feat: allow PR workflows from forks (#1547)

Yermanaco · web-flow · commit 2270adc92e35 · 2026-05-07T08:23:10.000Z
# Fork PR workflows ## Problems 1. Fork PR previews were blocked by design, because deploy jobs with secrets must not run automatically on untrusted fork code. 2. `size-stats` failed on fork PRs because it required `GH_TOKEN_ACTIONS` to checkout a private repository, and that secret is not available in fork-triggered `pull_request` runs. ## Solution 1. Fork preview deploys now use a controlled manual flow: - dedicated `workflow_dispatch` - PR must be open and from a fork - required label: `safe-to-deploy` - `environment: production` approval before using deploy secrets 2. `size-stats` now works for forks using a two-step flow: - step A (`pull_request`): compute stats and upload artifact (no **private token** needed) - step B (`workflow_run`): trusted workflow reads artifact and updates PR comment ## Result - Internal PR previews continue to run automatically. - Fork PR previews can be deployed under maintainer control. - `size-stats` works for fork PRs without exposing private credentials. ## Note on label safe-to-deploy The `safe-to-deploy` label is a manual signal that a PR is ready for deployment. It is not a security boundary by itself, but it serves as a checkpoint for maintainers to review the PR before allowing deploys. In the current setup, the `environment` approval is the actual security gate that protects secrets, while the label is a workflow control mechanism. ## Repo permissions note for labels Who can apply labels depends on repository permissions. According to the repository configuration, the following teams have elevated roles: - `push` teams: niji4home, novum-engineering, mistica-design, vivo-collaborators - `admin` teams: novum-web-core - `pull` teams (review-focused): network-tokenization, picara Only collaborators or teams with at least `Triage`/`Write`/`Maintain`/`Admin` can add labels; non-collaborator external users cannot. If you rely on label-driven automation, make sure these teams are the ones trusted to apply the `safe-to-deploy` label as it is set in terraform repository settings [here](https://github.com/Telefonica/tf-github-cdo-repos/blob/main/novum/repositories/mistica-web/terraform.tfvars#L23-L32)
diff --git a/.github/actions/deploy-vercel-preview/action.yml b/.github/actions/deploy-vercel-preview/action.yml
@@ -0,0 +1,44 @@
+name: Deploy Vercel preview
+
+description: Build and deploy a preview to Vercel
+
+inputs:
+  github-token:
+    description: GitHub token used by Vercel action to comment on PRs
+    required: true
+  vercel-token:
+    description: Vercel token
+    required: true
+  vercel-org-id:
+    description: Vercel organization id
+    required: true
+  vercel-project-id:
+    description: Vercel project id
+    required: true
+  vercel-project-name:
+    description: Vercel project name
+    required: true
+  working-directory:
+    description: Working directory for deployment
+    required: false
+    default: ${{ github.workspace }}
+
+runs:
+  using: composite
+  steps:
+    - name: Prepare build command for preview
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        sed -i 's/yarn vercel-build/yarn vercel-preview-build/' vercel.json
+      shell: bash
+
+    - name: Deploy to Vercel
+      uses: amondnet/vercel-action@v42.3.0
+      id: vercel-deploy
+      with:
+        github-token: ${{ inputs.github-token }}
+        vercel-token: ${{ inputs.vercel-token }}
+        vercel-org-id: ${{ inputs.vercel-org-id }}
+        vercel-project-id: ${{ inputs.vercel-project-id }}
+        vercel-project-name: ${{ inputs.vercel-project-name }}
+        working-directory: ${{ inputs.working-directory }}
diff --git a/.github/workflows/deploy-fork-pr-preview.yml b/.github/workflows/deploy-fork-pr-preview.yml
@@ -0,0 +1,65 @@
+name: deploy-fork-pr-preview
+on:
+  workflow_dispatch:
+    inputs:
+      prNumber:
+        description: 'Pull request number to deploy preview for'
+        required: true
+
+permissions:
+    contents: read
+    pull-requests: write
+
+jobs:
+    deploy:
+        name: Deploy fork PR preview
+        runs-on: ubuntu-latest
+        # Manual approval gate before exposing deployment secrets to reviewed PR code
+        environment: production
+        steps:
+            - name: Validate PR and extract refs
+              id: pr
+              uses: actions/github-script@v7
+              with:
+                  script: |
+                      const REQUIRED_LABEL = 'safe-to-deploy';
+                      const prNumber = Number('${{ github.event.inputs.prNumber }}');
+                      if (!Number.isInteger(prNumber) || prNumber <= 0) {
+                        core.setFailed('Invalid prNumber input');
+                        return;
+                      }
+
+                      const {owner, repo} = context.repo;
+                      const {data: pr} = await github.rest.pulls.get({owner, repo, pull_number: prNumber});
+
+                      if (pr.state !== 'open') {
+                        core.setFailed(`PR #${prNumber} is not open`);
+                        return;
+                      }
+
+                      if (!pr.head.repo.fork) {
+                        core.setFailed(`PR #${prNumber} is not from a fork. Use deploy-pull-requests workflow for internal PRs.`);
+                        return;
+                      }
+
+                      const labels = (pr.labels || []).map((label) => label.name);
+                      if (!labels.includes(REQUIRED_LABEL)) {
+                        core.setFailed(`PR #${prNumber} is missing required label: ${REQUIRED_LABEL}`);
+                        return;
+                      }
+
+                      core.setOutput('merge_ref', `refs/pull/${prNumber}/merge`);
+                      core.setOutput('pr_number', String(prNumber));
+            - uses: actions/checkout@v6
+              with:
+                  ref: ${{ steps.pr.outputs.merge_ref }}
+                  persist-credentials: false
+
+            - uses: ./.github/actions/deploy-vercel-preview
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  vercel-token: ${{ secrets.VERCEL_TOKEN }}
+                  vercel-org-id: ${{ secrets.MISTICA_WEB_VERCEL_ORG_ID }}
+                  vercel-project-id: ${{ secrets.MISTICA_WEB_VERCEL_PROJECT_ID }}
+                  vercel-project-name: mistica-web
+                  working-directory: ${{ github.workspace }}
diff --git a/.github/workflows/deploy-master.yml b/.github/workflows/deploy-master.yml
@@ -19,7 +19,7 @@ jobs:
               with:
                   persist-credentials: false
 
