Merged
64 changes: 31 additions & 33 deletions .github/workflows/ci.yml
Expand Up @@ -5,9 +5,13 @@ on:
pull_request:
pull_request_target:
types: [labeled]
workflow_dispatch:

jobs:
build-and-deploy:
if: >-
github.event_name != 'pull_request_target'
|| contains(github.event.pull_request.labels.*.name, 'trusted')
runs-on: ubuntu-latest
permissions:
deployments: write
Expand All @@ -18,15 +22,14 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
# Empty on push/workflow_dispatch — falls back to default ref
ref: "${{ github.event.pull_request.merge_commit_sha }}"

- uses: pnpm/action-setup@v2
with:
version: 10
- uses: pnpm/action-setup@v4

- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: "22"
node-version: "24"
cache: "pnpm"

- name: Install
Expand All @@ -40,8 +43,10 @@ jobs:
with:
{ add: "pnpm-lock.yaml", fetch: false, message: "Update lockfile" }

- name: Sync Astro types
- name: Generate types
run: pnpm astro sync
env:
OG_IMAGE_SECRET: placeholder

- name: Run linter
run: pnpm lint --quiet
Expand All @@ -63,50 +68,45 @@ jobs:
id: test
run: pnpm test

- name: Upload Playwright artifacts
if: failure()
- name: Upload Playwright report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: playwright-artifacts
path: playwright-report
name: playwright-report
path: playwright-report/
retention-days: 7

- name: Deploy Production to Vercel
if: github.ref_name == 'main'
if: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'main' }}
run:
node .github/scripts/deploy.mjs --token=${{ secrets.VERCEL_TOKEN }}
--prod

- name: Deploy Preview to Vercel
if:
${{ github.event_name != 'push' && (!github.event.pull_request.head.repo.fork ||
${{ github.event_name != 'push' && github.event_name != 'workflow_dispatch' &&
(!github.event.pull_request.head.repo.fork ||
(github.event_name == 'pull_request_target' &&
contains(github.event.pull_request.labels.*.name, 'trusted'))) }}
run: node .github/scripts/deploy.mjs --token=${{ secrets.VERCEL_TOKEN }}

- name: Debug Conditions
run: |
echo "Event: ${{ github.event_name }}"
echo "Is fork: ${{ github.event.pull_request.head.repo.fork }}"
echo "Ref name: ${{ github.ref_name }}"
echo "Has trusted: ${{ contains(github.event.pull_request.labels.*.name, 'trusted') }}"
echo "Condition eval: ${{ !github.event.pull_request.head.repo.fork || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted')) }}"

- name: Create GitHub Preview Deployment
uses: chrnorm/deployment-action@v2
if:
${{ !github.event.pull_request.head.repo.fork || (github.event_name ==
'pull_request_target' &&
contains(github.event.pull_request.labels.*.name, 'trusted')) }}
${{ github.event_name != 'push' && github.event_name != 'workflow_dispatch' &&
(!github.event.pull_request.head.repo.fork ||
(github.event_name == 'pull_request_target' &&
contains(github.event.pull_request.labels.*.name, 'trusted'))) }}
uses: chrnorm/deployment-action@v2
with:
token: "${{ github.token }}"
environment-url: https://${{ env.DEPLOYMENT_ALIAS }} # <- set by deploy.mjs
environment-url: https://${{ env.DEPLOYMENT_ALIAS }}
environment: Preview
production-environment: false
initial-status: success
ref: ${{ github.event.pull_request.merge_commit_sha }}

- name: Create GitHub Production Deployment
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
if: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'main' }}
uses: chrnorm/deployment-action@v2
with:
token: "${{ github.token }}"
Expand All @@ -121,15 +121,13 @@ jobs:
needs: build-and-deploy
runs-on: ubuntu-latest
if:
${{ !github.event.pull_request.head.repo.fork || (github.event_name ==
'pull_request_target' && contains(github.event.pull_request.labels.*.name,
'trusted')) }}
${{ !github.event.pull_request.head.repo.fork ||
(github.event_name == 'pull_request_target' &&
contains(github.event.pull_request.labels.*.name, 'trusted')) }}
steps:
- uses: actions/checkout@v4
- name: Audit Preview
- name: Audit URLs
uses: treosh/lighthouse-ci-action@v12
# todo: we should post a link to report to the PR in a sticky comment
# this prints " No GitHub token set, skipping GitHub status check.""
with:
urls: |
https://${{ needs.build-and-deploy.outputs.deployment }}/
Expand All @@ -146,7 +144,7 @@ jobs:
steps:
- name: Remove trusted label
run: |
gh api /repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -X DELETE -F label=trusted
gh api /repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/trusted -X DELETE
env:
GITHUB_TOKEN: "${{ github.token }}"

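Review bot: The checkout at `ref: "${{ github.event.pull_request.merge_commit_sha }}"` still places PR-controlled code in the workspace of a job that holds `deployments: write` and later passes `secrets.VERCEL_TOKEN` to `node .github/scripts/deploy.mjs`, while the new job-level `if:` only checks that a `trusted` label is present on the PR, not which commit was reviewed. On `pull_request_target` the install, `pnpm astro sync`, lint and test steps, and the deploy script itself, all come from the PR's tree, so any commit pushed between review and labelling runs alongside the token. Consider splitting this into an unprivileged build job that has no secrets and uploads the built output, and a deploy job that checks out only the base ref and consumes that artifact; as a smaller step, pass the token through `env: VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}` rather than on the command line (assuming deploy.mjs can read it from the environment). `merge_commit_sha` can also be empty while mergeability is still being computed, in which case the fallback described in the added comment would presumably build the base branch instead of the PR, so failing fast on an empty value for PR events would be safer. The same label-only condition recurs in the Preview deploy, Preview deployment-creation and Lighthouse `if:` expressions.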