fix: restrict PR preview deploys to team members

nicolethoen · claude · nicolethoen · commit 44a4c3657854 · 2026-04-02T16:49:46.000-04:00
Adds a permission check so previews only deploy when a team member
(OWNER, MEMBER, or COLLABORATOR) opens the PR or comments /deploy-preview.
Removes tests/a11y from the preview workflow since those run separately
via check-pr. Uses the shared surge-preview action.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
@@ -1,29 +1,60 @@
-### WARNING -- this file was generated by generate-workflows
 name: pr-preview
-on: pull_request_target
+on:
+  pull_request_target:
+  issue_comment:
+    types: [created]
+
 jobs:
-  build-upload:
+  check-permissions:
+    runs-on: ubuntu-latest
+    if: >-
+      github.event_name == 'pull_request_target' ||
+      (github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        contains(github.event.comment.body, '/deploy-preview'))
+    outputs:
+      allowed: ${{ steps.check-team.outputs.allowed }}
+      pr-number: ${{ steps.check-team.outputs.number }}
+    steps:
+      - name: Get PR info and check permissions
+        id: check-team
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_ASSOCIATION: ${{ github.event.pull_request.author_association }}
+          COMMENT_NUMBER: ${{ github.event.issue.number }}
+          COMMENT_ASSOCIATION: ${{ github.event.comment.author_association }}
+        run: |
+          if [[ "$EVENT_NAME" == "pull_request_target" ]]; then
+            echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+            ASSOCIATION="$PR_ASSOCIATION"
+          else
+            echo "number=$COMMENT_NUMBER" >> $GITHUB_OUTPUT
+            ASSOCIATION="$COMMENT_ASSOCIATION"
+          fi
+
+          if [[ "$ASSOCIATION" == "OWNER" || "$ASSOCIATION" == "MEMBER" || "$ASSOCIATION" == "COLLABORATOR" ]]; then
+            echo "allowed=true" >> $GITHUB_OUTPUT
+            echo "User is a repo $ASSOCIATION — allowed"
+          else
+            echo "allowed=false" >> $GITHUB_OUTPUT
+            echo "User association is $ASSOCIATION — not allowed"
+          fi
+
+  deploy-preview:
     runs-on: ubuntu-latest
+    needs: check-permissions
+    if: needs.check-permissions.outputs.allowed == 'true'
     env:
       SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
       SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
       GH_PR_TOKEN: ${{ secrets.GH_PR_TOKEN }}
-      GH_PR_NUM:   ${{ github.event.number }}
+      GH_PR_NUM: ${{ needs.check-permissions.outputs.pr-number }}
     steps:
       - uses: actions/checkout@v4
-      # Yes, we really want to checkout the PR
       - run: |
           git fetch origin pull/$GH_PR_NUM/head:tmp
           git checkout tmp
-
-      - run: |
-          git rev-parse origin/main
-          git rev-parse HEAD
-          git rev-parse origin/main..HEAD
-          git log origin/main..HEAD --format="%b"
-
-      # Yes, we really want to checkout the PR
-      # Injected by generate-workflows.js
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
@@ -37,27 +68,9 @@ jobs:
         if: steps.npm-cache.outputs.cache-hit != 'true'
       - run: npm run build
         name: Build data view
-      - uses: actions/cache@v4
-        id: docs-cache
-        name: Load webpack cache
-        with:
-          path: '.cache'
-          key: ${{ runner.os }}-v4-${{ hashFiles('package-lock.json') }}
       - run: npm run build:docs
         name: Build docs
-      - run: node .github/upload-preview.js packages/module/public
-        name: Upload docs
-        if: always()
-      - uses: actions/cache@v4
-        id: puppeteer-cache
-        name: Cache Puppeteer browsers
+      - name: Upload docs
+        uses: patternfly/.github/.github/actions/surge-preview@main
         with:
-          path: ~/.cache/puppeteer
-          key: ${{ runner.os }}-puppeteer-${{ hashFiles('package-lock.json') }}
-      - name: Install Chrome for Puppeteer
-        run: npx puppeteer browsers install chrome
-      - run: npm run serve:docs & npm run test:a11y
-        name: a11y tests
-      - run: node .github/upload-preview.js packages/module/coverage
-        name: Upload a11y report
-        if: always()
+          folder: packages/module/public