-            - uses: amondnet/vercel-action@master
+            - uses: amondnet/vercel-action@v42.3.0
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }} # needed to allow comments on prs
                   vercel-token: ${{ secrets.VERCEL_TOKEN }} # Required
diff --git a/.github/workflows/deploy-pull-requests.yml b/.github/workflows/deploy-pull-requests.yml
@@ -19,13 +19,7 @@ jobs:
             - uses: actions/checkout@v6
               with:
                   persist-credentials: false
-
-            # we need to run a different buildCommand for PR previews (see package.json scripts)
-            - run: sed -i 's/yarn vercel-build/yarn vercel-preview-build/' vercel.json
-              shell: bash
-
-            - uses: amondnet/vercel-action@master
-              id: vercel-deploy # identifier to reference this step
+            - uses: ./.github/actions/deploy-vercel-preview
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }} # needed to allow comments on prs
                   vercel-token: ${{ secrets.VERCEL_TOKEN }} # required
diff --git a/.github/workflows/label-trigger-deploy.yml b/.github/workflows/label-trigger-deploy.yml
@@ -0,0 +1,55 @@
+name: Auto-dispatch deploy on label
+
+on:
+  pull_request_target:
+    types: [labeled]
+
+permissions:
+  actions: write
+  contents: read
+  issues: write
+  pull-requests: read
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dispatch deploy workflow when `safe-to-deploy` label is added
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const TARGET_LABEL = 'safe-to-deploy';
+            const label = context.payload.label && context.payload.label.name;
+            if (label !== TARGET_LABEL) {
+              core.info(`Label '${label}' is not '${TARGET_LABEL}', skipping dispatch.`);
+              return;
+            }
+
+            const prNumber = context.payload.pull_request && context.payload.pull_request.number;
+            if (!prNumber) {
+              core.setFailed('Could not find pull request number in event payload.');
+              return;
+            }
+
+            const { owner, repo } = context.repo;
+            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
+
+            // Only dispatch the fork-preview workflow for PRs coming from forks
+            if (!pr.head || !pr.head.repo || !pr.head.repo.fork) {
+              core.info('PR is not from a fork; skipping fork preview dispatch.');
+              return;
+            }
+
+            await github.rest.actions.createWorkflowDispatch({
+              owner,
+              repo,
+              workflow_id: 'deploy-fork-pr-preview.yml',
+              ref: 'master',
+              inputs: { prNumber: String(prNumber) },
+            });
+
+            core.info(`Dispatched deploy-fork-pr-preview for PR #${prNumber}`);
+
+            // post an audit comment on the PR
+            const commentBody = `Label '${TARGET_LABEL}' added — dispatching fork preview workflow. Awaiting environment approval to expose deploy secrets.`;
+            await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body: commentBody });
diff --git a/.github/workflows/size-stats-comment.yml b/.github/workflows/size-stats-comment.yml
@@ -0,0 +1,70 @@
+name: Size stats comment
+
+on:
+    workflow_run:
+        workflows: ['Size stats']
+        types: [completed]
+
+permissions:
+    actions: read
+    contents: read
+    pull-requests: write
+
+jobs:
+    comment:
+        runs-on: ubuntu-latest
+        if: github.event.workflow_run.conclusion == 'success'
+        steps:
+            - name: Download size stats artifact
+              uses: actions/download-artifact@v4
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
+                  name: size-stats-results
+                  path: size-stats-results
+
+            - name: Upsert PR comment
+              uses: actions/github-script@v7
+              with:
+                  script: |
+                      const fs = require('fs');
+
+                      const marker = '<!-- size-stats-comment -->';
+                      const title = '**Size stats**';
+                      const workflowRunPrs = context.payload.workflow_run?.pull_requests || [];
+                      const prNumber = workflowRunPrs.length === 1 ? workflowRunPrs[0].number : NaN;
+                      const message = fs.readFileSync('size-stats-results/message.md', 'utf8').trim();
+                      const body = `${marker}\n${title}\n\n${message}`;
+
+                      if (!Number.isInteger(prNumber) || prNumber <= 0) {
+                        core.setFailed('Could not determine a unique PR number from workflow_run payload');
+                        return;
+                      }
+
+                      const {owner, repo} = context.repo;
+                      const {data: comments} = await github.rest.issues.listComments({
+                        owner,
+                        repo,
+                        issue_number: prNumber,
+                        per_page: 100,
+                      });
+
+                      const previous = comments.find((comment) =>
+                        comment.user?.type === 'Bot' && comment.body?.includes(marker),
+                      );
+
+                      if (previous) {
+                        await github.rest.issues.updateComment({
+                          owner,
+                          repo,
+                          comment_id: previous.id,
+                          body,
+                        });
+                      } else {
+                        await github.rest.issues.createComment({
+                          owner,
+                          repo,
+                          issue_number: prNumber,
+                          body,
+                        });
+                      }
diff --git a/.github/workflows/size-stats.yml b/.github/workflows/size-stats.yml
@@ -6,7 +6,7 @@ on:
 
