feat: allow PR workflows from forks #1547
Merged
5 commits
- 86c4d31 feat: allow PR workflows from forks (Yermanaco)
- ffdfc50 fix: checkout in proper workflow (Yermanaco)
- 4b95fce Merge branch 'master' into allow-workflows-from-forks (Yermanaco)
- b7b1e62 solve copilot comments (Yermanaco)
- 99d0e64 solve more comments (Yermanaco)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| name: Deploy Vercel preview | ||
|
|
||
| description: Build and deploy a preview to Vercel | ||
|
|
||
| inputs: | ||
| github-token: | ||
| description: GitHub token used by Vercel action to comment on PRs | ||
| required: true | ||
| vercel-token: | ||
| description: Vercel token | ||
| required: true | ||
| vercel-org-id: | ||
| description: Vercel organization id | ||
| required: true | ||
| vercel-project-id: | ||
| description: Vercel project id | ||
| required: true | ||
| vercel-project-name: | ||
| description: Vercel project name | ||
| required: true | ||
| working-directory: | ||
| description: Working directory for deployment | ||
| required: false | ||
| default: ${{ github.workspace }} | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Prepare build command for preview | ||
| working-directory: ${{ inputs.working-directory }} | ||
| run: | | ||
| sed -i 's/yarn vercel-build/yarn vercel-preview-build/' vercel.json | ||
| shell: bash | ||
|
|
||
| - name: Deploy to Vercel | ||
| uses: amondnet/vercel-action@v42.3.0 | ||
| id: vercel-deploy | ||
| with: | ||
| github-token: ${{ inputs.github-token }} | ||
| vercel-token: ${{ inputs.vercel-token }} | ||
| vercel-org-id: ${{ inputs.vercel-org-id }} | ||
| vercel-project-id: ${{ inputs.vercel-project-id }} | ||
| vercel-project-name: ${{ inputs.vercel-project-name }} | ||
| working-directory: ${{ inputs.working-directory }} | ||
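Review bot: `uses: amondnet/vercel-action@v42.3.0` in the "Deploy to Vercel" step pins a third-party action by tag while handing it `vercel-token` and `github-token`; a tag can be moved, so pin to the full commit SHA of the reviewed release and keep the version in a trailing comment. Also, the `sed -i` in "Prepare build command for preview" leaves `vercel.json` unchanged without failing the step when `yarn vercel-build` is not present in it; a `grep -q` check around the substitution would make that case visible.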
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| name: deploy-fork-pr-preview | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| prNumber: | ||
| description: 'Pull request number to deploy preview for' | ||
| required: true | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| deploy: | ||
| name: Deploy fork PR preview | ||
| runs-on: ubuntu-latest | ||
| # Manual approval gate before exposing deployment secrets to reviewed PR code | ||
| environment: production | ||
| steps: | ||
| - name: Validate PR and extract refs | ||
| id: pr | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| const REQUIRED_LABEL = 'safe-to-deploy'; | ||
| const prNumber = Number('${{ github.event.inputs.prNumber }}'); | ||
| if (!Number.isInteger(prNumber) || prNumber <= 0) { | ||
| core.setFailed('Invalid prNumber input'); | ||
| return; | ||
| } | ||
|
|
||
| const {owner, repo} = context.repo; | ||
| const {data: pr} = await github.rest.pulls.get({owner, repo, pull_number: prNumber}); | ||
|
|
||
| if (pr.state !== 'open') { | ||
| core.setFailed(`PR #${prNumber} is not open`); | ||
| return; | ||
| } | ||
|
|
||
| if (!pr.head.repo.fork) { | ||
| core.setFailed(`PR #${prNumber} is not from a fork. Use deploy-pull-requests workflow for internal PRs.`); | ||
| return; | ||
| } | ||
|
|
||
| const labels = (pr.labels || []).map((label) => label.name); | ||
| if (!labels.includes(REQUIRED_LABEL)) { | ||
| core.setFailed(`PR #${prNumber} is missing required label: ${REQUIRED_LABEL}`); | ||
| return; | ||
| } | ||
|
|
||
| core.setOutput('merge_ref', `refs/pull/${prNumber}/merge`); | ||
| core.setOutput('pr_number', String(prNumber)); | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
|
Yermanaco marked this conversation as resolved.
|
||
| ref: ${{ steps.pr.outputs.merge_ref }} | ||
| persist-credentials: false | ||
|
|
||
| - uses: ./.github/actions/deploy-vercel-preview | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| vercel-token: ${{ secrets.VERCEL_TOKEN }} | ||
| vercel-org-id: ${{ secrets.MISTICA_WEB_VERCEL_ORG_ID }} | ||
| vercel-project-id: ${{ secrets.MISTICA_WEB_VERCEL_PROJECT_ID }} | ||
| vercel-project-name: mistica-web | ||
| working-directory: ${{ github.workspace }} | ||
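Review bot: The checkout uses `ref: ${{ steps.pr.outputs.merge_ref }}`, that is `refs/pull/<n>/merge`, which moves whenever the fork pushes, so the code that reaches the step holding `secrets.VERCEL_TOKEN` is not necessarily the commit that was labelled `safe-to-deploy` or approved at the `environment: production` gate. Consider resolving a commit SHA in the validation step (for example `pr.head.sha`, compared against a SHA supplied at label time) and checking out that SHA instead of the moving ref. Separately, `Number('${{ github.event.inputs.prNumber }}')` splices the input into the script source before it is parsed; passing it through `env:` and reading it from `process.env` keeps the input as data.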
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| name: Auto-dispatch deploy on label | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| types: [labeled] | ||
|
|
||
| permissions: | ||
| actions: write | ||
| contents: read | ||
|
Yermanaco marked this conversation as resolved.
|
||
| issues: write | ||
| pull-requests: read | ||
|
|
||
| jobs: | ||
| dispatch: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Dispatch deploy workflow when `safe-to-deploy` label is added | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| const TARGET_LABEL = 'safe-to-deploy'; | ||
| const label = context.payload.label && context.payload.label.name; | ||
| if (label !== TARGET_LABEL) { | ||
| core.info(`Label '${label}' is not '${TARGET_LABEL}', skipping dispatch.`); | ||
| return; | ||
| } | ||
|
|
||
| const prNumber = context.payload.pull_request && context.payload.pull_request.number; | ||
| if (!prNumber) { | ||
| core.setFailed('Could not find pull request number in event payload.'); | ||
| return; | ||
| } | ||
|
|
||
| const { owner, repo } = context.repo; | ||
| const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber }); | ||
|
|
||
| // Only dispatch the fork-preview workflow for PRs coming from forks | ||
| if (!pr.head || !pr.head.repo || !pr.head.repo.fork) { | ||
| core.info('PR is not from a fork; skipping fork preview dispatch.'); | ||
| return; | ||
| } | ||
|
|
||
| await github.rest.actions.createWorkflowDispatch({ | ||
| owner, | ||
| repo, | ||
| workflow_id: 'deploy-fork-pr-preview.yml', | ||
| ref: 'master', | ||
| inputs: { prNumber: String(prNumber) }, | ||
| }); | ||
|
|
||
| core.info(`Dispatched deploy-fork-pr-preview for PR #${prNumber}`); | ||
|
|
||
| // post an audit comment on the PR | ||
| const commentBody = `Label '${TARGET_LABEL}' added — dispatching fork preview workflow. Awaiting environment approval to expose deploy secrets.`; | ||
| await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body: commentBody }); | ||
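Review bot: Nothing in this workflow ties the `safe-to-deploy` label to a specific commit: the trigger is `types: [labeled]` only, the dispatch `inputs` carry just `prNumber`, and the audit comment records neither the head SHA nor who applied the label. Suggest adding `pr.head.sha` to the dispatch inputs (with a matching input declared in `deploy-fork-pr-preview.yml`) and to `commentBody` together with `context.payload.sender.login`, and removing the label when new commits are pushed to the PR so that a later push needs a fresh review.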
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| name: Size stats comment | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ['Size stats'] | ||
| types: [completed] | ||
|
|
||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| comment: | ||
| runs-on: ubuntu-latest | ||
| if: github.event.workflow_run.conclusion == 'success' | ||
| steps: | ||
| - name: Download size stats artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| name: size-stats-results | ||
| path: size-stats-results | ||
|
|
||
| - name: Upsert PR comment | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| const fs = require('fs'); | ||
|
|
||
| const marker = '<!-- size-stats-comment -->'; | ||
| const title = '**Size stats**'; | ||
| const workflowRunPrs = context.payload.workflow_run?.pull_requests || []; | ||
| const prNumber = workflowRunPrs.length === 1 ? workflowRunPrs[0].number : NaN; | ||
| const message = fs.readFileSync('size-stats-results/message.md', 'utf8').trim(); | ||
| const body = `${marker}\n${title}\n\n${message}`; | ||
|
|
||
| if (!Number.isInteger(prNumber) || prNumber <= 0) { | ||
| core.setFailed('Could not determine a unique PR number from workflow_run payload'); | ||
| return; | ||
| } | ||
|
|
||
| const {owner, repo} = context.repo; | ||
| const {data: comments} = await github.rest.issues.listComments({ | ||
| owner, | ||
| repo, | ||
| issue_number: prNumber, | ||
| per_page: 100, | ||
| }); | ||
|
|
||
| const previous = comments.find((comment) => | ||
| comment.user?.type === 'Bot' && comment.body?.includes(marker), | ||
| ); | ||
|
|
||
| if (previous) { | ||
| await github.rest.issues.updateComment({ | ||
| owner, | ||
| repo, | ||
| comment_id: previous.id, | ||
| body, | ||
| }); | ||
| } else { | ||
| await github.rest.issues.createComment({ | ||
| owner, | ||
| repo, | ||
| issue_number: prNumber, | ||
| body, | ||
| }); | ||
| } |
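Review bot: `size-stats-results/message.md` is read from an artifact produced by the triggering `Size stats` run and is posted verbatim as `body` under `pull-requests: write`, so whatever the PR's run wrote ends up in a bot comment. Treat it as untrusted input: cap its length and check that it has the expected shape before calling `createComment` or `updateComment`. It is also worth confirming that `context.payload.workflow_run.pull_requests` is populated for runs triggered from forks, since an empty array ends in the `Could not determine a unique PR number` failure.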
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ on: | |
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| pull-requests: read | ||
|
|
||
| concurrency: | ||
| group: size-stats-${{ github.ref }} | ||
|
|
@@ -56,20 +56,12 @@ jobs: | |
| - id: stats | ||
| uses: './.github/actions/size-stats' | ||
|
|
||
| show-results: | ||
| store-results: | ||
| runs-on: ubuntu-latest | ||
| needs: [master-size-stats, branch-size-stats] | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
|
Review comment (Contributor, Author): if I do this, this PR would fail
|
||
| ref: master | ||
| persist-credentials: false | ||
|
|
||
| - uses: actions/checkout@v6 | ||
| with: | ||
| repository: Telefonica/github-actions | ||
| token: '${{ secrets.GH_TOKEN_ACTIONS }}' | ||
| path: .github/shared-actions | ||
| persist-credentials: false | ||
|
|
||
| - run: yarn install --immutable --immutable-cache | ||
|
|
@@ -87,10 +79,16 @@ jobs: | |
| pr-lib-overhead: ${{ needs.branch-size-stats.outputs.lib-overhead }} | ||
| pr-lib-overhead-gzip: ${{ needs.branch-size-stats.outputs.lib-overhead-gzip }} | ||
|
|
||
| - name: Comment on PR | ||
| uses: ./.github/shared-actions/novum/comment-pr | ||
| - name: Prepare artifact payload | ||
| run: | | ||
| mkdir -p size-stats-results | ||
| cat > size-stats-results/message.md <<'EOF' | ||
| ${{ steps.message.outputs.message }} | ||
| EOF | ||
|
|
||
| - name: Upload size stats results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| title: '**Size stats**' | ||
| message: ${{ steps.message.outputs.message }} | ||
| update-if-present: 'true' | ||
| name: size-stats-results | ||
| path: size-stats-results | ||
| if-no-files-found: error | ||
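Review bot: In "Prepare artifact payload", `${{ steps.message.outputs.message }}` is expanded into the `run:` script text before bash sees it, so the quoted `<<'EOF'` only prevents shell expansion; a message containing a line that is exactly `EOF` ends the heredoc and the remainder is executed as shell. Pass the value through `env:` (for example `MESSAGE: ${{ steps.message.outputs.message }}`) and write it with `printf '%s\n' "$MESSAGE" > size-stats-results/message.md`.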