.github/workflows/deploy_preview.yml
name: Daffodil PR Preview
on:
workflow_run:
workflows: ["Daffodil Build"]
branches-ignore: ["master", "main", "develop"]
types:
- completed
#####
# WARNING: This code operates in a privileged context.
#####
# We only allow workflow runs from forks that we know are safe via a control
# in the Github UI called "Require approval for all outside collaborators".
#
# It's a little painful to have to keep clicking the button in the UI,
# but it's generally safer for us (from a security standpoint),
# while still allowing trusted users to contribute
# to the project without annoying CI failures.
#
# We have understood the risk and attempted to handle the concern outlined here:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
jobs:
deploy_daffio:
name: Deploy Daff.io
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
steps:
- uses: graycoreio/github-actions/angular-universal-vercel-wflw-run@main
id: vercel
with:
artifact: daffio-18.19.x
artifact-zip-name: daffio.zip
vercel-token: ${{ secrets.VERCEL_TOKEN }}
vercel-org: ${{ secrets.VERCEL_ORG }}
vercel-project-id: ${{ secrets.VERCEL_DAFFIO_NEXT_PROJECT_ID }}
ng-version: '17'
- name: Create Deployment
uses: actions/github-script@v7
with:
script: |
const { data } = await github.rest.repos.createDeployment({
owner: context.repo.owner,
repo: context.repo.repo,
ref: "${{ github.event.workflow_run.head_branch }}",
auto_merge: false,
required_contexts: [],
environment: 'preview'
});
await github.rest.repos.createDeploymentStatus({
owner: context.repo.owner,
repo: context.repo.repo,
deployment_id: data.id,
state: 'success',
log_url: "${{ github.event.workflow_run.workflow_url }}",
environment_url: "${{ steps.vercel.outputs.url }}",
description: 'Deployment succeeded!',
});