Skip to content

feat: deploy dev pages preview for fork pull requests#122

Draft
amanabiy wants to merge 2 commits into
mainfrom
feat/allow-test-pages-for-prs
Draft

feat: deploy dev pages preview for fork pull requests#122
amanabiy wants to merge 2 commits into
mainfrom
feat/allow-test-pages-for-prs

Conversation

@amanabiy

@amanabiy amanabiy commented Jul 1, 2026

Copy link
Copy Markdown
Member

Description of changes:
Forked-PR workflows run without secrets, so they can't deploy previews. Add a workflow_run-based privileged deploy that runs after the build, behind the existing environment approval gate, so a maintainer can approve and publish a fork's dev-pages preview.

Approach:

  • The build stays on pull_request (unprivileged, no secrets) and uploads the dev-pages artifact this already works for forks.
  • A new workflow_run triggered deploy runs after the build, from the default branch, with secrets, and never checks out or runs fork code. It only downloads the prebuilt artifact and uploads it via the existing deploy-static action.

How consuming repos use it
Each repo does two small things: let its build run for forks (so the artifact is produced), and add a tiny workflow_run wrapper that calls this reusable workflow. The wrapper is the only new per-repo file (workflow_run must live in the same repo).

for example for chat-components example draft PR

Issue #, if available: AWSUI-53554

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@amanabiy amanabiy force-pushed the feat/allow-test-pages-for-prs branch from 36cb4af to f0556ec Compare July 1, 2026 09:59
@amanabiy amanabiy force-pushed the feat/allow-test-pages-for-prs branch from f0556ec to 4a09a15 Compare July 1, 2026 10:00
if: github.event_name == 'pull_request'
if: >
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Internal PRs only. Fork PRs can't deploy here (no secrets), and they are handled separately by deploy-fork-preview.yml. Keeping this guard here means consumers don't need to add it to their own deploy caller job.

runs-on: ubuntu-latest
continue-on-error: true
environment:
name: fork-${{ inputs.artifact-name }}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a separate environment is helpful for example, if we later want to require an extra layer of approval before forked-PR previews are deployed, we can enable it on this environment.

with:
name: ${{ inputs.artifact-name }}
path: build
run-id: ${{ github.event.workflow_run.id }}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the artifact lives in the build run (a different run), so we fetch it by run-id via the REST API (hence github-token + actions: read). The run id comes from the caller's workflow_run payload.

@amanabiy amanabiy marked this pull request as ready for review July 1, 2026 10:13
@amanabiy amanabiy requested a review from a team as a code owner July 1, 2026 10:13
@amanabiy amanabiy requested review from avinashbot and removed request for a team July 1, 2026 10:13
id: deploy
uses: cloudscape-design/actions/.github/actions/deploy-static@main
with:
role-to-assume: ${{ secrets.AWS_PREVIEW_ROLE_ARN }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do the secrets work on workflows running for forks? Is there a risk that a fork can modify the workflow on their end to log out the secrets? Or are we relying on manual approval of the deploys to enforce that?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It mainly relies on human review to make sure we don't deploy anything unexpected. On top of that, we can add an approval step on each repository's environment so every deployment is intentional.

Is it gated technically/automatically? Yes, unless I missed something, what I did is split the flow: the artifact is built in the pull_request run, where no secrets are available, and a separate workflow only uploads that pre-built artifact so the run that has the secrets never builds or runs the fork's code.

name: Deploy fork preview

on:
workflow_call:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A new workflow_run triggered deploy

This uses workflow_call — should there be some other workflow that calls this? Or should this be workflow_run?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is called from the workflow_run of other repositories. For example, in chat-components I will add a workflow that will fire after the build end, and it will be using this deply fork preview workflow_call.

Pass --no-follow-symlinks to  so the deploy step never dereferences symlinks in the source directory.

The deploy runs with the AWS preview credentials, and for fork PR previews. Without this flag,  follows symlinks by default, so a symlink planted in the artifact could cause the runner's temporary AWS credentials to be copied into the public, CloudFront-fronted preview bucket.
@amanabiy amanabiy marked this pull request as draft July 1, 2026 13:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants