From 4400d70eb181a288301099389377b91d8f2eb25e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20J=C3=A4genstedt?= <philip@foolip.org>
Date: Sat, 13 Jun 2020 21:53:25 +0200
Subject: [PATCH] Migrate to GitHub Actions

Part of https://github.com/whatwg/meta/issues/173.
---
 .github/workflows/test.yml     |  24 ++++++++++++++++++++++++
 .travis.yml                    |  19 -------------------
 ci-deploy/Dockerfile           |   4 +---
 ci-deploy/README.md            |   2 +-
 ci-deploy/deploy-key.enc       | Bin 3248 -> 0 bytes
 ci-deploy/inside-container.sh  |  22 +++++++---------------
 ci-deploy/outside-container.sh |  13 -------------
 7 files changed, 33 insertions(+), 51 deletions(-)
 create mode 100644 .github/workflows/test.yml
 delete mode 100644 .travis.yml
 delete mode 100644 ci-deploy/deploy-key.enc

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..d7438cc
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,24 @@
+name: Test
+on:
+  pull_request:
+    branches:
+    - master
+  push:
+    branches:
+    - master
+jobs:
+  build:
+    name: Test
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - run: shellcheck *.sh
+    - run: shellcheck ci-deploy/*.sh
+    - uses: actions/checkout@v2
+      with:
+        repository: whatwg/html
+        fetch-depth: 2
+        path: ../html
+    - run: ./ci-deploy/outside-container.sh
+      env:
+        IS_TEST_OF_HTML_BUILD_ITSELF: true
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 51f92c8..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-language: bash
-services:
-  - docker
-
-script:
-  - shellcheck *.sh
-  - shellcheck ci-deploy/*.sh
-  - cd .. &&
-    git clone https://github.com/whatwg/html.git --depth 2 &&
-    IS_TEST_OF_HTML_BUILD_ITSELF=true bash ./html-build/ci-deploy/outside-container.sh
-
-branches:
-  only:
-    - master
-
-notifications:
-  email:
-    on_success: never
-    on_failure: always
diff --git a/ci-deploy/Dockerfile b/ci-deploy/Dockerfile
index 16bd093..f4f68c5 100644
--- a/ci-deploy/Dockerfile
+++ b/ci-deploy/Dockerfile
@@ -1,4 +1,4 @@
-# This Dockerfile is just used to run on Travis CI in an environment that can easily and repeatedly
+# This Dockerfile is just used to run in CI in an environment that can easily and repeatedly
 # install our build dependencies.
 FROM debian:stable
 
@@ -48,9 +48,7 @@ ADD html-build /whatwg/html-build
 # on Docker Hub.
 ENV HTML_SOURCE /whatwg/html
 
-ARG travis_pull_request
 ARG is_test_of_html_build_itself
-ENV TRAVIS_PULL_REQUEST=${travis_pull_request}
 ENV IS_TEST_OF_HTML_BUILD_ITSELF=${is_test_of_html_build_itself}
 
 ENV SKIP_BUILD_UPDATE_CHECK=true
diff --git a/ci-deploy/README.md b/ci-deploy/README.md
index d223f12..0919afe 100644
--- a/ci-deploy/README.md
+++ b/ci-deploy/README.md
@@ -1,6 +1,6 @@
 # HTML Standard CI Deploy
 
-This directory contains files used specifically for deploying the HTML Standard on Travis CI. They are not generally relevant to local builds.
+This directory contains files used specifically for deploying the HTML Standard in CI. They are not generally relevant to local builds.
 
