Skip to content

feat: deploy dev pages preview for fork pull requests#122

Merged
amanabiy merged 2 commits into
mainfrom
feat/allow-test-pages-for-prs
Jul 9, 2026
Merged

feat: deploy dev pages preview for fork pull requests#122
amanabiy merged 2 commits into
mainfrom
feat/allow-test-pages-for-prs

Conversation

@amanabiy

@amanabiy amanabiy commented Jul 1, 2026

Copy link
Copy Markdown
Member

Description of changes:
Forked-PR workflows run without secrets, so they can't deploy previews. Add a workflow_run-based privileged deploy that runs after the build, behind the existing environment approval gate, so a maintainer can approve and publish a fork's dev-pages preview.

Merging this PR won't make it automatically deploy the dev pages. It needs to be added to each repository for example for chat-components example draft PR

Approach:

  • The build stays on pull_request (unprivileged, no secrets) and uploads the dev-pages artifact this already works for forks.
  • A new workflow_run triggered deploy runs after the build, from the default branch, with secrets, and never checks out or runs fork code. It only downloads the prebuilt artifact and uploads it via the existing deploy-static action.

How consuming repos use it
Each repo does two small things: let its build run for forks (so the artifact is produced), and add a tiny workflow_run wrapper that calls this reusable workflow. The wrapper is the only new per-repo file (workflow_run must live in the same repo).

for example for chat-components example draft PR

Issue #, if available: AWSUI-53554

I tested it here on a personal repository. Here is an example of a deploy that requires approval.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@amanabiy amanabiy force-pushed the feat/allow-test-pages-for-prs branch 2 times, most recently from f0556ec to 4a09a15 Compare July 1, 2026 10:00
if: github.event_name == 'pull_request'
if: >
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Internal PRs only. Fork PRs can't deploy here (no secrets), and they are handled separately by deploy-fork-preview.yml. Keeping this guard here means consumers don't need to add it to their own deploy caller job.

runs-on: ubuntu-latest
continue-on-error: true
environment:
name: fork-${{ inputs.artifact-name }}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a separate environment is helpful for example, if we later want to require an extra layer of approval before forked-PR previews are deployed, we can enable it on this environment.

with:
name: ${{ inputs.artifact-name }}
path: build
run-id: ${{ github.event.workflow_run.id }}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the artifact lives in the build run (a different run), so we fetch it by run-id via the REST API (hence github-token + actions: read). The run id comes from the caller's workflow_run payload.

@amanabiy amanabiy marked this pull request as ready for review July 1, 2026 10:13
@amanabiy amanabiy requested a review from a team as a code owner July 1, 2026 10:13
@amanabiy amanabiy requested review from avinashbot and removed request for a team July 1, 2026 10:13
id: deploy
uses: cloudscape-design/actions/.github/actions/deploy-static@main
with:
role-to-assume: ${{ secrets.AWS_PREVIEW_ROLE_ARN }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do the secrets work on workflows running for forks? Is there a risk that a fork can modify the workflow on their end to log out the secrets? Or are we relying on manual approval of the deploys to enforce that?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It mainly relies on human review to make sure we don't deploy anything unexpected. On top of that, we can add an approval step on each repository's environment so every deployment is intentional.

Is it gated technically/automatically? Yes, unless I missed something, what I did is split the flow: the artifact is built in the pull_request run, where no secrets are available, and a separate workflow only uploads that pre-built artifact so the run that has the secrets never builds or runs the fork's code.

name: Deploy fork preview

on:
workflow_call:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A new workflow_run triggered deploy

This uses workflow_call — should there be some other workflow that calls this? Or should this be workflow_run?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is called from the workflow_run of other repositories. For example, in chat-components I will add a workflow that will fire after the build end, and it will be using this deply fork preview workflow_call.

@amanabiy amanabiy marked this pull request as draft July 1, 2026 13:39
@amanabiy amanabiy requested a review from michaeldowseza July 6, 2026 11:20
@amanabiy amanabiy marked this pull request as ready for review July 6, 2026 11:20
@amanabiy amanabiy requested a review from avinashbot July 7, 2026 13:11
@amanabiy amanabiy enabled auto-merge (squash) July 9, 2026 12:21
@amanabiy amanabiy disabled auto-merge July 9, 2026 12:22
@amanabiy amanabiy enabled auto-merge (squash) July 9, 2026 12:22
amanabiy added 2 commits July 9, 2026 14:22
Pass --no-follow-symlinks to  so the deploy step never dereferences symlinks in the source directory.

The deploy runs with the AWS preview credentials, and for fork PR previews. Without this flag,  follows symlinks by default, so a symlink planted in the artifact could cause the runner's temporary AWS credentials to be copied into the public, CloudFront-fronted preview bucket.
@amanabiy amanabiy force-pushed the feat/allow-test-pages-for-prs branch from ed4e072 to 5c2237f Compare July 9, 2026 12:22
@amanabiy amanabiy merged commit a22f49a into main Jul 9, 2026
13 checks passed
@amanabiy amanabiy deleted the feat/allow-test-pages-for-prs branch July 9, 2026 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants