11name : Test build
22
33on :
4- # Triggered by human-created PRs. Checks out the PR branch directly so all
5- # changes (docs, config, workflows) are tested as-is.
64 pull_request :
75 branches :
86 - main
9- # Triggered by bot-created PRs (e.g. automated submodule updates from
10- # github-actions[bot]). Using pull_request_target so the workflow fires even
11- # when the PR author is a bot — pull_request is intentionally suppressed by
12- # GitHub for bot authors to prevent infinite loops.
13- # The job condition below ensures this path only runs for bot PRs, so human
14- # PRs are never handled by both triggers at the same time.
15- pull_request_target :
16- branches :
17- - main
7+ # Review gh actions docs if you want to further define triggers, paths, etc
8+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on
189 workflow_dispatch :
1910 inputs :
2011 ref :
@@ -26,53 +17,17 @@ jobs:
2617 test-deploy :
2718 name : Test build
2819 runs-on : ubuntu-latest
29- # For pull_request_target: only run when the PR was opened by the bot.
30- # Human PRs are already covered by the pull_request trigger above, so we
31- # skip them here to avoid double runs and prevent untrusted PR code from
32- # running in the pull_request_target context (which has secrets access).
33- if : >
34- github.event_name == 'workflow_dispatch' ||
35- github.event_name == 'pull_request' ||
36- (github.event_name == 'pull_request_target' && github.event.pull_request.user.login == 'github-actions[bot]')
3720 steps :
38- # For human PRs (pull_request): checks out the PR branch so all changes
39- # are tested, including config and workflow file modifications.
40- # For bot PRs (pull_request_target): checks out main to ensure only
41- # trusted build scripts are executed — the submodule override step below
42- # then injects the new submodule content from the PR.
43- # For manual runs (workflow_dispatch): uses the provided ref or falls
44- # back to main.
4521 - uses : actions/checkout@v4
4622 with :
47- ref : ${{ inputs.ref || (github.event_name == 'pull_request_target' && 'main') || github.sha }}
23+ ref : ${{ inputs.ref || github.sha }}
4824 fetch-depth : 0
4925 submodules : recursive
50-
51- # Only runs for bot PRs (pull_request_target).
52- # Safely injects the new submodule content from the PR without checking
53- # out any PR-branch code: the GitHub API is used to resolve which
54- # submodule changed and to what SHA, then that SHA is fetched directly
55- # from the provider repo. Build scripts always come from main.
56- - name : Override changed submodule with PR content
57- if : github.event_name == 'pull_request_target'
58- env :
59- GH_TOKEN : ${{ github.token }}
60- run : |
61- CHANGED=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files --jq '.[].filename')
62- for path in $CHANGED; do
63- if git submodule status "$path" > /dev/null 2>&1; then
64- NEW_SHA=$(gh api "repos/${{ github.repository }}/contents/${path}?ref=${{ github.event.pull_request.head.sha }}" --jq '.sha')
65- cd "$path"
66- git fetch origin
67- git checkout "$NEW_SHA"
68- cd -
69- fi
70- done
71-
7226 - uses : actions/setup-node@v4
7327 with :
7428 node-version : 20
7529 cache : npm
30+
7631 - name : Install dependencies
7732 run : npm ci
7833 - name : Test build website
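Review bot: The `actions/checkout@v4` step at new line 21 keeps the default credential persistence, so the job token stays in the local git config while `npm ci` and the build run code that comes from the pull request; adding `persist-credentials: false` under `with:`, next to `ref: ${{ inputs.ref || github.sha }}`, removes it. No `permissions:` key is visible on `test-deploy` (new lines 12–16 are not shown, so it may be set at workflow level); if it is not set anywhere, `permissions:` with `contents: read` on the job keeps the token read-only for same-repository PRs too. With the `pull_request_target` trigger gone, PRs opened by `github-actions[bot]` will no longer start this workflow, going by the removed comment, so submodule-update PRs would need a manual `workflow_dispatch` run with `ref` set to get a test build. The final step, `Test build website`, continues past the end of the hunk.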