chore: update-fork-flow

ryanbas21 · ryanbas21 · commit fc51e0258637 · 2025-10-27T15:07:36.000-04:00
diff --git a/.github/actions/publish-beta/action.yml b/.github/actions/publish-beta/action.yml
@@ -1,6 +1,5 @@
 name: 'Publish Beta Steps'
 description: 'Steps to run when packages are not published (beta branch)'
-inputs:
 
 runs:
   using: 'composite'
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -1,13 +1,6 @@
 name: 'Setup Project'
 description: 'Centralized setup for CI jobs'
 inputs:
-  fetch-depth:
-    description: 'Git fetch depth'
-    required: false
-    default: '0'
-  token:
-    description: 'GitHub token'
-    required: true
   node-version-file:
     description: 'Node version file'
     required: false
@@ -16,14 +9,13 @@ inputs:
     description: 'pnpm cache folder'
     required: false
     default: '.pnpm-store'
+  CODECOV_TOKEN:
+    description: 'CODECOV_TOKEN'
+    required: true
+
 runs:
   using: 'composite'
   steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: ${{ inputs.fetch-depth }}
-        token: ${{ inputs.token }}
-
     - uses: pnpm/action-setup@v4
       with:
         run_install: false
@@ -50,7 +42,7 @@ runs:
       run: pnpm dlx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yml" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
       shell: bash
       env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ inputs.CODECOV_TOKEN }}
 
     - name: Cache Playwright browsers
       uses: actions/cache@v4
diff --git a/.github/workflows/ci-fork.yml b/.github/workflows/ci-fork.yml
@@ -1,14 +1,23 @@
 name: ForgeRock Fork Pull Request CI
+
 on:
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-    branches:
-      - main
+  pull_request:
+
+permissions:
+  contents: read
+  actions: read
+
+concurrency:
+  group: pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
   pr:
+    # Only run for forks
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
     runs-on: ubuntu-latest
     timeout-minutes: 20
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -20,26 +29,28 @@ jobs:
           run_install: false
 
       - uses: actions/setup-node@v4
-        id: cache
         with:
           node-version-file: '.node-version'
           cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
 
       - run: pnpm install --frozen-lockfile
 
-      - name: Cache Playwright browsers
-        uses: actions/cache@v4
+      # Restore-only cache to avoid save attempts/noise on forks
+      - name: Restore Playwright browsers cache
+        uses: actions/cache/restore@v4
         with:
           path: ~/.cache/ms-playwright
           key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-playwright-
 
-      - run: pnpm exec playwright install
+      - run: pnpm exec playwright install --with-deps
 
       - uses: nrwl/nx-set-shas@v4
-      # This line is needed for nx affected to work when CI is running on a PR
-      - run: git branch --track main origin/main
+
+      # Needed so nx affected can diff against main
+      - run: git branch --track main origin/main || true
 
       - run: pnpm nx format:check
       - run: pnpm nx affected -t build typecheck lint test e2e-ci
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,6 +16,7 @@ concurrency:
 
 jobs:
   pr:
+    if: ${{github.event.pull_request.head.repo.full_name == github.repository}}
     runs-on: ubuntu-latest
     timeout-minutes: 20
     permissions:
@@ -37,8 +38,6 @@ jobs:
 
       - run: pnpm install --frozen-lockfile
 
-      # This line enables distribution
-      # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
       - run: pnpm dlx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yml" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
       - run: pnpm nx sync:check
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -43,18 +43,16 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - name: Setup Project
-        uses: ./.github/actions/setup
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           token: ${{ secrets.GH_TOKEN }}
 
-      - uses: actions/setup-node@v5
-        id: cache
+      - name: Setup Project
+        uses: ./.github/actions/setup
         with:
-          node-version-file: '.node-version'
-          pnpm-cache-folder: .pnpm-store
-        env:
+          fetch-depth: 0
+          token: ${{ secrets.GH_TOKEN }}
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
       - name: publish
@@ -81,14 +79,6 @@ jobs:
       - name: Publish Beta Steps
         if: steps.changesets.outputs.published == 'false'
         uses: ./.github/actions/publish-beta
-        with:
-          branch: main
-
-      - uses: JamesIves/github-pages-deploy-action@v4.7.3
-        with:
-          folder: docs
-          commit-message: 'chore: release-api-docs-beta'
-          target-folder: 'beta'
 
       - name: Calculate baseline bundle sizes
         run: |
@@ -118,6 +108,12 @@ jobs:
     env:
       HUSKY: 0
     steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GH_TOKEN }}
+          ref: ${{ inputs.branch }}
+
       - name: Setup Project
         uses: ./.github/actions/setup
         with:
