cloudflare
diff --git a/‎.github/actions/setup/action.yaml‎
Lines changed: 28 additions & 0 deletions b/‎.github/actions/setup/action.yaml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 90 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎.github/workflows/branches.yaml‎
Lines changed: 0 additions & 24 deletions b/‎.github/workflows/branches.yaml‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎.github/workflows/main.yaml‎
Lines changed: 6 additions & 13 deletions b/‎.github/workflows/main.yaml‎
Lines changed: 6 additions & 13 deletions
diff --git a/‎.github/workflows/pull-request-dont-block-previews.yaml‎
Lines changed: 26 additions & 0 deletions b/‎.github/workflows/pull-request-dont-block-previews.yaml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎.github/workflows/pull-request-workflow-run.yaml‎
Lines changed: 71 additions & 0 deletions b/‎.github/workflows/pull-request-workflow-run.yaml‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎.github/workflows/pull-request.yaml‎
Lines changed: 39 additions & 0 deletions b/‎.github/workflows/pull-request.yaml‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 23 additions & 0 deletions b/‎.github/workflows/release.yaml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/workflows/staging.yaml‎
Lines changed: 12 additions & 13 deletions b/‎.github/workflows/staging.yaml‎
Lines changed: 12 additions & 13 deletions
@@ -0,0 +1,28 @@
+name: "Setup Environment"
+description: "Performs the repo setup including cloning, dependency installation, and node setup."
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v4
+
+    - name: Cache turbo build setup
+      uses: actions/cache@v4
+      with:
+        path: .turbo
+        key: ${{ runner.os }}-turbo-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-turbo-
+
+    - name: Install pnpm
+      uses: pnpm/action-setup@v4
+
+    - name: Use Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: "20.x"
+        cache: "pnpm"
+
+    - name: Install dependencies
+      run: pnpm install --frozen-lockfile --child-concurrency=10
+      shell: bash
@@ -10,4 +10,94 @@ updates:
       - "**/*"
     target-branch: "staging"
     schedule:
+      # just in time for on-call handoff
       interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/New_York"
+    groups:
+      # consolidates dependabot PRs into a single grouped PR
+      non-breaking-wrangler-updates:
+        applies-to: version-updates
+        patterns:
+          - "wrangler"
+        update-types:
+          - "minor"
+          - "patch"
+      breaking-wrangler-updates:
+        applies-to: version-updates
+        patterns:
+          - "wrangler"
+        update-types:
+          - "major"
+      non-breaking-vite-updates:
+        applies-to: version-updates
+        patterns:
+          - "vite"
+          - "vitest"
+          - "@cloudflare/vite*"
+        update-types:
+          - "minor"
+          - "patch"
+      breaking-vite-updates:
+        applies-to: version-updates
+        patterns:
+          - "vite"
+          - "vitest"
+          - "@cloudflare/vite*"
+        update-types:
+          - "major"
+      non-breaking-typescript-updates:
+        applies-to: version-updates
+        patterns:
+          - "typescript"
+        update-types:
+          - "minor"
+          - "patch"
+      breaking-typescript-updates:
+        applies-to: version-updates
+        patterns:
+          - "typescript"
+        update-types:
+          - "major"
+      non-breaking-eslint-updates:
+        applies-to: version-updates
+        patterns:
+          - "eslint*"
+        update-types:
+          - "minor"
+          - "patch"
+      breaking-eslint-updates:
+        applies-to: version-updates
+        patterns:
+          - "eslint*"
+        update-types:
+          - "major"
+      non-breaking-react-updates:
+        applies-to: version-updates
+        patterns:
+          - "react"
+          - "react-dom"
+        update-types:
+          - "minor"
+          - "patch"
+      breaking-react-updates:
+        applies-to: version-updates
+        patterns:
+          - "react"
+          - "react-dom"
+        update-types:
+          - "major"
+      non-breaking-astro-updates:
+        applies-to: version-updates
+        patterns:
+          - "@astro/*"
+        update-types:
+          - "minor"
+          - "patch"
+      breaking-astro-updates:
+        applies-to: version-updates
+        patterns:
+          - "astro/*"
+        update-types:
+          - "major"
@@ -5,26 +5,19 @@ on:
     branches: ["main"]
 
 jobs:
-  check-and-deploy:
+  check-and-deploy-main:
     name: Check and Deploy
     runs-on: ubuntu-latest
     timeout-minutes: 20
-    concurrency: templates-check-and-deploy
+    concurrency: templates-check-and-deploy-main
     env:
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       TEMPLATES_API_CLIENT_ID: ${{ secrets.TEMPLATES_API_CLIENT_ID }}
       TEMPLATES_API_CLIENT_SECRET: ${{ secrets.TEMPLATES_API_CLIENT_SECRET }}
     steps:
       - uses: actions/checkout@v4
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-      - name: Use Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20.x"
