angular-cn/aio/aio-builds-setup/docs/overview--general.md

# Overview - General


## Objective
Whenever a PR job is run on the CI infrastructure (e.g. CircleCI), we want to build `angular.io`
and host the build artifacts on a publicly accessible server so that collaborators (developers,
designers, authors, etc) can preview the changes without having to checkout and build the app
locally.


## Source code
In order to make it easier to administer the server and version-control the setup, we are using
[docker](https://www.docker.com) to run a container on a VM. The Dockerfile and all other files
necessary for creating the docker container are stored (and versioned) along with the angular.io
project's source code (currently part of the angular/angular repo) in the `aio-builds-setup/`
directory.


## Setup
The VM is hosted on [Google Compute Engine](https://cloud.google.com/compute/). The host OS is
debian:jessie. For more info how to set up the host VM take a look at the "Setting up the VM"
section in [TOC](_TOC.md).


## Security model
Since we are managing a public server, it is important to take appropriate measures in order to
prevent abuse. For more details on the challenges and the chosen approach take a look at the
[security model](overview--security-model.md).


## The 10000 feet view
This section gives a brief summary of the several operations performed on CI and by the docker
container:


### On CI (CircleCI)
- The CI script builds the angular.io project.
- The CI script gzips and stores the build artifacts in the CI infrastructure.
- When the build completes, CircleCI triggers a webhook on the preview-server.

More info on how to set things up on CI can be found [here](misc--integrate-with-ci.md).


### Hosting build artifacts
- nginx receives the webhook trigger and passes it through to the preview server.
- The preview-server runs several preliminary checks to determine whether the request is valid and
  whether the corresponding PR can have a (public or non-public) preview (more details can be found
  [here](overview--security-model.md)).
- The preview-server makes a request to CircleCI for the URL of the AIO build artifacts.
- The preview-server makes a request to this URL to receive the artifact - failing if the size
  exceeds the specified max file size - and stores it in a temporary location.
- The preview-server runs more checks to determine whether the preview should be publicly accessible
  or stored for later verification (more details can be found [here](overview--security-model.md)).
- The preview-server changes the "visibility" of the associated PR, if necessary. For example, if
  builds for the same PR had been previously deployed as non-public and the current build has been
  automatically verified, all previous builds are made public as well.
  If the PR transitions from "non-public" to "public", the preview-server posts a comment on the
  corresponding PR on GitHub mentioning the SHAs and the links where the previews can be found.
- The preview-server verifies that it is not trying to overwrite an existing build.
- The preview-server deploys the artifacts to a sub-directory named after the PR number and the
  first few characters of the SHA: `<PR>/<SHA>/`
  (Non-publicly accessible PRs will be stored in a different location, but again derived from the PR
  number and SHA.)
- If the PR is publicly accessible, the preview-server posts a comment on the corresponding PR on
  GitHub mentioning the SHA and the link where the preview can be found.

More info on the possible HTTP status codes and their meaning can be found
[here](overview--http-status-codes.md).


### Updating PR visibility
- nginx receives a natification that a PR has been updated and passes it through to the
  preview-server. This could, for example, be sent by a GitHub webhook every time a PR's labels
  change.
  E.g.: `ngbuilds.io/pr-updated` (payload: `{"number":<PR>,"action":"labeled"}`)
- The request contains the PR number (as `number`) and optionally the action that triggered the
  request (as `action`) in the payload.
- The preview-server verifies the payload and determines whether the `action` (if specified) could
  have led to PR visibility changes. Only requests that omit the `action` field altogether or
  specify an action that can affect visibility are further processed.
  (Currently, the only actions that are considered capable of affecting visibility are `labeled` and
  `unlabeled`.)
- The preview-server re-checks and if necessary updates the PR's visibility.

More info on the possible HTTP status codes and their meaning can be found
[here](overview--http-status-codes.md).


### Serving build artifacts
- nginx receives a request for a hosted preview resource on a subdomain corresponding to the PR and SHA.
  E.g.: `pr<PR>-<SHA>.ngbuilds.io/path/to/resource`
- nginx maps the subdomain to the correct sub-directory and serves the resource.
  E.g.: `/<PR>/<SHA>/path/to/resource`

More info on the possible HTTP status codes and their meaning can be found
[here](overview--http-status-codes.md).


### Removing obsolete artifacts
In order to avoid flooding the disk with unnecessary build artifacts, there is a cronjob that runs a
clean-up task once a day. The task retrieves all open PRs from GitHub and removes all directories
that do not correspond to an open PR.


