upload-preview-tarballs #3195
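# This workflow uploads preview tarballs to Vercel Blob after build-and-deploy
# completes. It uses workflow_run so it always executes the DEFAULT BRANCH
# version of this file -- an attacker who modifies this file on a feature branch
# cannot change the code that touches the blob write token.
#
# Trust boundary: the workflow file, the checked-out upload script and the
# installed dependencies all come from the default branch. The downloaded
# artifact is the only input produced by the triggering run, so it is handled
# as untrusted data: it is fetched after dependency install and into
# runner.temp, not into the checkout.
name: upload-preview-tarballs

on:
  workflow_run:
    workflows: ['build-and-deploy']
    types: [completed]

env:
  # Quoted so the value stays a string whatever YAML parser reads this file.
  NODE_LTS_VERSION: '20'

# Read-only token: `actions: read` is what the cross-run artifact download
# below uses; nothing in this file needs write access to the repository.
permissions:
  actions: read
  contents: read

jobs:
  upload:
    name: Upload preview tarballs to Blob
    runs-on: ubuntu-latest
    # Only successful builds are uploaded. The condition does not look at which
    # event or branch started the triggering run.
    if: github.event.workflow_run.conclusion == 'success'
    # NOTE(review): presumably the blob token is an environment-scoped secret of
    # `preview-builds` -- confirm, and confirm the environment's protection
    # rules match who is allowed to publish previews.
    environment: preview-builds
    steps:
      - name: Setup node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ env.NODE_LTS_VERSION }}
          check-latest: true

      # Checkout from the default branch (canary) -- workflow_run always uses
      # the default branch's version of the workflow file and this checkout
      # matches that, ensuring the upload script is trusted.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.repository.default_branch }}
          fetch-depth: 1
          # No later step in this file runs an authenticated git command, so
          # the job token is not left in .git/config while dependency install
          # scripts and the upload script run.
          persist-credentials: false

      - name: Enable corepack
        run: corepack enable

      - name: Setup pnpm
        run: corepack prepare

      # NOTE(review): a restored cache is an input to a job that later holds
      # the blob write token. Confirm that only trusted default-branch
      # workflows can write an entry under this key.
      - name: Cache dependencies
        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
        with:
          path: ~/.pnpm-store
          key: ${{ runner.os }}-${{ runner.arch }}-pnpm-v2-${{ hashFiles('**/pnpm-lock.yaml') }}
          # Do not use restore-keys since it leads to indefinite growth of the cache.

      # --frozen-lockfile fails the install instead of rewriting the lockfile,
      # so the dependency set is the one committed on the default branch.
      - name: Install node_modules
        run: pnpm install --frozen-lockfile

      # Fetches the artifact of the run that triggered this workflow (run-id),
      # which requires passing a token explicitly. The target directory is
      # under runner.temp, so artifact files cannot replace the checked-out
      # script or anything in node_modules.
      - name: Download preview-tarballs artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: preview-tarballs
          path: ${{ runner.temp }}/preview-tarballs
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}

      # The only step that receives the blob write token. Arguments are passed
      # through environment variables and quoted by the shell rather than being
      # expanded into the command text by the expression engine.
      # NOTE(review): file names and contents inside TARBALL_DIR come from the
      # triggering build; the upload script should validate them before use.
      - name: Upload tarballs to Vercel Blob
        run: node scripts/upload-preview-tarballs.js "$HEAD_SHA" "$TARBALL_DIR"
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          TARBALL_DIR: ${{ runner.temp }}/preview-tarballs
          BLOB_ACCESS: ${{ vars.PREVIEW_BUILDS_ACCESS }}
          BLOB_READ_WRITE_TOKEN: ${{ secrets.PREVIEW_BUILDS_BLOB_READ_WRITE_TOKEN }}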