-          cache: "pnpm"
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm -w check:ci
-      - run: pnpm run deploy
-      - run: pnpm run upload
+      - uses: ./.github/actions/setup
+      - run: pnpm -w check
+      - run: pnpm -w test
+      - run: pnpm -w deploy
@@ -0,0 +1,26 @@
+# runs additional checks that can block the PR, but still allow preview links to be generated
+name: "Pull Request Supplemental Checks"
+
+on:
+  pull_request: # this action runs in an untrusted but secure context with no secrets
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  supplemental-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-check
+      cancel-in-progress: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup
+
+      - name: Validate live demo links
+        run: pnpm -w validate-live-demo-links
+
+      - name: Validate Deploy to Cloudflare buttons
+        run: pnpm -w validate-d2c-buttons
@@ -0,0 +1,71 @@
+name: "Pull Request Workflow Run"
+
+on:
+  workflow_run: # this action runs in a trusted context, but passed info from the "Pull Request" untrusted workflow
+    workflows: ["Pull Request"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+env:
+  PR_DIR: "_pr"
+  PR_ZIP: "_pr.zip"
+  PREVIEW_DIR: "_preview-templates"
+
+jobs:
+  preview:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      TEMPLATES_API_CLIENT_ID: ${{ secrets.TEMPLATES_API_CLIENT_ID }}
+      TEMPLATES_API_CLIENT_SECRET: ${{ secrets.TEMPLATES_API_CLIENT_SECRET }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup
+
+      - name: "Download pull request info"
+        uses: actions/github-script@v7
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            var path = require('path');
+            fs.writeFileSync(path.join('${{github.workspace}}', process.env.PR_ZIP), Buffer.from(download.data));
+
+      - name: "Load PR info into environment variables"
+        run: mkdir $PR_DIR && unzip $PR_ZIP -d $PR_DIR && cat $PR_DIR/env >> $GITHUB_ENV
+        #
+        # Note: Checking out the source of the PR means checking out untrusted code.
+        # We shouldn't run any tests or package installs past this point.
+        # Simply checking out to fetch the files is reasonable, however.
+        # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+        #
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.PR_REPOSITORY }}
+          ref: ${{ env.PR_REF }}
+          path: ${{ env.PREVIEW_DIR }}
+          persist-credentials: "false"
+
+      - name: "Make preview"
+        run: |
+          pnpm -w preview $PREVIEW_DIR \
+            --repoFullName $PR_REPOSITORY \
+            --branch $PR_REF \
+            --pr $PR_ID
@@ -0,0 +1,39 @@
+name: "Pull Request"
+
+on:
+  pull_request: # this action runs in an untrusted but secure context with no secrets
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-check
+      cancel-in-progress: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup
+
+      - name: Run checks
+        run: pnpm -w check
+
+      - name: Run tests
+        run: pnpm -w test
+
+      - name: Save PR info # extract the info we need to run in the trusted context later
+        run: |
+          mkdir -p ./pr
+          echo PR_ID=${{ github.event.number }} >> ./pr/env
+          echo PR_REPOSITORY=${{ github.event.pull_request.head.repo.full_name }} >> ./pr/env
+          echo PR_SHA=${{ github.event.pull_request.head.sha }} >> ./pr/env
+          echo PR_REF=${{ github.event.pull_request.head.ref }} >> ./pr/env
+
+      - name: Upload PR info
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr
+          path: pr/
@@ -0,0 +1,23 @@
+name: "Release"
+
+on:
+  release:
+    types:
+      - released
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-upload
+      cancel-in-progress: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup
+
+      - name: Make templates live and publicly accessible in the dash
+        run: |
+          pnpm run upload . \
+            --repoFullName ${{ github.repository }} \
+            --branch ${{ github.ref_name }}
@@ -5,25 +5,24 @@ on:
     branches: ["staging"]
 
 jobs:
-  check-and-deploy:
-    name: Check and Deploy
+  check-and-upload-staging:
+    name: Check and Upload
     runs-on: ubuntu-latest
     timeout-minutes: 20
-    concurrency: templates-check-and-deploy
+    concurrency: templates-check-and-upload-staging
     env:
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       TEMPLATES_API_CLIENT_ID: ${{ secrets.TEMPLATES_API_CLIENT_ID }}
       TEMPLATES_API_CLIENT_SECRET: ${{ secrets.TEMPLATES_API_CLIENT_SECRET }}
     steps:
       - uses: actions/checkout@v4
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-      - name: Use Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20.x"
-          cache: "pnpm"
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm -w check:ci
-      - run: pnpm run upload --staging
+      - uses: ./.github/actions/setup
+
+      - run: pnpm -w check
+      - run: pnpm -w test
+      - run: |
+          pnpm run upload . \
+            --staging \
+            --repoFullName ${{ github.repository }} \
+            --branch ${{ github.ref_name }}