fix: gate PR previews on team membership and add /deploy-preview comment trigger

Separates PR preview deployment from tests so that tests run unconditionally
on all PRs while previews only deploy when the PR author is an OWNER, MEMBER,
or COLLABORATOR. External contributors can get a preview via a team member
commenting /deploy-preview on the PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: nicolethoen

.github/workflows/pr-preview.yml

@@ -1,57 +1,76 @@
-### WARNING -- this file was generated by generate-workflows
 name: pr-preview
-on: pull_request_target
+on:
+  pull_request_target:
+  issue_comment:
+    types: [created]
+
 jobs:
-  build-upload:
+  check-permissions:
+    runs-on: ubuntu-latest
+    if: >-
+      github.event_name == 'pull_request_target' ||
+      (github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        contains(github.event.comment.body, '/deploy-preview'))
+    outputs:
+      allowed: ${{ steps.check-team.outputs.allowed }}
+      pr-number: ${{ steps.check-team.outputs.number }}
+    steps:
+      - name: Get PR info and check permissions
+        id: check-team
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_ASSOCIATION: ${{ github.event.pull_request.author_association }}
+          COMMENT_NUMBER: ${{ github.event.issue.number }}
+          COMMENT_ASSOCIATION: ${{ github.event.comment.author_association }}
+        run: |
+          if [[ "$EVENT_NAME" == "pull_request_target" ]]; then
+            echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+            ASSOCIATION="$PR_ASSOCIATION"
+          else
+            echo "number=$COMMENT_NUMBER" >> $GITHUB_OUTPUT
+            ASSOCIATION="$COMMENT_ASSOCIATION"
+          fi
+
+          if [[ "$ASSOCIATION" == "OWNER" || "$ASSOCIATION" == "MEMBER" || "$ASSOCIATION" == "COLLABORATOR" ]]; then
+            echo "allowed=true" >> $GITHUB_OUTPUT
+            echo "User is a repo $ASSOCIATION — allowed"
+          else
+            echo "allowed=false" >> $GITHUB_OUTPUT
+            echo "User association is $ASSOCIATION — not allowed"
+          fi
+
+  deploy-preview:
     runs-on: ubuntu-latest
+    needs: check-permissions
+    if: needs.check-permissions.outputs.allowed == 'true'
     env:
       SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
       SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
       GH_PR_TOKEN: ${{ secrets.GH_PR_TOKEN }}
-      GH_PR_NUM:   ${{ github.event.number }}
+      GH_PR_NUM: ${{ needs.check-permissions.outputs.pr-number }}
     steps:
       - uses: actions/checkout@v4
-      # Yes, we really want to checkout the PR
       - run: |
           git fetch origin pull/$GH_PR_NUM/head:tmp
           git checkout tmp
-
-      - run: |
-          git rev-parse origin/main
-          git rev-parse HEAD
-          git rev-parse origin/main..HEAD
-          git log origin/main..HEAD --format="%b"
-
-      # Yes, we really want to checkout the PR
-      # Injected by generate-workflows.js
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
       - uses: actions/cache@v4
         id: npm-cache
-        name: Load npm deps from cache
+        name: Cache npm deps
         with:
-          path: '**/node_modules'
+          path: |
+            node_modules
+            **/node_modules
           key: ${{ runner.os }}-npm-14-${{ secrets.CACHE_VERSION }}-${{ hashFiles('package-lock.json') }}
       - run: npm install --frozen-lockfile --legacy-peer-deps
-        if: steps.yarn-cache.outputs.cache-hit != 'true'
+        if: steps.npm-cache.outputs.cache-hit != 'true'
       - run: npm run build
-        name: Build component groups
-      - uses: actions/cache@v4
-        id: docs-cache
-        name: Load webpack cache
-        with:
-          path: '.cache'
-          key: ${{ runner.os }}-v4-${{ hashFiles('yarn.lock') }}
+        name: Build
       - run: npm run build:docs
         name: Build docs
       - run: node .github/upload-preview.js packages/module/public
         name: Upload docs
-        if: always()
-      - run: npx puppeteer browsers install chrome
-        name: Install Chrome for Puppeteer
-      - run: npm run serve:docs & npm run test:a11y
-        name: a11y tests
-      - run: node .github/upload-preview.js packages/module/coverage
-        name: Upload a11y report
-        if: always()