fix(security): PR Previews from Forks (#458)

AdrianGonz97 · kashike · web-flow · commit f9f15b240e13 · 2024-08-11T23:06:56.000-07:00
* apply fix

* Update build-preview.yaml

* Update deploy-preview.yaml

---------

Co-authored-by: Riley Park &lt;rileysebastianpark@gmail.com&gt;
diff --git a/.github/workflows/build-preview.yaml b/.github/workflows/build-preview.yaml
@@ -1,14 +1,13 @@
-name: "Deploy to Cloudflare Pages (Preview)"
+name: "Build Preview Deployment"
 
-on: [pull_request_target]
+on:
+  pull_request:
+    types: [opened, synchronize]
 
 jobs:
-  deploy:
+  build-preview:
     runs-on: "ubuntu-latest"
-    permissions:
-      contents: read
-      deployments: write
-      pull-requests: write
+    name: "Build Preview Site and Upload Build Artifact"
     steps:
       - name: "checkout"
         uses: "actions/checkout@v4"
@@ -34,13 +33,8 @@ jobs:
         run: |
           cp _headers build/
           cp _redirects build/
-      - name: "publish (push)"
-        id: "cloudflare-publish"
-        uses: "AdrianGonz97/refined-cf-pages-action@v1"
+      - name: "upload build artifact"
+        uses: "actions/upload-artifact@v4"
         with:
-          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          projectName: "papermc-docs"
-          deploymentName: "Preview"
-          gitHubToken: ${{ secrets.GITHUB_TOKEN }}
-          directory: "build"
+          name: "preview-build"
+          path: "build"
diff --git a/.github/workflows/deploy-preview.yaml b/.github/workflows/deploy-preview.yaml
@@ -0,0 +1,37 @@
+name: "Publish Preview Deployment"
+
+on:
+  workflow_run:
+    workflows: ["Build Preview Deployment"]
+    types:
+      - completed
+
+permissions:
+  actions: read
+  contents: read
+  deployments: write
+  pull-requests: write
+
+jobs:
+  deploy-preview:
+    runs-on: "ubuntu-latest"
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    name: "Deploy Preview to Cloudflare Pages"
+    steps:
+      - name: "Download build artifact"
+        uses: "actions/download-artifact@v4"
+        id: "preview-build-artifact"
+        with:
+          name: "preview-build"
+          path: "build"
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: "Deploy to Cloudflare Pages"
+        uses: "AdrianGonz97/refined-cf-pages-action@v1"
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          projectName: "papermc-docs"
+          deploymentName: "Preview"
+          directory: ${{ steps.preview-build-artifact.outputs.download-path }}