 The setup is assumed to be a directory containing:
 
diff --git a/ci-deploy/deploy-key.enc b/ci-deploy/deploy-key.enc
deleted file mode 100644
index 06f68a830faa8fccc581dade51da142bf3488663..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3248
zcmV;h3{Uf`D*o8GN@FmeUtigzuXhfy&ER~sOOwVKuS|~a^Z8}UgjZ-Ka7*!>Ldm84
zT$h+@><r0{eGna}e;^J8{^vNka}0KmoZQ4PkR4o!6bfe}25c*8^CV<y{2Si1I~k@x
zR~eJOJKWs63gPb6Q1h8|)95tm?1OJ}xWRU`ZR<)aKSUSvmvB9*-i^hCIe5~T;N@}}
zRX<pC*{mJ4)C8fZF@Ji_=WfEOrR*nIAGN1PUvlM4LoRiRsM3L0olGAldb@cWPL_*`
z$K1*UK@T((vDS#!U&x#dMhE@FvB~%$L-u*J&@fMvjF+B_`WvaVtN;T4c9z;WGpF1)
zcuQZDw2;<8erZEYRL>*x(|z<&Nj?T9RYi6S1T(H<nom53peYN^Fd1pLqz05o4W8er
zl*7VO>!RK9Ld7~Eau)%J$8pmig~NQFHL8-M0y;eCY2p&v*&{6;ecbC%$F6KGnYN2(
z6qXXG&|WVuRv~~A|9+y$v#9v~PPiU}!*Q8{Q0z)=iTSq_qCmwO<*Ia;Q)!%M|Gr`4
ztwa3J#&e_jp_T=*dOpPK@64zh0SPUaQpcKjeDI24R5;|w*3;P7d=dIfs>0_mj&sDZ
zH7_N)I6)ZKO#}lCRSJ2wXV#TgUwcv2Oe05DY`t$6vqNRy8vBw3zw0tznP<vsotKXG
z?8gB(9h}g&VGkzMY+8IK1Pi|n6eC=H+RU^?30#-g7JSY?(m8bfAd1c~ye!-5`gi$2
z9>>j2!^VnS;=&0@+U_9Lgq+}lrnsda|B4e19&pZ?Jx79@1w_mZB7_QO-nT+wN%P@J
zRRSGMjqC39ZKC<LglWZieldmgPUImfe}dL*G>n;bt4yquQXn8w$tr()b$vjrtd$<O
zRUFM*qC%Ea#ST6lMN-HEB-EqJA($S6)vq{sDe*Bmj&Yu!R=<R4(WNeZK6=U5a5r0@
zd(aheNof~fJgO_^jN;L@d0XmZ)))5QGAo6&Y=q+^qXp1>xzH%T!;VkitidC{Z(tgx
zv0U!|T2iE5!sFLOqZmzT+T0s;f5sI^0~Mu%a9>oZ5_yOKy5sBKfeMTR8xv@B#Y~+@
zhUTPZnDjM<pHma@o#OW{XGssiuN9n-qq}ceH3)%vW9E1(J`=c|J``nZeY8aW2fl~%
zpSiaeF(?Tx*VE{8h9}W3O!tc7cyW|$E58wt^;HpXKdv05TvW;JPn+zr^LVD*34@{T
z2mGtKqyWRVm>}<?dj|_wm^dJ@?L0%3hQKt2GtH%UEMUeV?CX=~8*^5vC(*PfKcg;}
zUG!sH$%@cCI1G-}8p7E1?TPZIt2QJy5f9@<{<~T5HN7uA55e-&cDCM>uTL6f_*yc2
zBAnn?K^aA25W6EX6*N#hL=j_KI3PgW5Mx|!a<$@*)J6efCuY17({HMbytQ|^{RwiB
z+h}kYV>QSvOo>+5dxt%~%+@h&UlOz)QPBHgjVwl*X2X`5SZ^;`M>Ec_U*$|Sz<Yfl
z{bn!fW?U2UJV(x0N2q<}r#n1FEiS;t3Vz&p&Lp<Bw~+woT+f>r#b4K=79+ShkK6Kl
zl!1^@6lOW!3K!fUK-<ydm7^}pm>{?4fSD&)6hSacS})2zkpiG#MAEW~Ch1zC>2-8L
zx}lR-3A=a#yBZ_i(2`XGWzNS6dV?{M-rH-0l+uK#x3|#Mw42;_rn+~XE}77bPs)6$
zGo)VtS|Ls;TwEgnbJ^IQROCPtr2^^jo*591i9AvDBoc7Lxb&5-{(s~O+J8adTB`1%
z?&)s7o;$*++^_)tW9of|Q~Or`|CpEZ*Av@K5~4vFeWb{DTT-><Z+a%!krhUWPEG}C
z+%YNkfzTra2%DvzV0Zj-PEE>j*Osh}6^yDW=zPCZwOaN`5XUJL_r$kTyrn{PY-SI&
zrBTUTaXGv=*hy^9BRtL%iTd-6v<{;{_!8}05f4hr3!{Ngy=lKY7u6QOAqIKpQ;T!1