### Health-check
The docker service runs a periodic health-check that verifies the running conditions of the
container. This includes verifying the status of specific system services, the responsiveness of
nginx and the preview-server and internet connectivity.
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`# Overview - General`


			`## Objective`
docs(docs-infra): update the preview server documentation 2018-05-09 13:54:53 -04:00			Whenever a PR job is run on the CI infrastructure (e.g. CircleCI), we want to build `angular.io`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`and host the build artifacts on a publicly accessible server so that collaborators (developers,`
docs(docs-infra): update the preview server documentation 2018-05-09 13:54:53 -04:00			`designers, authors, etc) can preview the changes without having to checkout and build the app`
			`locally.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00

			`## Source code`
			`In order to make it easier to administer the server and version-control the setup, we are using`
			`[docker](https://www.docker.com) to run a container on a VM. The Dockerfile and all other files`
			`necessary for creating the docker container are stored (and versioned) along with the angular.io`
			project's source code (currently part of the angular/angular repo) in the `aio-builds-setup/`
			`directory.`


			`## Setup`
			`The VM is hosted on [Google Compute Engine](https://cloud.google.com/compute/). The host OS is`
			`debian:jessie. For more info how to set up the host VM take a look at the "Setting up the VM"`
			`section in [TOC](_TOC.md).`


			`## Security model`
			`Since we are managing a public server, it is important to take appropriate measures in order to`
			`prevent abuse. For more details on the challenges and the chosen approach take a look at the`
			`[security model](overview--security-model.md).`


			`## The 10000 feet view`
			`This section gives a brief summary of the several operations performed on CI and by the docker`
			`container:`


docs(docs-infra): update the preview server documentation 2018-05-09 13:54:53 -04:00			`### On CI (CircleCI)`
docs(docs-infra): update preview server docs to account for recent changes (#25671) Mostly (but not exclusively) a follow-up to #23576. PR Close #25671 2018-09-06 11:28:20 -04:00			`- The CI script builds the angular.io project.`
docs(docs-infra): update the preview server documentation 2018-05-09 13:54:53 -04:00			`- The CI script gzips and stores the build artifacts in the CI infrastructure.`
docs(docs-infra): update preview server docs to account for recent changes (#25671) Mostly (but not exclusively) a follow-up to #23576. PR Close #25671 2018-09-06 11:28:20 -04:00			`- When the build completes, CircleCI triggers a webhook on the preview-server.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00
			`More info on how to set things up on CI can be found [here](misc--integrate-with-ci.md).`


docs(docs-infra): update the preview server documentation 2018-05-09 13:54:53 -04:00			`### Hosting build artifacts`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- nginx receives the webhook trigger and passes it through to the preview server.`
docs(docs-infra): update preview server docs to account for recent changes (#25671) Mostly (but not exclusively) a follow-up to #23576. PR Close #25671 2018-09-06 11:28:20 -04:00			`- The preview-server runs several preliminary checks to determine whether the request is valid and`
			`whether the corresponding PR can have a (public or non-public) preview (more details can be found`
			`[here](overview--security-model.md)).`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- The preview-server makes a request to CircleCI for the URL of the AIO build artifacts.`
			`- The preview-server makes a request to this URL to receive the artifact - failing if the size`
docs(docs-infra): update the preview server documentation 2018-05-09 13:54:53 -04:00			`exceeds the specified max file size - and stores it in a temporary location.`
docs(docs-infra): update preview server docs to account for recent changes (#25671) Mostly (but not exclusively) a follow-up to #23576. PR Close #25671 2018-09-06 11:28:20 -04:00			`- The preview-server runs more checks to determine whether the preview should be publicly accessible`
			`or stored for later verification (more details can be found [here](overview--security-model.md)).`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- The preview-server changes the "visibility" of the associated PR, if necessary. For example, if`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`builds for the same PR had been previously deployed as non-public and the current build has been`
feat(aio): use shorter URLs for previews Use the 7 first characters of the 40-chars long SHAs for shorter/cleaner URLs. The collision probability is extremely low (since all SHAs are further "namespaced" under the corresponding PR). In case of a collision, the second PR will not be deployed, in order to avoid overwriting the original build. (This is a design decision to keep the implementation simple. It can be changed later if necessary.) 2017-06-25 15:13:03 -04:00			`automatically verified, all previous builds are made public as well.`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`If the PR transitions from "non-public" to "public", the preview-server posts a comment on the`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`corresponding PR on GitHub mentioning the SHAs and the links where the previews can be found.`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- The preview-server verifies that it is not trying to overwrite an existing build.`
docs(docs-infra): update preview server docs to account for recent changes (#25671) Mostly (but not exclusively) a follow-up to #23576. PR Close #25671 2018-09-06 11:28:20 -04:00			`- The preview-server deploys the artifacts to a sub-directory named after the PR number and the`
			first few characters of the SHA: `<PR>/<SHA>/`
feat(aio): use shorter URLs for previews Use the 7 first characters of the 40-chars long SHAs for shorter/cleaner URLs. The collision probability is extremely low (since all SHAs are further "namespaced" under the corresponding PR). In case of a collision, the second PR will not be deployed, in order to avoid overwriting the original build. (This is a design decision to keep the implementation simple. It can be changed later if necessary.) 2017-06-25 15:13:03 -04:00			`(Non-publicly accessible PRs will be stored in a different location, but again derived from the PR`
			`number and SHA.)`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- If the PR is publicly accessible, the preview-server posts a comment on the corresponding PR on`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`GitHub mentioning the SHA and the link where the preview can be found.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00
docs(aio): document preview server HTTP status codes 2017-06-19 07:52:58 -04:00			`More info on the possible HTTP status codes and their meaning can be found`
			`[here](overview--http-status-codes.md).`

docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00
feat(aio): add API endpoint for notifying about PR updates This commit adds an API endpoint for notifying the preview server about PR updates (`/pr-updated`). According to the update, the preview server can take several actions. Currently, it will only check and (if necessary) update the PR's preview visibility (but more actions could be supported in the future). The API can be used with an automatic trigger (e.g. a GitHub webhook) to instantly update a PR's preview visibility when it changes. Fixes #16526 2017-06-27 12:43:02 -04:00			`### Updating PR visibility`
			`- nginx receives a natification that a PR has been updated and passes it through to the`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`preview-server. This could, for example, be sent by a GitHub webhook every time a PR's labels`
feat(aio): add API endpoint for notifying about PR updates This commit adds an API endpoint for notifying the preview server about PR updates (`/pr-updated`). According to the update, the preview server can take several actions. Currently, it will only check and (if necessary) update the PR's preview visibility (but more actions could be supported in the future). The API can be used with an automatic trigger (e.g. a GitHub webhook) to instantly update a PR's preview visibility when it changes. Fixes #16526 2017-06-27 12:43:02 -04:00			`change.`
			E.g.: `ngbuilds.io/pr-updated` (payload: `{"number":<PR>,"action":"labeled"}`)
			- The request contains the PR number (as `number`) and optionally the action that triggered the
			request (as `action`) in the payload.
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			- The preview-server verifies the payload and determines whether the `action` (if specified) could
feat(aio): add API endpoint for notifying about PR updates This commit adds an API endpoint for notifying the preview server about PR updates (`/pr-updated`). According to the update, the preview server can take several actions. Currently, it will only check and (if necessary) update the PR's preview visibility (but more actions could be supported in the future). The API can be used with an automatic trigger (e.g. a GitHub webhook) to instantly update a PR's preview visibility when it changes. Fixes #16526 2017-06-27 12:43:02 -04:00			have led to PR visibility changes. Only requests that omit the `action` field altogether or
			`specify an action that can affect visibility are further processed.`
			(Currently, the only actions that are considered capable of affecting visibility are `labeled` and
			`unlabeled`.)
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- The preview-server re-checks and if necessary updates the PR's visibility.`
feat(aio): add API endpoint for notifying about PR updates This commit adds an API endpoint for notifying the preview server about PR updates (`/pr-updated`). According to the update, the preview server can take several actions. Currently, it will only check and (if necessary) update the PR's preview visibility (but more actions could be supported in the future). The API can be used with an automatic trigger (e.g. a GitHub webhook) to instantly update a PR's preview visibility when it changes. Fixes #16526 2017-06-27 12:43:02 -04:00
			`More info on the possible HTTP status codes and their meaning can be found`
			`[here](overview--http-status-codes.md).`


docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`### Serving build artifacts`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`- nginx receives a request for a hosted preview resource on a subdomain corresponding to the PR and SHA.`
docs(aio): correct spelling in overview 2017-03-25 22:48:36 -04:00			E.g.: `pr<PR>-<SHA>.ngbuilds.io/path/to/resource`
			`- nginx maps the subdomain to the correct sub-directory and serves the resource.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			E.g.: `/<PR>/<SHA>/path/to/resource`

feat(aio): add API endpoint for notifying about PR updates This commit adds an API endpoint for notifying the preview server about PR updates (`/pr-updated`). According to the update, the preview server can take several actions. Currently, it will only check and (if necessary) update the PR's preview visibility (but more actions could be supported in the future). The API can be used with an automatic trigger (e.g. a GitHub webhook) to instantly update a PR's preview visibility when it changes. Fixes #16526 2017-06-27 12:43:02 -04:00			`More info on the possible HTTP status codes and their meaning can be found`
docs(aio): document preview server HTTP status codes 2017-06-19 07:52:58 -04:00			`[here](overview--http-status-codes.md).`

docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00
			`### Removing obsolete artifacts`
			`In order to avoid flooding the disk with unnecessary build artifacts, there is a cronjob that runs a`
docs(docs-infra): update preview server docs to account for recent changes (#25671) Mostly (but not exclusively) a follow-up to #23576. PR Close #25671 2018-09-06 11:28:20 -04:00			`clean-up task once a day. The task retrieves all open PRs from GitHub and removes all directories`
			`that do not correspond to an open PR.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00

			`### Health-check`
			`The docker service runs a periodic health-check that verifies the running conditions of the`
			`container. This includes verifying the status of specific system services, the responsiveness of`
ci(docs-infra): rename 'upload-server' to 'preview-server' The server no longer has files uploaded to it. Instead it is more accurate to refer to it as dealing with "previews" of PRs. 2018-08-15 08:47:45 -04:00			`nginx and the preview-server and internet connectivity.`