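name: PR Preview Deploy
# NOTE: Do NOT add any steps that run scripts from the repository (e.g., npm install,
# npm run, or any other commands that execute repository code). Doing so would allow
# malicious PR authors to execute arbitrary code with access to repository secrets.
#
# This workflow runs in the base repository with write permissions after the
# untrusted 'PR Preview Build' run has finished. Everything downloaded from that
# run (pr-metadata, preview-site) is attacker-controlled input and is validated
# or treated as opaque content accordingly.
on:
  workflow_run:
    workflows: ['PR Preview Build']
    types: [completed]
permissions:
  actions: read          # needed to download artifacts from another run
  contents: write        # push to the gh-pages branch
  pull-requests: write   # post/update the preview comment
concurrency:
  # Serialize deploys so concurrent pushes to gh-pages do not race.
  group: pr-preview-deploy
  cancel-in-progress: false
jobs:
  deploy:
    name: Deploy Preview
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-22.04
    steps:
      - name: Download PR metadata
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: pr-metadata
          path: ./pr-metadata
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
      # The pr-number artifact comes from the untrusted (fork-controlled) build
      # job. Reading a number is low-risk, but we still sanity-check it's digits
      # only so it can't inject output or traverse paths when used below.
      - name: Read PR number
        id: pr
        run: |
          number="$(cat ./pr-metadata/pr-number)"
          [[ "$number" =~ ^[0-9]+$ ]] || { echo "::error::Refusing non-numeric PR number from build artifact"; exit 1; }
          echo "number=$number" >> "$GITHUB_OUTPUT"
      # A digits-only check does not bind the number to the PR that actually
      # produced this build: the artifact could name any other PR and this job
      # would overwrite that PR's preview and comment on it. Cross-check the
      # claimed PR's head commit against the triggering run's head_sha, which
      # comes from the trusted workflow_run event rather than the artifact.
      # A run superseded by a newer push fails closed here; the newer push
      # triggers its own build and deploy.
      - name: Verify PR number matches the triggering run
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ steps.pr.outputs.number }}
          RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          pr_head_sha="$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq '.head.sha')"
          if [[ "$pr_head_sha" != "$RUN_HEAD_SHA" ]]; then
            echo "::error::PR #${PR_NUMBER} head (${pr_head_sha}) does not match the triggering run head (${RUN_HEAD_SHA})"
            exit 1
          fi
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Download preview site
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: preview-site
          path: ./preview-site
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
      # The preview-site artifact is produced by the fork-controlled build and
      # is published to gh-pages unmodified. GitHub Pages serves it alongside
      # the rest of the site, so preview content must be treated as untrusted.
      - name: Deploy preview
        uses: rossjrw/pr-preview-action@ffa7509e91a3ec8dfc2e5536c4d5c1acdf7a6de9 # v1.8.1
        id: preview
        with:
          source-dir: ./preview-site
          preview-branch: gh-pages
          umbrella-dir: pr-previews
          pr-number: ${{ steps.pr.outputs.number }}
          action: deploy
          comment: false
      - name: Comment on PR
        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
        with:
          header: pr-preview
          number: ${{ steps.pr.outputs.number }}
          message: |
            🚀 **Website preview deployed to** ${{ steps.preview.outputs.deployment-url }}index.html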