Merge branch 'v6'

Author: crohr

.dockerignore

@@ -7,36 +7,36 @@ on:
 
 jobs:
   deploy_env1:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.event_name == 'schedule' || github.event_name == 'push' || github.event.label.name == 'pullpreview-multi-env' || contains(github.event.pull_request.labels.*.name, 'pullpreview-multi-env')
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: "./"
         with:
           deployment_variant: env1
           label: pullpreview-multi-env
           admins: crohr,qbonnard
           app_path: ./examples/wordpress
-          instance_type: micro_2_0
+          instance_type: micro
           registries: docker://${{ secrets.GHCR_PAT }}@ghcr.io
         env:
           AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
           AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 
   deploy_env2:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.event_name == 'schedule' || github.event_name == 'push' || github.event.label.name == 'pullpreview-multi-env' || contains(github.event.pull_request.labels.*.name, 'pullpreview-multi-env')
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: "./"
         with:
           deployment_variant: env2
           label: pullpreview-multi-env
           admins: crohr,qbonnard
           app_path: ./examples/wordpress
-          instance_type: micro_2_0
+          instance_type: micro
           registries: docker://${{ secrets.GHCR_PAT }}@ghcr.io
         env:
           AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"

.github/workflows/pullpreview-multi-env.yml

@@ -5,47 +5,138 @@ on:
   push:
     branches:
       - master
-      - v5
+      - v6
   pull_request:
-    types: [labeled, unlabeled, synchronize, closed, reopened]
+    types: [labeled, unlabeled, synchronize, closed, reopened, opened]
 
 concurrency: ${{ github.ref }}
 
 permissions:
   contents: read # to fetch code (actions/checkout)
-  deployments: write # to delete deployments
-  pull-requests: write # to remove labels
-  statuses: write # to create commit status
+  pull-requests: write # to remove labels / write PR comments
 
