cpprefjp · akinomyoga · Jan 13, 2025 · Jan 11, 2025 · Jan 11, 2025 · Jan 11, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,6 +2,13 @@ name: build
 
 on:
   workflow_dispatch:
+  workflow_call:
+    inputs:
+      arguments:
+        description: "build.sh に渡すコマンドライン引数"
+        default: ''
+        required: false
+        type: string
   push:
     branches:
       - master
@@ -12,50 +19,48 @@ on:
 
 jobs:
   build:
+    if: github.repository_owner == 'cpprefjp' || startsWith(inputs.arguments, '--pull ')
     runs-on: ubuntu-latest
     steps:
-    - name: Register SSH key
-      env:
-        CPPREFJP_GITHUB_IO_SECRETS: ${{ secrets.CPPREFJP_GITHUB_IO_SECRETS }}
+    - id: vars
       run: |
-        mkdir -p $HOME/.ssh
-        echo "$CPPREFJP_GITHUB_IO_SECRETS" > $HOME/.ssh/id_ed25519
-        chmod 600 $HOME/.ssh/id_ed25519
+        echo "base_repo=${{ startsWith(inputs.arguments, '--pull ') && github.event.pull_request.base.repo.full_name || github.event.repository.full_name }}" >> "$GITHUB_OUTPUT"
+        echo "head_repo=${{ startsWith(inputs.arguments, '--pull ') && github.event.pull_request.head.repo.full_name || github.event.repository.full_name }}" >> "$GITHUB_OUTPUT"
+        echo "head_ref=${{ startsWith(inputs.arguments, '--pull ') && github.event.pull_request.head.ref || github.ref }}" >> "$GITHUB_OUTPUT"
 
     # site_generator
-    - uses: actions/checkout@v4
+    - name: Check out cpprefjp/site_generator
+      uses: actions/checkout@v4
       with:
         repository: cpprefjp/site_generator
         path: site_generator
     - run: git submodule update -i
       working-directory: site_generator
 
     # kunai
-    - uses: actions/checkout@v4
+    - name: Check out cpprefjp/kunai
+      uses: actions/checkout@v4
       with:
         repository: cpprefjp/kunai
         path: site_generator/kunai
     - run: git submodule update -i
       working-directory: site_generator/kunai
 
-    # cpprefjp.github.io
-    - uses: actions/checkout@v4
+    # site (typically cpprefjp/site)
+    - name: Check out ${{ steps.vars.outputs.head_repo }}
+      uses: actions/checkout@v4
       with:
-        repository: cpprefjp/cpprefjp.github.io
-        path: site_generator/cpprefjp/cpprefjp.github.io
-
-    # site
-    - uses: actions/checkout@v4
-      with:
-        repository: cpprefjp/site
-        path: site_generator/cpprefjp/site
+        repository: ${{ steps.vars.outputs.head_repo }}
         # atom 生成のために全履歴が必要
         fetch-depth: 0
+        ref: ${{ steps.vars.outputs.head_ref }}
+        path: site_generator/cpprefjp/site
     - run: git submodule update -i
       working-directory: site_generator/cpprefjp/site
 
-    # site
-    - uses: actions/checkout@v2
+    # image
+    - name: Check out cpprefjp/image
+      uses: actions/checkout@v4
       with:
         repository: cpprefjp/image
         path: site_generator/cpprefjp/image
@@ -66,10 +71,65 @@ jobs:
         python-version: 3.11
         # 3.12でUndefined symbolエラーがでた
 
