angular-docs-cn/aio/aio-builds-setup/docs/overview--general.md

# Overview - General


## Objective
Whenever a PR job is run on Travis, we want to build `angular.io` and upload the build artifacts to
a publicly accessible server so that collaborators (developers, designers, authors, etc) can preview
the changes without having to checkout and build the app locally.


## Source code
In order to make it easier to administer the server and version-control the setup, we are using
[docker](https://www.docker.com) to run a container on a VM. The Dockerfile and all other files
necessary for creating the docker container are stored (and versioned) along with the angular.io
project's source code (currently part of the angular/angular repo) in the `aio-builds-setup/`
directory.


## Setup
The VM is hosted on [Google Compute Engine](https://cloud.google.com/compute/). The host OS is
debian:jessie. For more info how to set up the host VM take a look at the "Setting up the VM"
section in [TOC](_TOC.md).


## Security model
Since we are managing a public server, it is important to take appropriate measures in order to
prevent abuse. For more details on the challenges and the chosen approach take a look at the
[security model](overview--security-model.md).


## The 10000 feet view
This section gives a brief summary of the several operations performed on CI and by the docker
container:


### On CI (Travis)
- Build job completes successfully.
- The CI script checks whether the build job was initiated by a PR against the angular/angular
  master branch.
- The CI script checks whether the PR has touched any files that might affect the angular.io app
  (currently the `aio/` or `packages/` directories, ignoring spec files).
- Optionally, the CI script can check whether the PR can be automatically verified (i.e. if the
  author of the PR is a member of one of the whitelisted GitHub teams or the PR has the specified
  "trusted PR" label).
  **Note:**
  For security reasons, the same checks will be performed on the server as well. This is an optional
  step that can be used in case one wants to apply special logic depending on the outcome of the
  pre-verification. For example:
  1. One might want to deploy automatically verified PRs only. In that case, the pre-verification
     helps avoid the wasted overhead associated with uploads that are going to be rejected (e.g.
     building the artifacts, sending them to the server, running checks on the server, detecting the
     reasons of deployment failure and whether to fail the build, etc).
  2. One might want to apply additional logic (e.g. different tests) depending on whether the PR is
     automatically verified or not).
- The CI script gzips and uploads the build artifacts to the server.

More info on how to set things up on CI can be found [here](misc--integrate-with-ci.md).


### Uploading build artifacts
- nginx receives the upload request.
- nginx checks that the uploaded gzip archive does not exceed the specified max file size, stores it
  in a temporary location and passes the filepath to the Node.js upload-server.
- The upload-server runs several checks to determine whether the request should be accepted and
  whether it should be publicly accessible or stored for later verification (more details can be
  found [here](overview--security-model.md)).
- The upload-server changes the "visibility" of the associated PR, if necessary. For example, if
  builds for the same PR had been previously deployed as non-public and the current build has been
  automatically verified, all previous builds are made public.
  If the PR transitions from "non-public" to "public", the upload-server posts a comment on the
  corresponding PR on GitHub mentioning the SHAs and the links where the previews can be found.
- The upload-server verifies that the uploaded file is not trying to overwrite an existing build.
- The upload-server deploys the artifacts to a sub-directory named after the PR number and SHA:
  `<PR>/<SHA>/` (Non-publicly accessible PRs will be stored in a different location.)
- If the PR is publicly accessible, the upload-server posts a comment on the corresponding PR on
  GitHub mentioning the SHA and the link where the preview can be found.


### Serving build artifacts
- nginx receives a request for an uploaded resource on a subdomain corresponding to the PR and SHA.
  E.g.: `pr<PR>-<SHA>.ngbuilds.io/path/to/resource`
- nginx maps the subdomain to the correct sub-directory and serves the resource.
  E.g.: `/<PR>/<SHA>/path/to/resource`


### Removing obsolete artifacts
In order to avoid flooding the disk with unnecessary build artifacts, there is a cronjob that runs a
clean-up tasks once a day. The task retrieves all open PRs from GitHub and removes all directories
that do not correspond with an open PR.


