81 changes: 7 additions & 74 deletions .github/workflows/publish-preview.yml
Expand Up @@ -5,78 +5,11 @@ on:
types: created

jobs:
is-fork-pull-request:
name: Determine whether this issue comment was on a pull request from a fork
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot publish-preview') }}
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
outputs:
IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
steps:
- uses: actions/checkout@v4
- name: Determine whether this PR is from a fork
id: is-fork
run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}

react-to-comment:
name: React to the comment
needs: is-fork-pull-request
# This ensures we don't publish on forks. We can't trust forks with this token.
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: React to the comment
run: |
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${REPO}/issues/comments/${COMMENT_ID}/reactions" \
-f content='+1'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMENT_ID: ${{ github.event.comment.id }}
REPO: ${{ github.repository }}

publish-preview:
name: Publish build preview
needs: react-to-comment
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Check out pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: true
- name: Get commit SHA
id: commit-sha
run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
- run: ./scripts/prepare-preview-builds.sh @metamask-previews ${{ steps.commit-sha.outputs.COMMIT_SHA }}
- run: yarn build
- name: Publish preview build
run: yarn npm publish --tag preview
env:
YARN_NPM_AUTH_TOKEN: ${{ secrets.PUBLISH_PREVIEW_NPM_TOKEN }}
- name: Post build preview in comment
run: ./scripts/generate-preview-build-message.sh | gh pr comment "${PR_NUMBER}" --body-file -
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }}
PR_NUMBER: ${{ github.event.issue.number }}
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot publish-preview') }}
uses: MetaMask/github-tools/.github/workflows/publish-preview.yml@prepare-preview-builds-action

Reusable workflow pinned to unstable feature branch

Medium Severity

The reusable workflow is referenced at @prepare-preview-builds-action, which looks like a feature branch on MetaMask/github-tools rather than a stable version tag or SHA. If merged, this workflow depends on a branch that could be deleted or force-pushed, breaking preview builds.

with:
is-monorepo: false
dry-run: true

Preview publish uses dry-run mode in production

High Severity

dry-run: true is set on the reusable preview publish workflow, which will prevent any preview builds from actually being published. Given the PR title "Test preview workflow," this appears to be a testing configuration that would break preview publishing for all PRs if merged.

secrets:
PUBLISH_PREVIEW_NPM_TOKEN: ${{ secrets.PUBLISH_PREVIEW_NPM_TOKEN }}
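Review bot: The remaining job hands `PUBLISH_PREVIEW_NPM_TOKEN` to the reusable workflow but declares no `permissions:` block, whereas every removed job scoped `GITHUB_TOKEN` explicitly to `contents: read` plus `pull-requests: read` or `pull-requests: write`. A called reusable workflow runs with a `GITHUB_TOKEN` bounded only by the caller's permissions, so with no block here the job falls back to the repository's default token permissions, which may be broader than anything the old jobs needed. Add a job-level `permissions:` with `contents: read` and `pull-requests: write` (the widest scope the previous `publish-preview` job used) so the called workflow inherits the same least-privilege token as before.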

Fork protection security check was removed entirely

Medium Severity

The old workflow explicitly checked whether the PR came from a fork (is-fork-pull-request job) and blocked publishing for fork PRs to prevent untrusted code from accessing the PUBLISH_PREVIEW_NPM_TOKEN secret. The new workflow removes this guard entirely at the caller level. If the reusable workflow doesn't implement equivalent fork protection, this could expose the npm publish token to fork PRs.
