Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions .github/actions/deploy-static/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ inputs:
target-path:
description: Path prefix on the deployment URL
required: true
commit-sha:
description: Commit SHA used in the deployment path
required: false
default: ${{ github.event.pull_request.head.sha }}

outputs:
preview-url:
Expand All @@ -32,9 +36,9 @@ runs:
id: deployment-path
shell: bash
run: |
echo "deployment-path=${{ github.event.repository.name }}/${{ github.event.pull_request.head.sha }}/${{ inputs.target-path }}/" >> $GITHUB_OUTPUT
echo "deployment-path=${{ github.event.repository.name }}/${{ inputs.commit-sha }}/${{ inputs.target-path }}/" >> $GITHUB_OUTPUT
- name: Deploy content
id: deploy
shell: bash
run: |
aws s3 cp ${{ inputs.source-path }} s3://${{ inputs.deployment-bucket }}/${{ steps.deployment-path.outputs.deployment-path }} --recursive
aws s3 cp ${{ inputs.source-path }} s3://${{ inputs.deployment-bucket }}/${{ steps.deployment-path.outputs.deployment-path }} --recursive --no-follow-symlinks
44 changes: 44 additions & 0 deletions .github/workflows/deploy-fork-preview.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Deploy fork preview

on:
workflow_call:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A new workflow_run triggered deploy

This uses workflow_call — should there be some other workflow that calls this? Or should this be workflow_run?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is called from the workflow_run of other repositories. For example, in chat-components I will add a workflow that will fire after the build end, and it will be using this deply fork preview workflow_call.

inputs:
artifact-name:
description: Artifact to download/deploy; also the target path and the `fork-` environment suffix
type: string
required: true

permissions:
id-token: write
contents: read
deployments: write
actions: read

jobs:
deploy:
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.head_repository.full_name != github.event.workflow_run.repository.full_name }}
runs-on: ubuntu-latest
continue-on-error: true
environment:
name: fork-${{ inputs.artifact-name }}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a separate environment is helpful for example, if we later want to require an extra layer of approval before forked-PR previews are deployed, we can enable it on this environment.

url: ${{ steps.deploy.outputs.preview-url }}index.html
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ inputs.artifact-name }}
path: build
run-id: ${{ github.event.workflow_run.id }}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the artifact lives in the build run (a different run), so we fetch it by run-id via the REST API (hence github-token + actions: read). The run id comes from the caller's workflow_run payload.

github-token: ${{ github.token }}
- name: Deploy dev-pages
id: deploy
uses: cloudscape-design/actions/.github/actions/deploy-static@main
with:
role-to-assume: ${{ secrets.AWS_PREVIEW_ROLE_ARN }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do the secrets work on workflows running for forks? Is there a risk that a fork can modify the workflow on their end to log out the secrets? Or are we relying on manual approval of the deploys to enforce that?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It mainly relies on human review to make sure we don't deploy anything unexpected. On top of that, we can add an approval step on each repository's environment so every deployment is intentional.

Is it gated technically/automatically? Yes, unless I missed something, what I did is split the flow: the artifact is built in the pull_request run, where no secrets are available, and a separate workflow only uploads that pre-built artifact so the run that has the secrets never builds or runs the fork's code.

deployment-bucket: ${{ secrets.AWS_PREVIEW_BUCKET_NAME }}
source-path: build
target-path: ${{ inputs.artifact-name }}
commit-sha: ${{ github.event.workflow_run.head_sha }}
4 changes: 3 additions & 1 deletion .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,9 @@ permissions:

jobs:
deploy:
if: github.event_name == 'pull_request'
if: >
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Internal PRs only. Fork PRs can't deploy here (no secrets), and they are handled separately by deploy-fork-preview.yml. Keeping this guard here means consumers don't need to add it to their own deploy caller job.

runs-on: ubuntu-latest
continue-on-error: true
environment:
Expand Down
Loading