Run safe CI for external contributors, add /deploy-preview slash command#201
Merged
southpolesteve merged 3 commits intomainfrom Feb 28, 2026
Merged
Run safe CI for external contributors, add /deploy-preview slash command#201southpolesteve merged 3 commits intomainfrom
southpolesteve merged 3 commits intomainfrom
Conversation
Fork PRs don't have access to repository secrets (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID), so deploy/smoke-test/comment steps always fail. Add a fork detection condition to skip these steps gracefully. The build steps still run, so example builds are still validated for fork PRs.
Switch ci.yml from pull_request to pull_request_target so lint, typecheck, vitest, and e2e run automatically for fork PRs without needing approval. No secrets are used, so this is safe with untrusted code. Add a /deploy-preview slash command workflow that lets maintainers trigger deploy previews on fork PRs. Gated by author_association (org members, collaborators, repo owners only). Cloudflare employees who push branches to the main repo continue to get automatic deploy previews via the existing deploy-examples.yml workflow.
commit: |
|
Simpler approach: keep ci.yml on pull_request (first-time contributor approval is fine, avoids cache poisoning concern with pull_request_target). The actual fix: add a job-level if condition to deploy-examples.yml so the entire workflow is skipped for fork PRs. This prevents the noisy failed/skipped deploy checks on external contributor PRs. Update docs in AGENTS.md and README.md to reflect the approach.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
deploy-examples.ymlentirely for fork PRs via a job-levelifcondition. This is the main fix: no more noisy failed/skipped deploy checks on external contributor PRs./deploy-previewslash command workflow (deploy-preview-command.yml) that lets maintainers trigger deploy previews on fork PRs. Gated byauthor_association(org members, collaborators, repo owners).ci.ymlis unchanged. It uses no secrets and runs for all PRs. First-time contributors need one manual approval, then subsequent PRs run automatically.deploy-examples.yml.How it works
/deploy-preview/deploy-preview