 permissions:
     contents: read
-    pull-requests: write
+    pull-requests: read
 
 concurrency:
     group: size-stats-${{ github.ref }}
@@ -56,20 +56,12 @@ jobs:
             - id: stats
               uses: './.github/actions/size-stats'
 
-    show-results:
+    store-results:
         runs-on: ubuntu-latest
         needs: [master-size-stats, branch-size-stats]
         steps:
             - uses: actions/checkout@v6
               with:
-                  ref: master
-                  persist-credentials: false
-
-            - uses: actions/checkout@v6
-              with:
-                  repository: Telefonica/github-actions
-                  token: '${{ secrets.GH_TOKEN_ACTIONS }}'
-                  path: .github/shared-actions
                   persist-credentials: false
 
             - run: yarn install --immutable --immutable-cache
@@ -87,10 +79,16 @@ jobs:
                   pr-lib-overhead: ${{ needs.branch-size-stats.outputs.lib-overhead }}
                   pr-lib-overhead-gzip: ${{ needs.branch-size-stats.outputs.lib-overhead-gzip }}
 
-            - name: Comment on PR
-              uses: ./.github/shared-actions/novum/comment-pr
+            - name: Prepare artifact payload
+              run: |
+                  mkdir -p size-stats-results
+                  cat > size-stats-results/message.md <<'EOF'
+                  ${{ steps.message.outputs.message }}
+                  EOF
+
+            - name: Upload size stats results
+              uses: actions/upload-artifact@v4
               with:
-                  github-token: ${{ secrets.GITHUB_TOKEN }}
-                  title: '**Size stats**'
-                  message: ${{ steps.message.outputs.message }}
-                  update-if-present: 'true'
+                  name: size-stats-results
+                  path: size-stats-results
+                  if-no-files-found: error
