From 4abe196091ce7d4cf95d64eda5718dd0352f0c04 Mon Sep 17 00:00:00 2001 From: nicolethoen Date: Thu, 2 Apr 2026 16:28:33 -0400 Subject: [PATCH] fix: gate PR previews on team membership and add /deploy-preview comment trigger Separates PR preview deployment from tests so that tests run unconditionally on all PRs while previews only deploy when the PR author is an OWNER, MEMBER, or COLLABORATOR. External contributors can get a preview via a team member commenting /deploy-preview on the PR. Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/pr-preview.yml | 83 ++++++++++++++++++++------------ 1 file changed, 51 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index 430eb172..4a2fcc9b 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -1,57 +1,76 @@ -### WARNING -- this file was generated by generate-workflows name: pr-preview -on: pull_request_target +on: + pull_request_target: + issue_comment: + types: [created] + jobs: - build-upload: + check-permissions: + runs-on: ubuntu-latest + if: >- + github.event_name == 'pull_request_target' || + (github.event_name == 'issue_comment' && + github.event.issue.pull_request && + contains(github.event.comment.body, '/deploy-preview')) + outputs: + allowed: ${{ steps.check-team.outputs.allowed }} + pr-number: ${{ steps.check-team.outputs.number }} + steps: + - name: Get PR info and check permissions + id: check-team + env: + EVENT_NAME: ${{ github.event_name }} + PR_NUMBER: ${{ github.event.pull_request.number }} + PR_ASSOCIATION: ${{ github.event.pull_request.author_association }} + COMMENT_NUMBER: ${{ github.event.issue.number }} + COMMENT_ASSOCIATION: ${{ github.event.comment.author_association }} + run: | + if [[ "$EVENT_NAME" == "pull_request_target" ]]; then + echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT + ASSOCIATION="$PR_ASSOCIATION" + else + echo "number=$COMMENT_NUMBER" >> $GITHUB_OUTPUT + ASSOCIATION="$COMMENT_ASSOCIATION" + fi + + if [[ "$ASSOCIATION" == "OWNER" || "$ASSOCIATION" == "MEMBER" || "$ASSOCIATION" == "COLLABORATOR" ]]; then + echo "allowed=true" >> $GITHUB_OUTPUT + echo "User is a repo $ASSOCIATION — allowed" + else + echo "allowed=false" >> $GITHUB_OUTPUT + echo "User association is $ASSOCIATION — not allowed" + fi + + deploy-preview: runs-on: ubuntu-latest + needs: check-permissions + if: needs.check-permissions.outputs.allowed == 'true' env: SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }} SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }} GH_PR_TOKEN: ${{ secrets.GH_PR_TOKEN }} - GH_PR_NUM: ${{ github.event.number }} + GH_PR_NUM: ${{ needs.check-permissions.outputs.pr-number }} steps: - uses: actions/checkout@v4 - # Yes, we really want to checkout the PR - run: | git fetch origin pull/$GH_PR_NUM/head:tmp git checkout tmp - - - run: | - git 
rev-parse origin/main - git rev-parse HEAD - git rev-parse origin/main..HEAD - git log origin/main..HEAD --format="%b" - - # Yes, we really want to checkout the PR - # Injected by generate-workflows.js - uses: actions/setup-node@v4 with: node-version: '20' - uses: actions/cache@v4 id: npm-cache - name: Load npm deps from cache + name: Cache npm deps with: - path: '**/node_modules' + path: | + node_modules + **/node_modules key: ${{ runner.os }}-npm-14-${{ secrets.CACHE_VERSION }}-${{ hashFiles('package-lock.json') }} - run: npm install --frozen-lockfile --legacy-peer-deps - if: steps.yarn-cache.outputs.cache-hit != 'true' + if: steps.npm-cache.outputs.cache-hit != 'true' - run: npm run build - name: Build component groups - - uses: actions/cache@v4 - id: docs-cache - name: Load webpack cache - with: - path: '.cache' - key: ${{ runner.os }}-v4-${{ hashFiles('yarn.lock') }} + name: Build - run: npm run build:docs name: Build docs - run: node .github/upload-preview.js packages/module/public name: Upload docs - if: always() - - run: npx puppeteer browsers install chrome - name: Install Chrome for Puppeteer - - run: npm run serve:docs & npm run test:a11y - name: a11y tests - - run: node .github/upload-preview.js packages/module/coverage - name: Upload a11y report - if: always()
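Review bot: The `/deploy-preview` path in `check-permissions` validates the commenter's association, but `deploy-preview` then checks out whatever `pull/$GH_PR_NUM/head` resolves to when the job runs, so a contributor can push a new commit right after a team member's comment and have it built under `pull_request_target` with `SURGE_LOGIN`, `SURGE_TOKEN` and `GH_PR_TOKEN` in the job-level `env`, where the PR's own `package.json` lifecycle scripts can read them during `npm install` and `npm run build`. Resolving the head SHA inside `check-permissions` and checking out that exact commit narrows this to the commit the approver saw (a force-push after the comment then fails the checkout, which is the safe outcome), and moving the three secrets to the `env` of the upload step keeps them out of the install/build steps; note also that `author_association` is not write permission (`MEMBER` is org membership, `COLLABORATOR` is any invited level), so the gate is "trusted by convention" rather than "has write access". The workflow has no top-level `permissions:` block, so under `pull_request_target` the job token carries the repository's default permissions; `permissions: contents: read` restricts it (add `pull-requests: write` only if `upload-preview.js` turns out to need the job token rather than `GH_PR_TOKEN`). The deleted `# Yes, we really want to checkout the PR` comment was the only warning that this step runs untrusted code, so restore it on the fetch/checkout step as `# Deliberately checks out the PR head: untrusted code under pull_request_target, gated only by check-permissions`. The deleted `### WARNING -- this file was generated by generate-workflows` header suggests the file may be regenerated; if that generator is still in use these edits belong in its template or they will be overwritten.

```yaml
# Runs with repo secrets under pull_request_target; the PR's own package.json
# scripts execute in `npm install`/`npm run build`, so check-permissions is the
# only thing keeping this safe. Keep the job token minimal.
permissions:
  contents: read

jobs:
  check-permissions:
    # … unchanged: runs-on / if …
    outputs:
      allowed: ${{ steps.check-team.outputs.allowed }}
      pr-number: ${{ steps.check-team.outputs.number }}
      head-sha: ${{ steps.check-team.outputs.sha }}
    steps:
      - name: Get PR info and check permissions
        id: check-team
        env:
          GH_TOKEN: ${{ github.token }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          # … unchanged: EVENT_NAME, PR_NUMBER, PR_ASSOCIATION, COMMENT_NUMBER, COMMENT_ASSOCIATION …
        run: |
          if [[ "$EVENT_NAME" == "pull_request_target" ]]; then
            echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
            echo "sha=$PR_HEAD_SHA" >> "$GITHUB_OUTPUT"
            ASSOCIATION="$PR_ASSOCIATION"
          else
            echo "number=$COMMENT_NUMBER" >> "$GITHUB_OUTPUT"
            # Pin the commit that was approved, not whatever pull/N/head points to
            # by the time deploy-preview runs (gh is preinstalled on ubuntu-latest).
            echo "sha=$(gh pr view "$COMMENT_NUMBER" --repo "$GITHUB_REPOSITORY" --json headRefOid -q .headRefOid)" >> "$GITHUB_OUTPUT"
            ASSOCIATION="$COMMENT_ASSOCIATION"
          fi
          # … unchanged: association check …

  deploy-preview:
    # … unchanged: runs-on / needs / if …
    env:
      GH_PR_NUM: ${{ needs.check-permissions.outputs.pr-number }}
      GH_PR_SHA: ${{ needs.check-permissions.outputs.head-sha }}
    steps:
      - uses: actions/checkout@v4
      # Deliberately checks out the PR head: untrusted code under
      # pull_request_target, gated only by check-permissions.
      - run: |
          git fetch origin "pull/$GH_PR_NUM/head"
          git checkout "$GH_PR_SHA"
      # … unchanged: setup-node, npm cache, install, build, build:docs …
      - run: node .github/upload-preview.js packages/module/public
        name: Upload docs
        env:
          SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
          SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
          GH_PR_TOKEN: ${{ secrets.GH_PR_TOKEN }}
```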