Skip to content

Commit ef0db9d

Browse files
Gate Pages preview build/deploy to trusted authors
This workflow uses pull_request_target and checks out untrusted PR code, then builds and deploys it to a public preview domain. Add an author guard so only same-repo PRs and trusted authors (OWNER/MEMBER/COLLABORATOR) build and deploy automatically. Also re-enables the workflow (previously disabled). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 23eaaed commit ef0db9d

1 file changed

Lines changed: 74 additions & 65 deletions

File tree

Lines changed: 74 additions & 65 deletions
Original file line numberDiff line numberDiff line change
@@ -1,65 +1,74 @@
1-
# # This workflow uses actions that are not certified by GitHub.
2-
# # They are provided by a third-party and are governed by
3-
# # separate terms of service, privacy policy, and support
4-
# # documentation.
5-
#
6-
# # Sample workflow for building and deploying a Jekyll site to GitHub Pages
7-
# name: Deploy Jekyll site to Pages preview environment
8-
# on:
9-
# # Runs on pull requests targeting the default branch
10-
# pull_request_target:
11-
# branches: ["main"]
12-
# # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
13-
# permissions:
14-
# contents: read
15-
# pages: write
16-
# id-token: write
17-
# # Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
18-
# # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
19-
# concurrency:
20-
# group: "pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
21-
# cancel-in-progress: false
22-
# jobs:
23-
# # Build job
24-
# build:
25-
# environment:
26-
# name: "Pages Preview"
27-
# # Limit permissions of the GITHUB_TOKEN for untrusted code
28-
# permissions:
29-
# contents: read
30-
# runs-on: ubuntu-latest
31-
# steps:
32-
# - name: Checkout
33-
# uses: actions/checkout@v6.0.2
34-
# with:
35-
# # For PRs make sure to checkout the PR branch
36-
# ref: ${{ github.event.pull_request.head.sha }}
37-
# repository: ${{ github.event.pull_request.head.repo.full_name }}
38-
# - name: Setup Pages
39-
# uses: actions/configure-pages@v6.0.0
40-
# - name: Build with Jekyll
41-
# uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1
42-
# with:
43-
# source: ./
44-
# destination: ./_site
45-
# - name: Upload artifact
46-
# # Automatically uploads an artifact from the './_site' directory by default
47-
# uses: actions/upload-pages-artifact@v5.0.0
48-
# # Deployment job
49-
# deploy:
50-
# environment:
51-
# name: "Pages Preview"
52-
# url: ${{ steps.deployment.outputs.page_url }}
53-
# # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
54-
# permissions:
55-
# contents: read
56-
# pages: write
57-
# id-token: write
58-
# runs-on: ubuntu-latest
59-
# needs: build
60-
# steps:
61-
# - name: Deploy to GitHub Pages
62-
# id: deployment
63-
# uses: actions/deploy-pages@v5.0.0
64-
# with:
65-
# preview: "true"
1+
# This workflow uses actions that are not certified by GitHub.
2+
# They are provided by a third-party and are governed by
3+
# separate terms of service, privacy policy, and support
4+
# documentation.
5+
6+
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
7+
name: Deploy Jekyll site to Pages preview environment
8+
on:
9+
# Runs on pull requests targeting the default branch
10+
pull_request_target:
11+
branches: ["main"]
12+
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
13+
permissions:
14+
contents: read
15+
pages: write
16+
id-token: write
17+
# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
18+
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
19+
concurrency:
20+
group: "pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
21+
cancel-in-progress: false
22+
jobs:
23+
# Build job
24+
build:
25+
# Only build/deploy PRs from trusted authors: this workflow checks out
26+
# untrusted PR code and deploys it to a public preview domain.
27+
# `author_association` is re-evaluated on every event and cannot be set by the
28+
# PR author (unlike a label). To also allow previews for other contributors,
29+
# add Required Reviewers to the "Pages Preview" environment rather than
30+
# widening this condition.
31+
if: >-
32+
github.event.pull_request.head.repo.full_name == github.repository ||
33+
contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association)
34+
environment:
35+
name: "Pages Preview"
36+
# Limit permissions of the GITHUB_TOKEN for untrusted code
37+
permissions:
38+
contents: read
39+
runs-on: ubuntu-latest
40+
steps:
41+
- name: Checkout
42+
uses: actions/checkout@v6.0.2
43+
with:
44+
# For PRs make sure to checkout the PR branch
45+
ref: ${{ github.event.pull_request.head.sha }}
46+
repository: ${{ github.event.pull_request.head.repo.full_name }}
47+
- name: Setup Pages
48+
uses: actions/configure-pages@v6.0.0
49+
- name: Build with Jekyll
50+
uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1
51+
with:
52+
source: ./
53+
destination: ./_site
54+
- name: Upload artifact
55+
# Automatically uploads an artifact from the './_site' directory by default
56+
uses: actions/upload-pages-artifact@v5.0.0
57+
# Deployment job
58+
deploy:
59+
environment:
60+
name: "Pages Preview"
61+
url: ${{ steps.deployment.outputs.page_url }}
62+
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
63+
permissions:
64+
contents: read
65+
pages: write
66+
id-token: write
67+
runs-on: ubuntu-latest
68+
needs: build
69+
steps:
70+
- name: Deploy to GitHub Pages
71+
id: deployment
72+
uses: actions/deploy-pages@v5.0.0
73+
with:
74+
preview: "true"

0 commit comments

Comments
 (0)