11name : Deploy Preview Environment
22
33on :
4- pull_request_target :
4+ pull_request_target : # zizmor: ignore[dangerous-triggers] - Mitigated with label-based approval
5+ types : [labeled, synchronize, opened, reopened]
56 branches :
67 - main
78 paths : ['examples/homepage/**', 'packages/vechain-kit/**', 'yarn.lock']
89
910permissions :
1011 contents : read
11- id-token : write
12- pull-requests : write
1312
1413jobs :
14+ # Job 1: Post instruction comment for external PRs
15+ comment-external-pr :
16+ runs-on : ubuntu-latest
17+ permissions :
18+ pull-requests : write
19+ if : |
20+ github.event.pull_request.head.repo.full_name != github.repository &&
21+ github.event.action == 'opened'
22+ steps :
23+ - name : Comment on external PR
24+ uses : peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
25+ with :
26+ issue-number : ${{ github.event.pull_request.number }}
27+ body : |
28+ ## 👋 Thanks for your contribution!
29+
30+ Since this PR comes from a forked repository, preview deployment requires approval from a maintainer for security reasons.
31+
32+ **Next steps:**
33+ 1. A maintainer will review your code
34+ 2. If approved, they'll add the `safe-to-deploy` label to trigger deployment
35+ 3. **After each new commit**, the maintainer will need to remove and re-add the label for security
36+
37+ This ensures every version of the code is explicitly reviewed before deployment. Thank you for your patience! 🙏
38+
39+ # Job 2: Deploy (runs for internal PRs OR when external PR gets labeled)
1540 deploy :
1641 runs-on : ubuntu-latest
42+ permissions :
43+ id-token : write
44+ pull-requests : write
45+ # Security gate: Only run when 'safe-to-deploy' label is ADDED OR from internal branch
46+ if : |
47+ (github.event.label.name == 'safe-to-deploy') ||
48+ (github.event.pull_request.head.repo.full_name == github.repository)
1749 env :
1850 NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID : ${{ secrets.NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID }}
1951 NEXT_PUBLIC_PRIVY_APP_ID : ${{ secrets.NEXT_PUBLIC_PRIVY_APP_ID }}
@@ -34,11 +66,12 @@ jobs:
3466 run : |
3567 sanitized_branch_name=$(echo "$BRANCH_NAME" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]//g')
3668 echo "processedBranchName=$sanitized_branch_name" >> $GITHUB_OUTPUT
37- echo "NEXT_PUBLIC_BASE_PATH =/$sanitized_branch_name" >> $GITHUB_ENV
69+ echo "basePath =/$sanitized_branch_name" >> $GITHUB_OUTPUT
3870
3971 - name : Build App
4072 env :
4173 NODE_OPTIONS : ' --max-old-space-size=8192'
74+ NEXT_PUBLIC_BASE_PATH : ${{ steps.process-branch-name.outputs.basePath }}
4275 run : |
4376 yarn install
4477 yarn install:all
5184 done
5285
5386 - name : Configure AWS credentials
54- uses : aws-actions/configure-aws-credentials@v4
87+ uses : aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
5588 with :
5689 role-to-assume : ${{ secrets.AWS_ACC_ROLE }}
5790 aws-region : ${{ env.AWS_REGION }}
6598 AWS_MAX_ATTEMPTS=10 aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_PREVIEW_CLOUDFRONT_DISTRIBUTION_ID }} --paths '/' '/*'
6699
67100 - name : Create Deployment Comment
68- if : github.event.action == 'opened' || github.event.action == 'reopened'
69101 uses : peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
70102 with :
71103 issue-number : ${{ github.event.pull_request.number }}
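Review bot: The `safe-to-deploy` gate in the deploy job's `if` (new lines 46–48) approves a label event, not a commit: nothing in the workflow removes the label on `synchronize`, and the checkout step this job builds from lies outside the hunk, so whether the build is pinned to the commit the maintainer actually reviewed depends on code not shown here. If that step checks out `github.head_ref` or the PR merge ref instead of `github.event.pull_request.head.sha`, a fork can push between the maintainer adding the label and the checkout, and `yarn install` (new line 76) then runs package lifecycle scripts from unreviewed code in a job holding `id-token: write` and the AWS role. Pin the checkout with `ref: ${{ github.event.pull_request.head.sha }}`, and enforce the "remove and re-add after each commit" rule the bot comment promises (new line 35) in the workflow itself rather than relying on maintainers to remember — a job that strips the label whenever a fork PR is synchronized would do it.

```yaml
  # Revoke a stale approval: drop the label as soon as a fork PR receives
  # new commits, so the deploy gate below cannot be satisfied by an
  # earlier review. Only the label is touched; no PR code is checked out.
  revoke-approval:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    if: |
      github.event.action == 'synchronize' &&
      github.event.pull_request.head.repo.full_name != github.repository &&
      contains(github.event.pull_request.labels.*.name, 'safe-to-deploy')
    steps:
      - name: Remove safe-to-deploy label
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --remove-label safe-to-deploy

  # … unchanged: deploy job, with its checkout pinned to github.event.pull_request.head.sha …
```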