From 16c3b2ee4aa7f88d0764b7c44efafc9ca8f4a86e Mon Sep 17 00:00:00 2001 From: nerdCopter <56646290+nerdCopter@users.noreply.github.com> Date: Thu, 15 May 2025 13:58:02 -0500 Subject: [PATCH] fix preview checkout (#4468) * fix preview checkout * coderabbit recommended issues: write permission * coderabbitAI implement security improvement * newline --- .github/workflows/deploy-preview.yml | 36 ++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml index 180159ad..c8afb282 100644 --- a/.github/workflows/deploy-preview.yml +++ b/.github/workflows/deploy-preview.yml @@ -1,21 +1,20 @@ name: 'Preview Deployment' on: pull_request_target: + types: [opened, synchronize, reopened] branches: - master jobs: - deploy: - permissions: - actions: read - contents: read - deployments: write - pull-requests: write + # Job 1: Build the code (no secrets here) + build: runs-on: ubuntu-latest - timeout-minutes: 5 steps: - name: Checkout code uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false # Don't persist GitHub token - name: Cache node_modules uses: actions/cache@v4 @@ -32,6 +31,29 @@ jobs: - run: yarn install - run: yarn build + - name: Upload build artifact + uses: actions/upload-artifact@v4 + with: + name: dist-files + path: src/dist + + # Job 2: Deploy with secrets (no PR code checkout) + deploy: + needs: build # Wait for build job to complete + permissions: + actions: read + contents: read + deployments: write + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Download build artifact + uses: actions/download-artifact@v4 + with: + name: dist-files + path: src/dist + - name: Deploy to Cloudflare id: deploy uses: cloudflare/wrangler-action@v3
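Review bot: The new `build` job checks out and executes untrusted PR code under `pull_request_target` (`yarn install` runs lifecycle scripts from the PR's own package.json) yet declares no `permissions:` block, so it inherits the repository's default GITHUB_TOKEN permissions; `persist-credentials: false` keeps the token out of `.git/config` but does not narrow its scope. The hunk also deletes `timeout-minutes: 5` without restoring it in either job, so a malicious PR can now hold a runner for the 360-minute default. Add `permissions:` / `  contents: read` and `timeout-minutes: 5` directly under `build:` before `runs-on`. The `actions/cache@v4` post-step saves whatever the PR's install produced into a cache that, for `pull_request_target`, is scoped to the base branch; if its key is shared with runs on master (the key lies outside the hunk), that is a cache-poisoning path worth a PR-specific key or a restore-only cache step here.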
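Review bot: The deploy job feeds an artifact built from untrusted PR code into `cloudflare/wrangler-action@v3` together with deployment secrets, and the newly added `actions/upload-artifact@v4` / `actions/download-artifact@v4` steps (like every other `uses:` in the file) reference mutable major-version tags; for a `pull_request_target` workflow holding deploy credentials, pin each action to a full commit SHA, e.g. `uses: actions/download-artifact@<full-sha> # v4`, so a retagged or compromised action cannot reach the secrets. The `# Job 2` comment should state what remains attacker-controlled: `# Job 2: Deploy with secrets (only the PR-built dist artifact is used; no PR code is checked out or executed)`. Whether wrangler reads any configuration from the downloaded `src/dist` tree cannot be told here, since the wrangler step's `with:` inputs continue past the end of the hunk; confirm its config comes from action inputs rather than a file inside the artifact. This job, too, has no `timeout-minutes`.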