ci: implement prebuilt deploy with GitHub-linked deployments and hidden prod URL

JenyaL · JenyaL · commit 503fbbf63f21 · 2025-10-11T08:37:49.000-06:00
diff --git a/.github/workflows/ci-deploy.yml b/.github/workflows/ci-deploy.yml
@@ -2,9 +2,9 @@ name: CI + Deploy (prebuilt)
 
 on:
   push:
-    branches: [ '**' ]
+    branches: [ '**' ]       # prod only for main; others -> preview
   pull_request:
-    branches: [ main ]
+    branches: [ main ]       # PRs into main get preview link
 
 permissions:
   contents: read
@@ -23,33 +23,33 @@ jobs:
       # Checkout repo
       - uses: actions/checkout@v4
 
-      # Setup Node + cache
+      # Node + npm cache
       - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: 'npm'
 
-      # Install dependencies (CI preferred)
+      # Install deps
       - name: Install
         run: npm ci || npm install
 
-      # Lint if exists
+      # Lint if script exists
       - name: Lint
         run: npm run -s | grep -qE '(^| )lint( |:)' && npm run lint || echo "No lint script"
 
-      # Unit tests if exist
+      # Unit tests if script exists
       - name: Unit tests
         run: npm run -s | grep -qE '(^| )test( |:)' && npm test --ci --passWithNoTests=false || echo "No test script"
 
-      # E2E tests if exist
+      # E2E if script exists
       - name: E2E tests (optional)
         run: npm run -s | grep -qE '(^| )e2e( |:)' && npm run e2e || echo "No e2e script"
 
       # Project build
       - name: App build
         run: npm run build
 
-      # Short summary for PR checks
+      # Short build note
       - name: Build summary
         run: echo "Build & tests passed ✅" >> "$GITHUB_STEP_SUMMARY"
 
@@ -58,20 +58,20 @@ jobs:
     if: ${{ success() }}
     runs-on: ubuntu-latest
     steps:
-      # Checkout again for deploy context
+      # Fresh checkout for deploy context
       - uses: actions/checkout@v4
 
-      # Setup Node for Vercel CLI
+      # Node for Vercel CLI
       - uses: actions/setup-node@v4
         with:
           node-version: 18
           cache: 'npm'
 
-      # Install Vercel CLI
+      # Vercel CLI
       - name: Install Vercel CLI
         run: npm i -g vercel@latest
 
-      # Decide environment target
+      # Decide env: preview for PR/branches, production for main
       - name: Decide target
         id: tgt
         run: |
@@ -83,22 +83,22 @@ jobs:
             echo "target=preview" >> $GITHUB_OUTPUT
           fi
 
-      # Pull Vercel config + envs
+      # Pull project settings + envs
       - name: Pull Vercel project settings
         run: |
           vercel pull --yes \
             --environment "${{ steps.tgt.outputs.target }}" \
             --token "${{ env.VERCEL_TOKEN }}" \
             --scope "${{ env.VERCEL_ORG }}"
 
-      # Prebuild locally
+      # Build to .vercel/output (prebuilt)
       - name: Vercel prebuild
         run: |
           vercel build \
             --token "${{ env.VERCEL_TOKEN }}" \
             --scope "${{ env.VERCEL_ORG }}"
 
-      # Deploy prebuilt output (skip build on Vercel)
+      # Deploy prebuilt (no build on Vercel)
       - name: Deploy (prebuilt)
         id: deploy
         env:
@@ -113,14 +113,18 @@ jobs:
           echo "url=$URL" >> "$GITHUB_OUTPUT"
           echo "Deployed: $URL"
 
-      # Show summary in job checks
+      # Summary: hide prod URL, show preview URL
       - name: Summary
         run: |
           echo "### Deployment" >> "$GITHUB_STEP_SUMMARY"
           echo "- Target: **${{ steps.tgt.outputs.target }}**" >> "$GITHUB_STEP_SUMMARY"
-          echo "- URL: ${{ steps.deploy.outputs.url }}" >> "$GITHUB_STEP_SUMMARY"
+          if [ "${{ steps.tgt.outputs.target }}" = "production" ]; then
+            echo "- URL: (hidden for production)" >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "- URL: ${{ steps.deploy.outputs.url }}" >> "$GITHUB_STEP_SUMMARY"
+          fi
 
-      # Comment preview link for PR reviewers
+      # PR comment with preview link
       - name: Post Preview URL to PR
         if: ${{ github.event_name == 'pull_request' && steps.deploy.outputs.url != '' }}
         uses: actions/github-script@v7
@@ -132,24 +136,32 @@ jobs:
               body: `✅ Preview ready: ${{ steps.deploy.outputs.url }}`
             })
 
-      # Link deployment to merge commit (appears in PR "merged commit ..." line)
-      - name: Link deployment to merge commit
+      # GitHub Deployment card on commit:
+      # main → production (no URL); others → preview with URL
+      - name: Link deployment to commit
         if: ${{ github.event_name == 'push' && steps.deploy.outputs.url != '' }}
         uses: actions/github-script@v7
         with:
           script: |
-            const envName = '${{ github.ref_name }}';
+            const isProd = (context.ref === 'refs/heads/main');
+            const envName = isProd ? 'production' : context.ref.replace('refs/heads/', '');
+
             const { data: dep } = await github.rest.repos.createDeployment({
               ...context.repo,
               ref: context.sha,
               environment: envName,
               auto_merge: false,
               required_contexts: []
             });
-            await github.rest.repos.createDeploymentStatus({
+
+            const status = {
               ...context.repo,
               deployment_id: dep.id,
               state: 'success',
-              environment: envName,
-              environment_url: '${{ steps.deploy.outputs.url }}'
-            });
+              environment: envName
+            };
+            if (!isProd) {
+              status.environment_url = '${{ steps.deploy.outputs.url }}';
+            }
+
+            await github.rest.repos.createDeploymentStatus(status);