### Health-check
The docker service runs a periodic health-check that verifies the running conditions of the
container. This includes verifying the status of specific system services, the responsiveness of
nginx and the upload-server and internet connectivity.
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`# Overview - General`


			`## Objective`
			Whenever a PR job is run on Travis, we want to build `angular.io` and upload the build artifacts to
			`a publicly accessible server so that collaborators (developers, designers, authors, etc) can preview`
			`the changes without having to checkout and build the app locally.`


			`## Source code`
			`In order to make it easier to administer the server and version-control the setup, we are using`
			`[docker](https://www.docker.com) to run a container on a VM. The Dockerfile and all other files`
			`necessary for creating the docker container are stored (and versioned) along with the angular.io`
			project's source code (currently part of the angular/angular repo) in the `aio-builds-setup/`
			`directory.`


			`## Setup`
			`The VM is hosted on [Google Compute Engine](https://cloud.google.com/compute/). The host OS is`
			`debian:jessie. For more info how to set up the host VM take a look at the "Setting up the VM"`
			`section in [TOC](_TOC.md).`


			`## Security model`
			`Since we are managing a public server, it is important to take appropriate measures in order to`
			`prevent abuse. For more details on the challenges and the chosen approach take a look at the`
			`[security model](overview--security-model.md).`


			`## The 10000 feet view`
			`This section gives a brief summary of the several operations performed on CI and by the docker`
			`container:`


			`### On CI (Travis)`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`- Build job completes successfully.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`- The CI script checks whether the build job was initiated by a PR against the angular/angular`
			`master branch.`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`- The CI script checks whether the PR has touched any files that might affect the angular.io app`
			(currently the `aio/` or `packages/` directories, ignoring spec files).
			`- Optionally, the CI script can check whether the PR can be automatically verified (i.e. if the`
			`author of the PR is a member of one of the whitelisted GitHub teams or the PR has the specified`
			`"trusted PR" label).`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`Note:`
			`For security reasons, the same checks will be performed on the server as well. This is an optional`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`step that can be used in case one wants to apply special logic depending on the outcome of the`
			`pre-verification. For example:`
			`1. One might want to deploy automatically verified PRs only. In that case, the pre-verification`
			`helps avoid the wasted overhead associated with uploads that are going to be rejected (e.g.`
			`building the artifacts, sending them to the server, running checks on the server, detecting the`
			`reasons of deployment failure and whether to fail the build, etc).`
			`2. One might want to apply additional logic (e.g. different tests) depending on whether the PR is`
			`automatically verified or not).`
			`- The CI script gzips and uploads the build artifacts to the server.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00
			`More info on how to set things up on CI can be found [here](misc--integrate-with-ci.md).`


			`### Uploading build artifacts`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`- nginx receives the upload request.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`- nginx checks that the uploaded gzip archive does not exceed the specified max file size, stores it`
			`in a temporary location and passes the filepath to the Node.js upload-server.`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`- The upload-server runs several checks to determine whether the request should be accepted and`
			`whether it should be publicly accessible or stored for later verification (more details can be`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`found [here](overview--security-model.md)).`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`- The upload-server changes the "visibility" of the associated PR, if necessary. For example, if`
			`builds for the same PR had been previously deployed as non-public and the current build has been`
			`automatically verified, all previous builds are made public.`
			`If the PR transitions from "non-public" to "public", the upload-server posts a comment on the`
			`corresponding PR on GitHub mentioning the SHAs and the links where the previews can be found.`
			`- The upload-server verifies that the uploaded file is not trying to overwrite an existing build.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			`- The upload-server deploys the artifacts to a sub-directory named after the PR number and SHA:`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`<PR>/<SHA>/` (Non-publicly accessible PRs will be stored in a different location.)
			`- If the PR is publicly accessible, the upload-server posts a comment on the corresponding PR on`
			`GitHub mentioning the SHA and the link where the preview can be found.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00

			`### Serving build artifacts`
			`- nginx receives a request for an uploaded resource on a subdomain corresponding to the PR and SHA.`
docs(aio): correct spelling in overview 2017-03-25 22:48:36 -04:00			E.g.: `pr<PR>-<SHA>.ngbuilds.io/path/to/resource`
			`- nginx maps the subdomain to the correct sub-directory and serves the resource.`
docs(aio): add more docs about `aio-builds-setup` 2017-03-09 15:12:01 -05:00			E.g.: `/<PR>/<SHA>/path/to/resource`


			`### Removing obsolete artifacts`
			`In order to avoid flooding the disk with unnecessary build artifacts, there is a cronjob that runs a`
			`clean-up tasks once a day. The task retrieves all open PRs from GitHub and removes all directories`
			`that do not correspond with an open PR.`


			`### Health-check`
			`The docker service runs a periodic health-check that verifies the running conditions of the`
			`container. This includes verifying the status of specific system services, the responsiveness of`
			`nginx and the upload-server and internet connectivity.`