Merged
Pull request overview
Enables controlled workflows for forked PRs by separating untrusted computation from trusted actions that require write permissions or secrets (deploy previews and PR commenting).
Changes:
- Updates `size-stats` to upload results as an artifact in the PR workflow, and adds a trusted `workflow_run` workflow to upsert the PR comment.
- Adds a `pull_request_target` label listener to dispatch a manual, environment-gated fork preview deployment workflow.
- Refactors internal PR preview deploy logic into a reusable composite action used by both internal and fork preview workflows.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/size-stats.yml | Uploads size-stats output as an artifact instead of commenting directly (fork-safe). |
| .github/workflows/size-stats-comment.yml | New trusted workflow_run job to download artifact and upsert the PR comment. |
| .github/workflows/label-trigger-deploy.yml | New label-triggered dispatcher to start fork preview deploy workflow. |
| .github/workflows/deploy-pull-requests.yml | Switches internal PR deploy to a shared composite action. |
| .github/workflows/deploy-fork-pr-preview.yml | New environment-approved workflow to deploy fork PR previews by PR number. |
| .github/actions/deploy-vercel-preview/action.yml | New composite action encapsulating checkout + preview build tweak + Vercel deploy. |
Deploy preview for mistica-web ready! Deployed with vercel-action
| needs: [master-size-stats, branch-size-stats] | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: |
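Review bot: the `actions/checkout@v6` step in the job that `needs: [master-size-stats, branch-size-stats]` now runs on fork PRs under `pull_request`, so confirm this checkout no longer passes `GH_TOKEN_ACTIONS` (the description notes that secret is unavailable in fork-triggered runs, which is what broke `size-stats` before); since this workflow is the fork-facing, untrusted half of the flow, also consider pinning the action to a full commit SHA instead of the floating `@v6` tag so its supply chain is fixed.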
Contributor (Author):
if I do this, this PR would fail
atabel (Collaborator) approved these changes on May 6, 2026
🎉 This PR is included in version 16.62.0 🎉 The release is available on: Your semantic-release bot 📦🚀
MurilloLeoni pushed a commit to MurilloLeoni/mistica-web that referenced this pull request on May 8, 2026:

# [16.62.0](Telefonica/mistica-web@v16.61.0...v16.62.0) (2026-05-08)

### Features

* **AiCard:** add new component aicard ([Telefonica#1544](Telefonica#1544)) ([96959e9](Telefonica@96959e9))
* allow PR workflows from forks ([Telefonica#1547](Telefonica#1547)) ([2270adc](Telefonica@2270adc)), closes [/github.com/Telefonica/tf-github-cdo-repos/blob/main/novum/repositories/mistica-web/terraform.tfvars#L23-L32](https://github.com//github.com/Telefonica/tf-github-cdo-repos/blob/main/novum/repositories/mistica-web/terraform.tfvars/issues/L23-L32)
* **Icons:** update artificial intelligence icons in vivo ([Telefonica#1545](Telefonica#1545)) ([f732114](Telefonica@f732114))
* **MenuItem:** Added description to MenuItem ([Telefonica#1543](Telefonica#1543)) ([a1f2e7d](Telefonica@a1f2e7d))
Fork PR workflows

Problems

- `size-stats` failed on fork PRs because it required `GH_TOKEN_ACTIONS` to checkout a private repository, and that secret is not available in fork-triggered `pull_request` runs.

Solution

- `workflow_dispatch`
- `safe-to-deploy`
- `environment: production` approval before using deploy secrets
- `size-stats` now works for forks using a two-step flow:
  - (`pull_request`): compute stats and upload artifact (no private token needed)
  - (`workflow_run`): trusted workflow reads artifact and updates PR comment

Result

- `size-stats` works for fork PRs without exposing private credentials.

Note on label safe-to-deploy

The `safe-to-deploy` label is a manual signal that a PR is ready for deployment. It is not a security boundary by itself, but it serves as a checkpoint for maintainers to review the PR before allowing deploys. In the current setup, the `environment` approval is the actual security gate that protects secrets, while the label is a workflow control mechanism.

Repo permissions note for labels

Who can apply labels depends on repository permissions. According to the repository configuration, the following teams have elevated roles:

- `push` teams: niji4home, novum-engineering, mistica-design, vivo-collaborators
- `admin` teams: novum-web-core
- `pull` teams (review-focused): network-tokenization, picara

Only collaborators or teams with at least Triage/Write/Maintain/Admin can add labels; non-collaborator external users cannot. If you rely on label-driven automation, make sure these teams are the ones trusted to apply the `safe-to-deploy` label as it is set in terraform repository settings here
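The trusted half of the two-step flow, written out as an added example; it is not the PR's own `size-stats-comment.yml`, and it assumes the untrusted workflow is named `size-stats` and uploads an artifact named `size-stats` holding `pr-number.txt` and `comment.md` (the marker string is also an assumption). What it adds to the description above is the handling of the artifact as fork-controlled data: the PR number is accepted only if it is numeric and only if that PR's head commit is the `head_sha` the untrusted run built, the write-scoped token is never used before those checks, the fork's code is never checked out in this job, and the body is posted as bounded plain text.

```yaml
# Added example (not the PR's own file). Assumed names: the untrusted
# workflow is called "size-stats" and uploads an artifact "size-stats"
# holding pr-number.txt and comment.md.
name: size-stats-comment
on:
  workflow_run:
    workflows: ["size-stats"]
    types: [completed]

permissions:
  contents: read
  pull-requests: write   # the only write scope the comment upsert needs

jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # No checkout of the fork's code here: this job holds a write token.
      - name: Download artifact from the untrusted run
        uses: actions/download-artifact@v4
        with:
          name: size-stats
          path: stats
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate artifact contents, then upsert the comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          pr="$(tr -d '[:space:]' < stats/pr-number.txt)"
          # The artifact is fork-controlled data: accept only a numeric PR id...
          [[ "$pr" =~ ^[0-9]+$ ]] || { echo "invalid PR number"; exit 1; }
          # ...whose head commit is the one the untrusted run actually built.
          actual="$(gh api "repos/$REPO/pulls/$pr" --jq .head.sha)"
          [[ "$actual" == "$HEAD_SHA" ]] || { echo "PR/run mismatch"; exit 1; }
          # Bound the body and post it as plain text; never execute anything from it.
          marker='<!-- size-stats -->'
          { head -c 60000 stats/comment.md; printf '\n%s\n' "$marker"; } > body.md
          id="$(gh api "repos/$REPO/issues/$pr/comments" --paginate \
                --jq "[.[] | select(.body | contains(\"$marker\")) | .id] | first // empty")"
          if [[ -n "$id" ]]; then
            gh api -X PATCH "repos/$REPO/issues/comments/$id" -F body=@body.md
          else
            gh api -X POST "repos/$REPO/issues/$pr/comments" -F body=@body.md
          fi
```

The `run-id` and `github-token` inputs of `actions/download-artifact@v4` are what allow this run to fetch an artifact produced by a different workflow run; the same pattern carries over to the fork preview deploy, where the PR number passed to `workflow_dispatch` should likewise be resolved to a head commit before any deploy secret is used.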