feat: event workflow_run support (#732)

* chore(deps-dev): upgrade typescript from 5.9.3 to 6.0.3

* chore: tsconfig add types

Co-authored-by: Copilot <copilot@github.com>

* feat: workflow_run support

Co-authored-by: Copilot <copilot@github.com>

* docs: Fork pull requests with `workflow_run`

* chore: build

* chore: changeset

* feat: enhance workflow_run handling to validate pull requests by branch and SHA

Co-authored-by: Copilot <copilot@github.com>

* chore: changeset

Co-authored-by: Copilot <copilot@github.com>

* chore: build

* ci: update action to support forks

Co-authored-by: Copilot <copilot@github.com>

* ci: fix github-environment

---------

Co-authored-by: Copilot <copilot@github.com>

Author: andykenward

.changeset/loud-signs-obey.md

@@ -0,0 +1,5 @@
+---
+"github-actions-cloudflare-pages": minor
+---
+
+Added support for the GitHub workflow_run event to enable fork-safe preview deployments and pull request comments.

.github/workflows/deploy-main.yml

@@ -0,0 +1,39 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: deploy-main
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+jobs:
+  cloudflare-pages-deploy:
+    permissions:
+      actions: read
+      contents: read
+      deployments: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - id: 'cloudflare-pages'
+        uses: ./
+        with:
+          cloudflare-api-token: ${{secrets.CLOUDFLARE_API_TOKEN}}
+          cloudflare-account-id: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
+          cloudflare-project-name: ${{ vars.CLOUDFLARE_PROJECT_NAME }}
+          directory: dist
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-environment: production
+          working-directory: example
+      - id: 'cloudflare-pages-delete'
+        uses: ./delete
+        with:
+          cloudflare-api-token: ${{secrets.CLOUDFLARE_API_TOKEN}}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Only required for legacy action deployments.
+          github-environment: production
+          keep-latest: 2

.github/workflows/deploy.yml

@@ -2,12 +2,11 @@
 
 name: deploy
 on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
+  workflow_run:
+    workflows:
+      - test
+    types:
+      - completed
   workflow_dispatch:
     inputs:
       environment:
@@ -20,6 +19,7 @@ concurrency:
 
 jobs:
   cloudflare-pages-deploy:
+    if: ${{ github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.head_branch != 'main') }}
     permissions:
       actions: read
       contents: read
@@ -28,7 +28,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - if: github.event_name == 'workflow_run'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+      - if: github.event_name != 'workflow_run'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
       - id: 'cloudflare-pages'
         uses: ./
         with:
@@ -39,13 +45,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           github-environment: ${{ inputs.environment || 'preview' }}
           working-directory: example
-      - id: 'cloudflare-pages-delete'
-        uses: ./delete
-        # if main branch
-        if: github.ref == 'refs/heads/main'
-        with:
-          cloudflare-api-token: ${{secrets.CLOUDFLARE_API_TOKEN}}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          # Only required for legacy action deployments.
-          github-environment: ${{ inputs.environment || 'preview' }}
-          keep-latest: 2

README.md

@@ -134,6 +134,44 @@ jobs:
           github-environment: ${{ vars.CLOUDFLARE_PROJECT_NAME }} ${{ (github.ref == 'refs/heads/main' && '(Production)') || '(Preview)' }}
 ```
 
+### Fork pull requests with `workflow_run`
+
+When pull requests come from forks, the initial `pull_request` workflow may not have access to secrets. Use a second workflow triggered by `workflow_run` to deploy from the original repository context after approval.
+
+```yaml
+name: Deploy PR Preview (Fork Safe)
+on:
+  workflow_run:
+    workflows: ['CI']
+    types: [completed]
+
+jobs:
+  deploy:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    permissions:
+      contents: read
+      deployments: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: Deploy to Cloudflare Pages
+        uses: andykenward/github-actions-cloudflare-pages@v3.0.0
+        with:
+          cloudflare-api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          cloudflare-account-id: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
+          cloudflare-project-name: ${{ vars.CLOUDFLARE_PROJECT_NAME }}
+          directory: dist
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-environment: preview
+```
+
+This action supports the `workflow_run` event and will use the `workflow_run` head commit SHA and branch for deployment metadata and PR comments.
+
 ## Comment Example
 
 ![pull request comment example](./docs/comment.png)