 jobs:
-  deploy:
-    runs-on: ubuntu-latest
+  deploy_smoke_1:
+    runs-on: ubuntu-slim
     if: github.event_name == 'schedule' || github.event_name == 'push' || github.event.label.name == 'pullpreview' || contains(github.event.pull_request.labels.*.name, 'pullpreview')
-    timeout-minutes: 30
+    timeout-minutes: 35
     steps:
-      - uses: actions/checkout@v4
-      - uses: "./"
+      - uses: actions/checkout@v6
+
+      - name: Deploy smoke app (v1)
+        id: pullpreview
+        uses: "./"
         with:
           admins: "@collaborators/push"
-          always_on: master,v5
-          app_path: ./examples/wordpress
+          always_on: master,v6
+          app_path: ./examples/workflow-smoke
           instance_type: micro
           # only required if using custom domain for your preview environments
-          dns: custom.preview.run
+          dns: preview.chunk.io
           max_domain_length: 30
-          # only required if fetching images from private registry
+          # Enable HTTPS preview URL through Caddy + Let's Encrypt.
+          proxy_tls: web:8080
+          # required here because the mysql image is private in GHCR
           registries: docker://${{ secrets.GHCR_PAT }}@ghcr.io
           # how long this instance will stay alive (each further commit will reset the timer)
           ttl: 1h
-          # preinstall script to run on the instance before docker-compose is called, relative to the app_path
-          pre_script: ./pre_script.sh
         env:
           AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
           AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
-      # # Uncomment the following if need to debug
-      # - name: Setup tmate session
-      #   if: always()
-      #   uses: mxschmitt/action-tmate@v3
-      #   timeout-minutes: 45
-      #   with:
-      #     limit-access-to-actor: true
+
+      - name: Assert deploy v1 and DB seed state
+        shell: bash
+        env:
+          PREVIEW_URL: ${{ steps.pullpreview.outputs.url }}
+        run: |
+          set -euo pipefail
+
+          if [[ "${PREVIEW_URL}" != https://* ]]; then
+            echo "::error::Expected https preview URL when proxy_tls is enabled, got ${PREVIEW_URL}"
+            exit 1
+          fi
+
+          response=""
+          for attempt in $(seq 1 60); do
+            response="$(curl -fsSL --max-time 15 "${PREVIEW_URL}" || true)"
+            if printf '%s' "${response}" | grep -q 'Hello World Deploy 1' && \
+              printf '%s' "${response}" | grep -q 'seed_count=1' && \
+              printf '%s' "${response}" | grep -q 'seed_label=persisted'; then
+              echo "Smoke v1 checks passed for ${PREVIEW_URL}"
+              exit 0
+            fi
+
+            echo "Attempt ${attempt}/60: waiting for v1 response from ${PREVIEW_URL}"
+            sleep 5
+          done
+
+          echo "::error::Unexpected response from ${PREVIEW_URL}"
+          printf '%s\n' "${response}"
+          exit 1
+
+  deploy_smoke_2:
+    runs-on: ubuntu-slim
+    needs: deploy_smoke_1
+    if: needs.deploy_smoke_1.result == 'success'
+    timeout-minutes: 35
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Update app payload to v2
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          printf '%s\n' 'Hello World Deploy 2' > examples/workflow-smoke/web/message.txt
+
+          # This file should be synced, but with persistent DB volume it should not run.
+          cat > examples/workflow-smoke/dumps/999_should_not_run.sql <<'SQL'
+          INSERT INTO seed_data (label) VALUES ('should-not-run');
+          SQL
+
+      - name: Redeploy smoke app (v2)
+        id: pullpreview
+        uses: "./"
+        with:
+          admins: "@collaborators/push"
+          always_on: master,v6
+          app_path: ./examples/workflow-smoke
+          instance_type: micro
+          dns: preview.chunk.io
+          max_domain_length: 30
+          proxy_tls: web:8080
+          registries: docker://${{ secrets.GHCR_PAT }}@ghcr.io
+          ttl: 1h
+        env:
+          AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+          AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+
+      - name: Assert deploy v2 and DB persistence
+        shell: bash
+        env:
+          PREVIEW_URL: ${{ steps.pullpreview.outputs.url }}
+        run: |
+          set -euo pipefail
+
+          if [[ "${PREVIEW_URL}" != https://* ]]; then
+            echo "::error::Expected https preview URL when proxy_tls is enabled, got ${PREVIEW_URL}"
+            exit 1
+          fi
+
+          response=""
+          for attempt in $(seq 1 60); do
+            response="$(curl -fsSL --max-time 15 "${PREVIEW_URL}" || true)"
+            if printf '%s' "${response}" | grep -q 'Hello World Deploy 2' && \
+              printf '%s' "${response}" | grep -q 'seed_count=1' && \
+              printf '%s' "${response}" | grep -q 'seed_label=persisted'; then
+              echo "Smoke v2 checks passed for ${PREVIEW_URL}"
+              exit 0
+            fi
+
+            echo "Attempt ${attempt}/60: waiting for v2 response from ${PREVIEW_URL}"
+            sleep 5
+          done
+
+          echo "::error::Unexpected response from ${PREVIEW_URL}"
+          printf '%s\n' "${response}"
+          exit 1

.github/workflows/pullpreview.yml

@@ -1,3 +1,4 @@
 *.swp
 .env*
 tempkey
+.DS_Store

.gitignore

@@ -0,0 +1,3 @@
+[submodule "wiki"]
+	path = wiki
+	url = https://github.com/pullpreview/action.wiki.git

