From 5054ade27962037b08a7bb3803a92730efdf673f Mon Sep 17 00:00:00 2001
From: findolor <16416963+findolor@users.noreply.github.com>
Date: Thu, 14 May 2026 10:47:36 +0000
Subject: [PATCH] ci: remove PR target Vercel preview workflow (#2573)

## Related Issue
Fixes RAI-538
- [RAI-538: Remove PR target Vercel preview workflow](https://linear.app/makeitrain/issue/RAI-538/remove-pr-target-vercel-preview-workflow)
## Motivation
The PR-target Vercel preview workflow is no longer needed. Removing it also eliminates the privileged `pull_request_target` path that checked out and built PR head code before using preview deployment secrets.
## Solution
- Delete the Vercel preview PR-target workflow.
- Keep the existing internal branch Vercel preview workflow unchanged.
## Checks
By submitting this for review, I confirm I have done the following:
- [x] made this PR as small as possible
- [ ] unit-tested any new functionality
- [x] linked any relevant issues or PRs
- [ ] included screenshots (if this involves a front-end change)
Additional validation run:
- `rg -n "pull_request_target" .github/workflows || true`
- `git diff --check main...HEAD`
## Summary by CodeRabbit
* **Chores**
* Removed pull request preview deployment workflow
---
 .../workflows/vercel-preview-pr-target.yaml | 105 ------------------
 1 file changed, 105 deletions(-)
 delete mode 100644 .github/workflows/vercel-preview-pr-target.yaml

diff --git a/.github/workflows/vercel-preview-pr-target.yaml b/.github/workflows/vercel-preview-pr-target.yaml
deleted file mode 100644
index 48da26a3e1..0000000000
--- a/.github/workflows/vercel-preview-pr-target.yaml
+++ /dev/null
@@ -1,105 +0,0 @@
-##
-## SECURITY MODEL FOR VERCEL PREVIEW DEPLOYS (PR TARGET) — READ BEFORE EDITING
-##
-## This workflow allows preview deploys for fork PRs with strict safeguards:
-## - Uses pull_request_target so secrets are available only in the base repo context.
-## - Additionally requires a maintainer to add the 'vercel-preview' label AND approve the 'vercel-preview' environment.
-## - Never runs when files in '.github/workflows/**' change (paths-ignore).
-## - Builds PR code WITHOUT secrets using a placeholder env value.
-## - Secrets are passed only to the Vercel CLI steps (not to build/test steps).
-## - Shell runs with 'bash --noprofile --norc -euo pipefail'.
-## - The Vercel CLI is invoked via an absolute path stored in $VERCEL_BIN to avoid PATH hijacking.
-##
-## WARNING: Changing any of the following may break the security model:
-## - Triggers (pull_request_target), label requirement, or environment approval.
-## - The '.github/workflows/**' paths-ignore.
-## - Introducing PR-controlled inputs into steps that use secrets.
-## - Relaxing the shell/ PATH hardening, or calling 'vercel' via PATH.
-## - Moving secrets to top-level env or earlier steps.
-## If you modify this file, re-validate these invariants.
-## -name: GitHub Actions Vercel Preview Deployment (PR Target) -on: - pull_request_target: - types: [opened, synchronize, reopened, labeled] - paths-ignore: - - ".github/workflows/**" -concurrency: - group: ${{ format('pr-{0}-vercel-preview', github.event.pull_request.number) }} - cancel-in-progress: true -jobs: - Deploy-Preview-PR: - if: contains(github.event.pull_request.labels.*.name, 'vercel-preview') - runs-on: ubuntu-latest - permissions: - contents: read - env: - COMMIT_SHA: ${{ github.sha }} - environment: vercel-preview - steps: - - name: Checkout PR head - uses: actions/checkout@v4 - with: - submodules: recursive - fetch-depth: 0 - repository: ${{ github.event.pull_request.head.repo.full_name }} - ref: ${{ github.event.pull_request.head.sha }} - persist-credentials: false - - uses: nixbuild/nix-quick-install-action@v30 - with: - nix_conf: | - keep-env-derivations = true - keep-outputs = true - - - run: ./prep-webapp.sh - env: - PUBLIC_WALLETCONNECT_PROJECT_ID: test - - - run: nix develop .#webapp-shell -c npm run build - working-directory: packages/webapp - env: - PUBLIC_WALLETCONNECT_PROJECT_ID: test - - # check for npm package blacklists pkgs across all packages - - uses: rainlanguage/github-chore/.github/actions/npm-blacklist@main - - - uses: rainlanguage/github-chore/.github/actions/npm-blacklist@main - with: - working-directory: packages/orderbook - - - uses: rainlanguage/github-chore/.github/actions/npm-blacklist@main - with: - working-directory: packages/ui-components - - - name: Install Vercel CLI (local, pinned) - shell: bash --noprofile --norc -euo pipefail {0} - run: | - VERCEL_DIR="$(mktemp -d)" - npm install --no-audit --no-fund --no-save --ignore-scripts --prefix "$VERCEL_DIR" vercel@51.8.0 - echo "VERCEL_BIN=$VERCEL_DIR/node_modules/.bin/vercel" >> "$GITHUB_ENV" - test -x "$VERCEL_DIR/node_modules/.bin/vercel" - - name: Pull Vercel Environment Information - shell: bash --noprofile --norc -euo pipefail {0} - env: - VERCEL_ORG_ID: ${{ 
secrets.VERCEL_ORG_ID_PREVIEWS }} - VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_PREVIEWS }} - VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN_PREVIEWS }} - run: | - "$VERCEL_BIN" pull --yes --environment=preview --token="$VERCEL_TOKEN" - - name: Deploy Project Artifacts to Vercel - shell: bash --noprofile --norc -euo pipefail {0} - env: - VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID_PREVIEWS }} - VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_PREVIEWS }} - VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN_PREVIEWS }} - run: | - "$VERCEL_BIN" deploy --prebuilt --token="$VERCEL_TOKEN" packages/webapp - - # forwards status to telegram chat if this ci fails or gets canceled, only runs for default branch - - name: Forward CI Status - if: always() - uses: rainlanguage/github-chore/.github/actions/telegram-status-report@main - with: - status: ${{ job.status }} - telegram-bot-token: ${{ secrets.TELEGRAM_BOT_TOKEN }} - telegram-chat-id: ${{ secrets.TELEGRAM_CHAT_ID }}