z8ySjNdns(y2{BZ!{5&EZ`ZQ30DERL+XVftL18DbxVN)+OXS3v3EfY&}CzC-CAYses
ztXN#(K0C0xwvTR}82N1cg3?_*;yKbdMbnrqZb`3^O@ZF#LhDbk_M{S)!{S{yQjFn~
z)%yqoxmazvlr}RkEcEzA<>-sIs7#L@6KUCDz?1vO;B9Q5s3ljx{{EM>7zGTsymJr6
zk2HkfmUm>u3i^fjPGy^Y4(p!|4^{BC_U+jp4_sp>DZ5o-eowWkeI+k<0UY`5pJ<-b
zyF}$T!L?2D(})$%FQ6L@!o=v!ZB}^GLLmWGc^pql9Ai1>lN$}esLXo3S;)H>=ih?!
zx8H<&^-C66%MWk|DiXGVRBUj$$p=h!xIMiAgh{`~>`COta`~8957@xp6DO=~zqNRk
zd$I}q28yC>`4iBeu7!7?pezEZ)-#>0rq+dy8T@w$CR>g|;Lu1M6LDjOR~b#c{8M)~
zFn}ReDSwIN-pGX~CG2)Q0g%kSO}<C2CYegi#Q*2BQyYt8MouZ{ae=#fw6>;gEj<Xv
zb47%kNZR+2d98`uyQE2Byto_n6pD2|WR<x}3i@_(v?+@&o~lQnD%XR}>b9wm&&dCp
z?x#$ON%Wu+W9lJG^o0>cO&LW?L8ZT;GiuO1R$sF<mWnVec!}noB95FaCuKd>RySRN
zZ|Iz2rru2FV;a??Hm<{u9Z5x|L?}@sJq`0v&*OqlZoX2~ycV5Vei9C?NYz049z@x<
z9>+RpGcV9$F?xnieZfx^tz<lJ$v8ND3&LG3#_?ApOe5WY{=<->n1x(9<kX5i6QxQ%
zZ_v%$fLHGXF&&{&OaY?;)HpIhCAgj=+hJ8bP&3o`O&)>}Oqewp{%S!Ol;ZH)ag=JC
zY6>JPm*8dC4o3igB%8`O4%)b%ffb<M$E2#<QVj>-tAI^iF{R*W&E{;n+!A=?Caj-R
zWBeIZBRMh^HYb}OCGhQ9;nS*AG^CUqu}Oy~D4-Hop}br<CLSbspVZq9$u-}AZFjl3
zal=MuPm2pD?+*(BKiX11rx*<Cea=lB3dR)2nhF+5r$|ZYae9t9Mo22B^dqz^k`Mym
zE*=JBrUH-O%fa=Vu9&AUGOlQkAjyXgNMcb~^_F9jq)0LoZB+M5lw0e9rqn#RCCf{J
z`zX{HEVL)AGtXP$zVF`bRbx5g1ZkLpP0hV~7-<4t!q|CTkd1O2k6mhgT;0kP0w!~v
zV<l&UKp~;5zI<$?FUy6}(XEL|oT@A~j?~WQwx0Ck5=kfLGW}Oix7df$M3)HpmBvUO
zZK0iZ-ypfDu7)0ZCKPjDUAbHXi8h&Z($a`*<edKnm`|v+HLAcH<}W9X_}<1TkI0l1
zD8eB<!Agz1L^UD9qz=B6WSZdza7q%}%X8o#l1Azsd)0f`{--C7-XxX|NDJg(SwnB1
z%t9P>ZpKDu-NmC4oAxFW#Es`;=gR`aV}r`c<Z*|!RM<iHv0!k`J@)&+;#F*H)S@uj
zK;!4xX9B!*X^Y$Tpr_{Do`Fu>959$oVDTPzxDBF#c?Mjh6n@Sy1cX;Eh(%bcbH$Tw
z{YmI|dl@W3Skd(wENZU_y|m6RUm462&!n}nxVoiPxWzeEDfiMK1xh1PZo{jE->I$5
zVx!u~>R_XgC%fBuL0`{t$V5i*{O6%}p9hx{)U*qdg|vQxpN7z$QVFAF*(B#S&24);
zM!?I0M1Z($3W`%a{cE<k#Ta@Erzh77tk_DP+`#!fp_TGHdhS-i%p3ogcat?J$P3_i
z<EIOg8m^3~O_Yq~^=zN#*V<hG`fp!<rBAO>Hi4Klg{OV@^_uVhukECO2&!$SP(3VA
zvg|`|ij2pjDYs?i&!3qrkKgdi&i7xPKs2*ramH;k{{zI8=V53gCJ)@C%i8nj5))Uh
z=!N2^dc%kNJI3bl<Nx`xtWZribzHV@y|9Vgv6G>iriPG;-V^P5xTUE*|F{n;ZD`OU
zYY;uq+?s~F{Mv%e=R=vTR?)5}E%^O&;YqK{L>rLcBxQ7A`fDTkNe>Uj#i!&~-r1#k
z@~!%mhqAcHRDRNe!;K>$j&areVvJ{au7w;@s1XP?rQ9<f8!Cs22D<f&ara?c*Vj!L
zX<<H$s77^TPWg2F)JEU`;0Mhgx)7NJk{BQA0YPmJ&-9tm050XD7XHD@)mgk;K1#=q
z$5pa3ZP@6ws%(vf5;gak@W#_x&_JI%47L`UD3+;X>U7U#1-rcNpd^;=>k{O}V92fx
iOrRX42LUq}uLQ6kT7q9|i|Yi5DwZ+h4keNQ-6h5Zs8l%s

