Allow once-off sponsored transactions #481

Workflow file for this run

.github/workflows/deploy-preview.yaml at 158d622

	name: Deploy Preview Environment

	on:
	pull_request_target: # zizmor: ignore[dangerous-triggers] - Mitigated with label-based approval
	types: [labeled, synchronize, opened, reopened]
	branches:
	- main
	paths: ['examples/homepage/', 'packages/vechain-kit/', 'yarn.lock']

	permissions:
	contents: read

	jobs:
	# Job 1: Post instruction comment for external PRs
	comment-external-pr:
	runs-on: ubuntu-latest
	permissions:
	pull-requests: write
	if: \|
	github.event.pull_request.head.repo.full_name != github.repository &&
	github.event.action == 'opened'
	steps:
	- name: Check branch name prefix (for external PRs)
	env:
	USER_NAME: ${{ github.event.pull_request.user.login }}
	BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
	run: \|
	PREFIX="${BRANCH_NAME%%/*}"
	lower_user_name="${USER_NAME,,}"
	lower_prefix="${PREFIX,,}"
	if [[ "$lower_prefix" != "$lower_user_name" ]]; then
	echo "Invalid branch name. Please ensure that your PR branch name starts with your GitHub username in the format of <username>/<branch-name>. Eg. myusername/my-feature"
	exit 1
	fi

	- name: Comment on external PR
	uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
	with:
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## 👋 Thanks for your contribution!

	Since this PR comes from a forked repository, preview deployment requires approval from a maintainer for security reasons.
	Please ensure that your PR branch name starts with your GitHub username in the format of <username>/<branch-name>. Eg. myusername/my-feature not main

	Next steps:
	1. A maintainer will review your code
	2. If approved, they'll add the `safe-to-deploy` label to trigger deployment
	3. After each new commit, the maintainer will need to remove and re-add the label for security

	This ensures every version of the code is explicitly reviewed before deployment. Thank you for your patience! 🙏

	# Job 2: Deploy (runs for internal PRs OR when external PR gets labeled)
	deploy:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: write
	# Security gate: Only run when 'safe-to-deploy' label is ADDED OR from internal branch
	if: \|
	(github.event.label.name == 'safe-to-deploy') \|\|
	(github.event.pull_request.head.repo.full_name == github.repository) && github.event.pull_request.head.ref != 'main'
	env:
	NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID: ${{ secrets.NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID }}
	NEXT_PUBLIC_PRIVY_APP_ID: ${{ secrets.NEXT_PUBLIC_PRIVY_APP_ID }}
	NEXT_PUBLIC_PRIVY_CLIENT_ID: ${{ secrets.NEXT_PUBLIC_PRIVY_CLIENT_ID }}
	NEXT_PUBLIC_DELEGATOR_URL: ${{ secrets.NEXT_PUBLIC_DELEGATOR_URL }}
	NEXT_PUBLIC_NETWORK_TYPE: 'main'
	AWS_REGION: eu-west-1
	BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
	steps:
	- name: Check branch name prefix (for external PRs)
	if: github.event.pull_request.head.repo.full_name != github.repository
	env:
	USER_NAME: ${{ github.event.pull_request.user.login }}
	run: \|
	PREFIX="${BRANCH_NAME%%/*}"
	lower_user_name="${USER_NAME,,}"
	lower_prefix="${PREFIX,,}"
	if [[ "$lower_prefix" != "$lower_user_name" ]]; then
	echo "Invalid branch name. Please ensure that your PR branch name starts with your GitHub username in the format of <username>/<branch-name>. Eg. myusername/my-feature"
	exit 1
	fi

	- name: Checkout
	uses: actions/checkout@v4
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Process Branch Name
	id: process-branch-name
	run: \|
	sanitized_branch_name=$(echo "$BRANCH_NAME" \| tr '[:upper:]' '[:lower:]' \| sed 's/[^a-z0-9-]//g')
	echo "processedBranchName=$sanitized_branch_name" >> $GITHUB_OUTPUT
	echo "basePath=/$sanitized_branch_name" >> $GITHUB_OUTPUT

	- name: Build App
	env:
	NODE_OPTIONS: '--max-old-space-size=8192'
	NEXT_PUBLIC_BASE_PATH: ${{ steps.process-branch-name.outputs.basePath }}
	run: \|
	yarn install
	yarn install:all
	yarn build

	- name: Fix permissions
	run: \|
	chmod -c -R +rX "./examples/homepage/dist" \| while read line; do
	echo "::warning title=Invalid file permissions automatically fixed::$line"
	done

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
	with:
	role-to-assume: ${{ secrets.AWS_ACC_ROLE }}
	aws-region: ${{ env.AWS_REGION }}

	- name: Deploy to S3
	run: \|
	aws s3 sync ./examples/homepage/dist s3://${{ secrets.AWS_PREVIEW_BUCKET_NAME }}/${{ steps.process-branch-name.outputs.processedBranchName }} --delete

	- name: Cloudfront Invalidation
	run: \|
	AWS_MAX_ATTEMPTS=10 aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_PREVIEW_CLOUDFRONT_DISTRIBUTION_ID }} --paths '/' '/*'

	- name: Find Comment
	uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
	id: find-comment
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: 'github-actions[bot]'
	body-includes: 🚀 Preview environment deployed!

	- name: Create Deployment Comment
	uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
	with:
	comment-id: ${{ steps.find-comment.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	# 🚀 Preview environment deployed!
	Preview URL: https://preview.vechainkit.vechain.org/${{ steps.process-branch-name.outputs.processedBranchName }}
	edit-mode: replace

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Allow once-off sponsored transactions #481

Workflow file

Allow once-off sponsored transactions #481

Uh oh!

Jobs

Run details

Workflow file for this run