+    # build.sh - base の build.sh を使う必要がある。もし PR head の
+    # build.sh を使うと、pull_request_target で呼び出された時に PR
+    # head の build.sh に悪意のあるコードが埋め込まれていると秘密鍵な
+    # ど盗まれてしまう。
+    - name: Check out build.sh
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ steps.vars.outputs.base_repo }}
+        ref: master
+        sparse-checkout: .github
+        path: .trusted
+
+    # Deploy 用
+    - name: "(Deploy) Register SSH key"
+      if: inputs.arguments == ''
+      env:
+        CPPREFJP_GITHUB_IO_SECRETS: ${{ secrets.CPPREFJP_GITHUB_IO_SECRETS }}
+      run: |
+        mkdir -p $HOME/.ssh
+        echo "$CPPREFJP_GITHUB_IO_SECRETS" > $HOME/.ssh/id_ed25519
+        chmod 600 $HOME/.ssh/id_ed25519
+
+    # Deploy 用
+    - name: "(Deploy) Check out cpprefjp.github.io"
+      if: inputs.arguments == ''
+      uses: actions/checkout@v4
+      with:
+        repository: cpprefjp/cpprefjp.github.io
+        path: site_generator/cpprefjp/cpprefjp.github.io
+
+    # Preview 用
+    - name: "(Preview build) Check out gh-pages"
+      if: startsWith(inputs.arguments, '--pull ')
+      continue-on-error: true
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event.pull_request.base.repo.full_name }}
+        ref: gh-pages
+        path: site_generator/cpprefjp/gh-pages
+
     # あとはスクリプトで頑張る
-    - run: ./cpprefjp/site/.github/workflows/script/build.sh
+    - name: Run script build.sh
+      run: ../.trusted/.github/workflows/script/build.sh ${{ inputs.arguments }}
       working-directory: site_generator
 