diff --git a/ci-deploy/inside-container.sh b/ci-deploy/inside-container.sh
index 15f3e44..ead87c6 100644
--- a/ci-deploy/inside-container.sh
+++ b/ci-deploy/inside-container.sh
@@ -16,9 +16,6 @@ SERVER_PUBLIC_KEY="ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd
 HTML_OUTPUT="$(pwd)/output"
 export HTML_OUTPUT
 
-# Note: $TRAVIS_PULL_REQUEST is either a number or false, not true or false.
-# https://docs.travis-ci.com/user/environment-variables/#Default-Environment-Variables
-TRAVIS_PULL_REQUEST=${TRAVIS_PULL_REQUEST:-false}
 IS_TEST_OF_HTML_BUILD_ITSELF=${IS_TEST_OF_HTML_BUILD_ITSELF:-false}
 
 # Build the spec into the output directory
@@ -33,7 +30,7 @@ unzip vnu.linux.zip
 ./vnu-runtime-image/bin/java -Xmx1g -m vnu/nu.validator.client.SimpleCommandLineValidator --skip-non-html "$HTML_OUTPUT"
 echo ""
 
-if [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then
+if [[ "$GITHUB_EVENT_NAME" != "push" || "$GITHUB_REF" != "refs/heads/master" ]]; then
   echo "Skipping deploy for non-master"
   exit 0
 fi
@@ -42,17 +39,14 @@ if [[ "$IS_TEST_OF_HTML_BUILD_ITSELF" == "true" ]]; then
   exit 0
 fi
 
-# Add the (decoded) deploy key to the SSH agent, so scp works
-chmod 600 html/deploy-key
-eval "$(ssh-agent -s)"
-ssh-add html/deploy-key
-echo "$SERVER $SERVER_PUBLIC_KEY" > known_hosts
+# Add the deploy key to the SSH agent, so scp works
+echo "$SERVER_DEPLOY_KEY" | ssh-add -
+mkdir -p ~/.ssh/ && echo "$SERVER $SERVER_PUBLIC_KEY" > ~/.ssh/known_hosts
 