.gitmodules

@@ -1 +1 @@
-ruby 3.1.6
+go 1.25.1

.tool-versions

@@ -0,0 +1,80 @@
+# PullPreview Action — Current Behavior (Go)
+
+This repository ships a GitHub Action implemented in Go.
+
+## Runtime
+- Action definition: `action.yml`
+- Action type: `composite`
+- Runtime binary: prebuilt amd64 Linux artifact in `dist/`
+- No Docker image build is required during action execution.
+
+## Go Tooling
+- Go commands should be run via `mise` for toolchain consistency.
+- Examples:
+  - `mise exec -- go test ./...`
+  - `mise exec -- go run ./cmd/pullpreview up examples/example-app`
+  - `make dist`
+- Dist workflow:
+  - Commit source changes first.
+  - Run `make dist` afterwards.
+  - `make dist` auto-commits the updated bundled binary with a standard commit message.
+  - Before merging, `make rewrite` can rewrite the current branch and drop dist-only auto-commits (force-push required).
+
+## CLI
+Entrypoint source is `cmd/pullpreview/main.go`.
+
+Supported commands:
+- `pullpreview up path/to/app`
+- `pullpreview down --name <instance>`
+- `pullpreview list org/repo`
+- `pullpreview github-sync path/to/app`
+
+## Deploy behavior (`up`)
+- Launches/restores Lightsail instance and waits for SSH.
+- Uploads authorized keys.
+- Renders compose config, rewrites relative bind mounts under `app_path` to `/app/...`, and syncs only those bind-mounted local paths to the server via `rsync`.
+- Deploys through Docker context to the remote engine.
+- Executes `pre_script` inline over SSH before `docker compose up` (script must be self-contained).
+- Optional automatic HTTPS proxying via Caddy + Let's Encrypt when `proxy_tls` is set.
+  - Format: `service:port` (for example `web:80`).
+  - Forces preview URL/output to HTTPS on port `443`.
+  - Opens firewall port `443` and suppresses firewall exposure for port `80`.
+  - Injects `pullpreview-proxy` service unless host port `443` is already published (then it logs a warning and skips proxy injection).
+- Emits periodic heartbeat logs with:
+  - preview URL
+  - SSH command (`ssh user@ip`)
+  - authorized users info
+  - key-upload confirmation
+
+## GitHub sync behavior (`github-sync`)
+- Handles PR labeled/opened/reopened/synchronize/unlabeled/closed events.
+- Handles push events for `always_on` branches.
+- Handles scheduled cleanup of dangling labeled preview instances.
+- Updates marker-based PR status comments.
+- For `admins: "@collaborators/push"`:
+  - loads collaborators from GitHub REST API with `affiliation=all` + `permission=push`
+  - uses only the first page (up to 100 users)
+  - emits a warning if additional pages exist
+  - fetches each admin's SSH public keys via GitHub API and forwards keys to the instance
+  - uses local key cache directory (`PULLPREVIEW_SSH_KEYS_CACHE_DIR`) to avoid refetching keys across runs
+- Always posts/updates marker-based PR status comments per environment/job with building/ready/error/destroyed state and preview URL.
+
+## Action inputs/outputs
+- Existing inputs are preserved.
+- Additional input:
+  - `proxy_tls` (`service:port`, default empty)
+- Outputs:
+  - `url`
+  - `host`
+  - `username`
+
+## Key directories
+- `cmd/pullpreview`: CLI
+- `internal/pullpreview`: core orchestration
+- `internal/providers/lightsail`: Lightsail provider
+- `internal/github`: GitHub API wrapper
+- `internal/license`: license check client
+- `dist/`: bundled Linux amd64 binary used by the action
+
+## Repo-local skill
+- `skills/pullpreview-demo-flow/SKILL.md`: repeatable end-to-end demo capture workflow (PR open/label/deploy/view deployment/unlabel/destroy) with strict screenshot requirements and fixed demo PR title.

AGENTS.md

@@ -1,4 +1,29 @@
-## master
+## v6.0.0
+
+### Breaking changes
+
+- **Complete rewrite from Ruby/Docker to Go** — PullPreview now ships as a native binary in a composite action. No more Docker container overhead.
+- **Removed GitHub Deployments/Environments integration** — preview URLs are now displayed via PR comments and job summaries.
+- **Removed commit status integration** — deployment state is reported through PR comments only.
+- **Removed `comment_pr` input** — PR comment updates are always enabled.
+- Workflow references should now use `pullpreview/action@v6`.
+
+### New features
+
+- **Automatic HTTPS with `proxy_tls`** — inject a Caddy reverse proxy with Let's Encrypt certificates (e.g. `proxy_tls: web:80`).
+- **Built-in DNS alternatives** — use `rev1.click` through `rev9.click` to work around Let's Encrypt rate limits (50 certs/domain/week).
+- **`pre_script` input** — run a local shell script on the instance before docker compose.
+- **`ttl` input** — set a maximum deployment lifetime (e.g. `10h`, `5d`, `infinite`).
+- **Job summary** — deployment details are added to the GitHub Actions job summary.
+- **SSH key caching** — collaborator SSH keys are cached between workflow runs via the action cache.
+- **Compose troubleshooting** — docker container health status is displayed on deploy failures.
+- **Scheduled cleanup reconciliation** — dangling instances are reconciled against repo state during scheduled runs.
+
+### Improvements
+
+- Deploy files via rsync with bind mounts instead of Docker context.
+- PR comments are scoped by environment and job for multi-env setups.
+- PullPreview environment variables are injected during compose interpolation.
 
 ## v5.8.0