'github-actions[bot]' &&
+              comment.body.includes('🚀 Preview Deployment Ready!')
+            );
+
+            const body = process.env.INSTRUCTIONS_CONTENT;
+
+            if (existingComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: existingComment.id,
+                body
+              });
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body
+              });
+            }
+
+  notify-main-branch:
+    name: "Notify Main Branch Build"
+    runs-on: ubuntu-latest
+    needs: [set-tag, build-and-publish]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Create main branch notification
+        run: |
+          # yamllint disable rule:line-length
+          echo "## 🚀 Main Branch Preview Images Updated!"
+          echo ""
+          echo "New preview images have been built for the main branch:"
+          echo ""
+          echo "- **Balancer**: \`${{ env.IMAGE_PREFIX }}/wrongsecrets-balancer:${{ needs.set-tag.outputs.tag }}\`"
+          echo "- **Cleaner**: \`${{ env.IMAGE_PREFIX }}/cleaner:${{ needs.set-tag.outputs.tag }}\`"
+          echo ""
+          echo "These can be used for testing the latest main branch changes."
+          # yamllint enable rule:line-length

CONTRIBUTING.md

@@ -46,6 +46,37 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 
   For example: `Fix #545` or `Closes #10`
 
+### Testing your changes with Preview Deployments
+
+When you create a pull request, GitHub Actions will automatically build and publish preview Docker containers to GitHub Container Registry. This allows you and reviewers to easily test your changes before merging.
+
+#### How Preview Deployments Work
+
+1. **Automatic Build**: When you open a PR, the preview workflow builds both `wrongsecrets-balancer` and `cleaner` containers
+2. **Container Publishing**: Images are pushed to `ghcr.io` with PR-specific tags (e.g., `pr-123`)
+3. **Deployment Instructions**: A comment is automatically posted on your PR with detailed deployment instructions
+4. **Easy Testing**: Anyone can deploy and test your changes using the provided Helm commands
+
+#### Using Preview Deployments
+
+After opening a PR, look for the automated comment that provides:
+
+- **Direct deployment commands** using Helm
+- **Custom values file** for advanced configuration
+- **Container registry links** to inspect the built images
+- **Local testing instructions** for different deployment scenarios
+
+Example deployment command from the preview comment:
+```bash
+helm install my-preview wrongsecrets/wrongsecrets-ctf-party \
+  --set balancer.repository=ghcr.io/owasp/wrongsecrets-balancer \
+  --set balancer.tag=pr-123 \
+  --set wrongsecretsCleanup.repository=ghcr.io/owasp/cleaner \
+  --set wrongsecretsCleanup.tag=pr-123
+```
+
+This makes it easy for maintainers and other contributors to test your changes in a real Kubernetes environment.
+
 ## How to set up your Contributor Environment
 
 1. Create a GitHub account. Multiple different GitHub subscription plans are available, but you only need a free one. Follow [these steps](https://help.github.com/en/articles/signing-up-for-a-new-github-account "Signing up for a new GitHub account") to set up your account.

readme.md

@@ -68,6 +68,8 @@ A 100 contestant game can be played on the AWS, GCP, and Azure setup, which will
 
 This is an experimental release. It showed to work at 6 CTFs already, we just did not complete the documentation and the cleaning up of the Helm chart yet. However: it is working in its basis, and can support a good crowd. Currently, we support using Minikube, AWS EKS, GCP GKE, and Azure AKS (_**Please follow the readme in the folder for each cloud provider if you want to use it, as the guides section is not updated yet**_).
 
+**For Contributors**: Pull requests automatically generate preview deployments with containers published to GitHub Container Registry. See the automated PR comments for deployment instructions.
+
 ## How to use it
 
 The different setups are explained in [OWASP WrongSecrets CTF-instructions](https://github.com/OWASP/wrongsecrets/blob/master/ctf-instructions.md). With the 3-domain approach you generate flags for CTFD automatically, while with the 2-domain setup you need to set it up manually.

wrongsecrets-balancer/Dockerfile

@@ -2,7 +2,6 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm install
 RUN npm ci --omit=dev
 
 FROM node:22-alpine AS ui