feat(ci): add PR preview system for GitHub Pages (#6636)
* docs(ci): add PR preview system design
Document the design for GitHub Pages PR previews including:
- Selective deployment of changed pages only
- Reuse of existing content-utils.js change detection
- URL parsing from PR descriptions for layout/asset changes
- Automatic cleanup on PR close
- Storage budget management
* docs(ci): add PR preview implementation plan
Detailed task-by-task implementation plan including:
- 8 tasks with complete code and exact file paths
- Reuses existing content-utils.js for change detection
- Scripts for URL parsing, change detection, file staging
- Main workflow and cleanup workflow
- Setup documentation and testing steps
* feat(ci): add PR URL parser for preview page detection
* fix(ci): harden PR URL parser against malicious input
- Add path validation to reject path traversal attacks (..)
- Add validation to reject HTML/script injection attempts
- Add validation to reject URL-encoded characters
- Update regex to capture markdown link paths: [text](/path/)
- Add comprehensive test suite with 27 security and functionality tests
Security improvements:
- Reject paths containing '..' to prevent directory traversal
- Reject paths with suspicious characters: <, >, |, {, }, `, etc.
- Reject URL-encoded characters to prevent encoding attacks
- Validate all paths against known product prefixes
Functionality improvements:
- Support markdown link syntax: [text](/influxdb3/core/)
- Support reference-style markdown links
- Maintain existing support for production URLs, localhost URLs, and relative paths
* feat(ci): add change detection script for PR previews
* fix(ci): remove unused import from detect-preview-pages.js
* feat(ci): add preview file staging script for selective deployment
* fix(ci): add input validation to preview file staging script
- Add path traversal validation to urlToHtmlPath() to reject paths containing '..'
- Add array validation at start of preparePreviewFiles() with clear error message
- Fix copiedCount to only increment when safeCopy() actually succeeds
- Add return value to copyPage() to track success/failure
Addresses security vulnerabilities and improves accuracy of preview stats.
* feat(ci): add preview comment manager for sticky PR comments
* fix(ci): sanitize user input in preview comments to prevent XSS
* feat(ci): add PR preview workflow for GitHub Pages deployment
* fix(ci): correct environment variables and checkout in PR preview workflow
* feat(ci): add weekly stale preview cleanup workflow
* docs(ci): add PR preview setup guide
* Delete docs/plans/2025-12-16-pr-preview-design.md
* Delete docs/plans/2025-12-16-pr-preview-implementation.md
* fix(ci): add input validation for PR preview security
- Add single quote to rejected characters in URL path validation to prevent JavaScript injection in workflow string interpolation
- Add BASE_REF validation regex to prevent command injection, allowing slashes for feature branches (e.g., feature/new-auth)
- Add PR_NUM numeric validation in cleanup workflow
- Add tests for single quote handling and BASE_REF validation
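The parser hardening and workflow-input validation described in the squashed commits above, as an added example in the project's language. This is not the repository's own `parse-pr-urls` or staging code: the host names, the product prefixes, the `SAMPLE_PR_BODY` and the function names are all assumptions constructed here. It shows why the raw path is validated before any URL normalization, and how the `..`, URL-encoding, suspicious-character and product-prefix checks interact with the four link syntaxes the commit message lists.

```javascript
// Added example, not the project's own parser: extract preview-page paths
// from a PR description and validate them before they are interpolated into
// a GitHub Actions workflow string. Hosts, product prefixes and the PR body
// below are assumptions constructed for this example.

const ALLOWED_HOSTS = ['docs.example.com', 'localhost:1313', 'localhost']; // assumed
const PRODUCT_PREFIXES = ['/influxdb3/core/', '/influxdb3/enterprise/', '/influxdb/v2/']; // assumed

// The commit rejects < > | { } ` and the single quote; this example also
// rejects " $ \ & ; and whitespace because the path ends up inside a
// ${{ }} expression and a shell step.
const SUSPICIOUS_CHARS = /[<>|{}`'"$\\&;\s]/;

// Returns null when the site path is safe, otherwise a short reason.
function previewPathProblem(p) {
  if (typeof p !== 'string' || p === '') return 'empty';
  if (!p.startsWith('/')) return 'not site-root-relative';
  if (p.includes('..')) return 'path traversal';
  if (p.includes('%')) return 'url-encoded characters';
  if (SUSPICIOUS_CHARS.test(p)) return 'suspicious characters';
  if (!PRODUCT_PREFIXES.some((prefix) => p.startsWith(prefix))) return 'unknown product prefix';
  return null;
}

// Reduce a raw candidate (absolute URL or site-root-relative path) to a site
// path WITHOUT new URL(): the WHATWG parser collapses "/a/../b" to "/b",
// which would hide a traversal attempt instead of letting us reject it.
function toSitePath(candidate) {
  const m = candidate.match(/^https?:\/\/([^/\s?#]+)(\/[^\s?#]*)?/i);
  if (m) {
    if (!ALLOWED_HOSTS.includes(m[1].toLowerCase())) return { path: null, problem: 'host not allowed' };
    return { path: m[2] || '/', problem: null };
  }
  if (candidate.startsWith('/')) return { path: candidate.split(/[?#]/)[0], problem: null };
  return { path: null, problem: 'not a URL or site path' };
}

// Candidate sources, scanned in this order. The capture groups deliberately
// keep quotes and angle brackets so the validator sees them.
const CANDIDATE_PATTERNS = [
  /\[[^\]]*\]\(([^)\s]+)\)/g,          // inline markdown link: [text](/path/)
  /^\s*\[[^\]]+\]:\s*(\S+)/gm,         // reference-style link: [1]: /path/
  /(https?:\/\/[^\s)]+)/gi,            // bare production or localhost URL
  /(?<![\w:/(.-])(\/[^\s)]*)/g,        // bare site path not inside a URL or link
];

function extractPreviewPaths(prBody) {
  const accepted = new Set();
  const rejected = [];
  for (const pattern of CANDIDATE_PATTERNS) {
    for (const match of prBody.matchAll(pattern)) {
      const candidate = match[1];
      const { path, problem } = toSitePath(candidate);
      const reason = problem || previewPathProblem(path);
      if (reason) rejected.push({ candidate, reason });
      else accepted.add(path);
    }
  }
  return { accepted: [...accepted].sort(), rejected };
}

// Workflow inputs that reach a shell step: allow only what a branch name
// legitimately needs (slashes included, for feature/new-auth) and only a
// plain positive integer for the PR number. Both allowlists are assumptions.
function isSafeBaseRef(ref) {
  return /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/.test(ref) && !ref.includes('..');
}
function isSafePrNumber(s) {
  return /^[1-9][0-9]{0,9}$/.test(s);
}

// Constructed PR description mixing every supported syntax with the attacks
// the commits reject.
const SAMPLE_PR_BODY = [
  'Updates the getting-started page.',
  'Preview: https://docs.example.com/influxdb3/core/get-started/',
  'Local: http://localhost:1313/influxdb3/enterprise/admin/',
  'See [the core page](/influxdb3/core/) and [ref link][1].',
  '[1]: /influxdb/v2/write-data/',
  'Evil: /influxdb3/core/../../etc/passwd',
  'Also /influxdb3/core/%2e%2e/secret/ and [x](/influxdb3/core/<script>)',
  "Quote: /influxdb3/core/it's/",
  'Other: https://evil.example.net/influxdb3/core/ and /not-a-product/page/',
].join('\n');

console.log(JSON.stringify(extractPreviewPaths(SAMPLE_PR_BODY), null, 2));
```

Deduplication happens on the normalized site path, so the same page linked both by reference and as a bare path is staged once; the sorted `accepted` list gives the workflow a deterministic argument order, and every rejection carries the reason so the sticky PR comment can report it without echoing the raw (possibly hostile) candidate back into HTML.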