 # Sync, including deletes, but ignoring the stuff we'll deploy below, so that we don't delete them.
 echo "Deploying build output..."
 # --chmod=D755,F644 means read-write for user, read-only for others.
-rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
-      --archive --chmod=D755,F644 --compress --verbose \
+rsync --archive --chmod=D755,F644 --compress --verbose \
       --delete --exclude="$COMMITS_DIR" --exclude="$REVIEW_DIR" \
       --exclude=print.pdf \
       "$HTML_OUTPUT/" "deploy@$SERVER:/var/www/$WEB_ROOT"
@@ -62,8 +56,7 @@ rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
 echo ""
 echo "Deploying Commit Snapshot and Review Drafts, if any..."
 # --chmod=D755,F644 means read-write for user, read-only for others.
-rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
-      --archive --chmod=D755,F644 --compress --verbose \
+rsync --archive --chmod=D755,F644 --compress --verbose \
       "$HTML_OUTPUT/$COMMITS_DIR" "$HTML_OUTPUT/$REVIEW_DIR" "deploy@$SERVER:/var/www/$WEB_ROOT"
 
 echo ""
@@ -77,8 +70,7 @@ pdfsizeopt --v=40 "$PDF_TMP" "$HTML_OUTPUT/print.pdf"
 
 echo ""
 echo "Deploying PDF..."
-rsync --rsh="ssh -o UserKnownHostsFile=known_hosts" \
-      --archive --compress --verbose \
+rsync --archive --compress --verbose \
       "$HTML_OUTPUT/print.pdf" "deploy@$SERVER:/var/www/$WEB_ROOT/print.pdf"
 
 echo ""
diff --git a/ci-deploy/outside-container.sh b/ci-deploy/outside-container.sh
index 9eeaea2..62605e4 100644
--- a/ci-deploy/outside-container.sh
+++ b/ci-deploy/outside-container.sh
@@ -10,12 +10,10 @@ DOCKER_USERNAME="domenicdenicola"
 DOCKER_HUB_REPO="whatwg/html-deploy"
 
 # Set from the outside:
-TRAVIS_PULL_REQUEST=${TRAVIS_PULL_REQUEST:-false}
 IS_TEST_OF_HTML_BUILD_ITSELF=${IS_TEST_OF_HTML_BUILD_ITSELF:-false}
 
 # When not running pull request builds:
 # - DOCKER_PASSWORD is set from the outside
-# - ENCRYPTION_LABEL is set from the outside
 
 git clone --depth 1 https://github.com/pts/pdfsizeopt.git pdfsizeopt
 
@@ -27,19 +25,8 @@ cp "$HERE"/{.dockerignore,Dockerfile} .
 docker pull "$DOCKER_HUB_REPO:latest"
 docker build --cache-from "$DOCKER_HUB_REPO:latest" \
              --tag "$DOCKER_HUB_REPO:latest" \
-             --build-arg "travis_pull_request=$TRAVIS_PULL_REQUEST" \
              --build-arg "is_test_of_html_build_itself=$IS_TEST_OF_HTML_BUILD_ITSELF" \
              .
-if [[ "$TRAVIS_PULL_REQUEST" == "false" && "$IS_TEST_OF_HTML_BUILD_ITSELF" == "false" ]]; then
-  # Decrypt the deploy key from this script's location into the html/ directory, since that's the
-  # directory that will be shared with the container (but not built into the image).
-  ENCRYPTED_KEY_VAR="encrypted_${ENCRYPTION_LABEL}_key"
-  ENCRYPTED_IV_VAR="encrypted_${ENCRYPTION_LABEL}_iv"
-  ENCRYPTED_KEY=${!ENCRYPTED_KEY_VAR}
-  ENCRYPTED_IV=${!ENCRYPTED_IV_VAR}
-  openssl aes-256-cbc -K "$ENCRYPTED_KEY" -iv "$ENCRYPTED_IV" \
-          -in "$HERE/deploy-key.enc" -out html/deploy-key -d
-fi
 
 # Run the inside-container.sh script, with the html/ directory mounted inside the container.
 echo ""