+    # Preview 用
+    - name: "(Preview build) Publish result in gh-pages"
+      if: startsWith(inputs.arguments, '--pull ')
+      uses: peaceiris/actions-gh-pages@v4
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        publish_dir: ./site_generator/cpprefjp/gh-pages
+
+        # Note: 以下のコミットメッセージは .github/workflows/preview_clear.yml
+        # で削除対象のコミットの特定に用いるので、変更する場合は preview_clear
+        # も一緒に更新すること。
+        commit_message: |
+          Preview PR ${{ github.event.number }}: ${{ github.event.pull_request.head.sha }} ←
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -0,0 +1,154 @@
+name: check
+
+on: [push, pull_request_target, workflow_dispatch]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        item:
+          - {name: code_qualify}
+          - {name: defined_word}
+          - {name: display_error}
+          - {name: meta_header}
+          - {name: ngword}
+          - {name: inner_link, script: link_check.py --check-inner-link}
+    name: check (${{ matrix.item.name }})
+    steps:
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.x'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install requests
+    - uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.event.repository.full_name }}
+        ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
+    - uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.repo.full_name || github.event.repository.full_name }}
+        ref: ${{ github.event_name == 'pull_request_target' && 'master' || github.ref }}
+        sparse-checkout: .github
+        path: .trusted
+    - name: check
+      run: python3 .trusted/.github/workflows/script/${{ matrix.item.script || format('{0}_check.py', matrix.item.name) }}
+
+  detect_forbidden_characters:
+    # 本リポジトリでは、以下に挙げる文字の使用を禁止している：
+    # U+00AD SOFT HYPHEN (ソフトハイフン)
+    # U+200B ZERO WIDTH SPACE (ゼロ幅スペース)
+    #
+    # 経緯は以下を参照：
+    # #735 SOFT HYPHENを削除する？
+    # https://github.com/cpprefjp/site/issues/735
+    runs-on: ubuntu-latest
+    env:
+      RIPGREP_VERSION: 14.1.0
+      BIN_DIR: ${{ github.workspace }}/bin
+      REPO_DIR: repo
+      cache-version: v1
+    steps:
+    - id: cache-ripgrep
+      uses: actions/cache@v3
+      with:
+        path: ${{ env.BIN_DIR }}
+        key: ${{ env.cache-version }}-ripgrep-${{ env.RIPGREP_VERSION }}
+    - name: install ripgrep
+      if: steps.cache-ripgrep.outputs.cache-hit != 'true'
+      run: |
+        curl -fsSLO https://github.com/BurntSushi/ripgrep/releases/download/$RIPGREP_VERSION/ripgrep-$RIPGREP_VERSION-x86_64-unknown-linux-musl.tar.gz
+        mkdir -p $BIN_DIR
+        tar xvf ripgrep-$RIPGREP_VERSION-x86_64-unknown-linux-musl.tar.gz --strip=1 --no-anchor -C $BIN_DIR rg
+      working-directory: ${{ runner.temp }}
+    - uses: actions/checkout@v4
+      with:
+        path: ${{ env.REPO_DIR }}
+    - name: check
+      run: "! $BIN_DIR/rg -t md --vimgrep '[\u00ad\u200b]' $REPO_DIR"
+
+  preview_build:
+    if: github.event_name == 'pull_request_target'
+    needs: [check, detect_forbidden_characters]
+    uses: ./.github/workflows/build.yml
+    with:
+      arguments: --pull ${{ github.event.number }}
+    concurrency:
+      group: cpprefjp.gh-pages.lock
+
+  preview_link:
+    needs: preview_build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - id: vars
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const sha0 = context.payload.pull_request.base.sha;
+            const sha = context.payload.pull_request.head.sha;
+            const base_url = (() => {
+              const owner = context.payload.pull_request.head.repo.owner.login;
+              const repo = context.payload.pull_request.head.repo.name;
+              const pull = context.payload.number;
+              return `https://${owner}.github.io/${repo}/gen/pull/${pull}`;
+            })();
+            const repo_full = context.payload.pull_request.head.repo.full_name;
+            const branch = context.payload.pull_request.head.ref;
+
+            // https://qiita.com/akko_merry/items/dda3c6b7ae01ac143a8b#comment-e0ecb4abe4d3d6d76054
+            const now = new Date();
+            now.setMinutes(now.getMinutes() + 9 * 60); // JST is +0900
+            const time = now.toJSON()?.replace('T', ' ').slice(0, 19) + ' JST';
+
+            core.setOutput('sha0', sha0);
+            core.setOutput('sha', sha);
+            core.setOutput('base_url', base_url);
+            core.setOutput('repo_full', repo_full);
+            core.setOutput('ubranch', encodeURIComponent(branch));
+            core.setOutput('time', time);
+
+      - id: file_list
+        shell: bash
+        run: |
+            content=$(
+              git diff --name-status --diff-filter=dr ${{ steps.vars.outputs.sha0 }} ${{ steps.vars.outputs.sha }} |
+                sed -n '
+                  # normalize the line format
+                  s/^[[:space:]]*\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}/\1 /
+
+                  # exclude filenames containing special characters that may break Markdown
+                  /[][`()]/d
+
+                  # exclude README.md
+                  /^[^[:space:]]* README\.md$/d
+
+                  # generate list items
+                  s|^A \(.*\)\.md$|- :memo: [`\1`](${{ steps.vars.outputs.base_url }}/\1.html) :sparkles:|p
+                  s|^[^[:space:]]* \(.*\)\.md$|- :memo: [`\1`](${{ steps.vars.outputs.base_url }}/\1.html)|p
+                '
+            )
+            [[ $content ]] || content='- (内容変更された `.md` ファイルはありません)'
+            echo 'content<<EOF' >> "$GITHUB_OUTPUT"
+            echo "$content" >> "$GITHUB_OUTPUT"
+            echo 'EOF' >> "$GITHUB_OUTPUT"
+      - uses: thollander/actions-comment-pull-request@v3
+        with:
+          message: |
+            :zap: [**プレビュー (HTML)**](${{ steps.vars.outputs.base_url }}) (更新時刻: ${{ steps.vars.outputs.time }})
+
+            - **⫯** Commit: ${{ steps.vars.outputs.sha }}
+            - プレビューの生成には時間がかかります (3～5分)。進捗状況は[こちら](https://github.com/${{ steps.vars.outputs.repo_full }}/actions?query=event%3Apull_request_target+branch%3A${{ steps.vars.outputs.ubranch }})をご確認ください。
+
+            #### 変更記事一覧
+
+            ${{ steps.file_list.outputs.content }}
+
+            ※ソース (.md) に直接変更のあった記事を列挙しています。グローバル修飾や変換規則の変更による変化は考慮していません。
+          comment-tag: cpprefjp-preview_link
+          github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/code_qualify_check.yml b/.github/workflows/code_qualify_check.yml
diff --git a/.github/workflows/defined_word_check.yml b/.github/workflows/defined_word_check.yml
diff --git a/.github/workflows/detect_forbidden_characters.yml b/.github/workflows/detect_forbidden_characters.yml