Only use pull_request_target for pr preview (#212)

RubenSandwich · web-flow · commit c16c990d4893 · 2025-03-19T11:59:20.000-04:00
diff --git a/.github/workflows/build-pr-preview.yml b/.github/workflows/build-pr-preview.yml
@@ -2,34 +2,62 @@ name: Build Preview
 run-name: 'Build Preview for "${{ github.event.pull_request.title }}" (#${{ github.event.pull_request.number }})'
 
 on:
-  # pull_request_target:
-  #   types: [opened, synchronize]
-  #   branches:
-  #     - main
-  #   paths:
-  #     - 'content/**'
-
-  pull_request:
-    paths:
-      - 'content/**'
-      - 'app/**'
-      - 'scripts/**'
-      - '!scripts/**/*.test.ts'
-      - '!scripts/**/*.test.mjs'
-      - '!app/**/*.test.ts'
+  pull_request_target:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - develop
+  # paths:
+    # Hello Security 👋, we are checking to make sure forked repo PR changed paths are only in content/** inside the job security-check.
+    # We are doing this so we can also reuse this workflow for internal PRs, as pull_request_target also triggers on internal PRs. (As does pull_request)
 
 concurrency:
   group: ${{ github.workflow }}-${{github.event_name}}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
-# permissions:
-#   pull-requests: write
-#   contents: read # for embargoed content repos
+permissions:
+  pull-requests: write
+  contents: read # for embargoed content repos
 
 jobs:
+  get-changed-files:
+    runs-on: ubuntu-latest
+    outputs:
+      changed_content_files: ${{ steps.changed-files.outputs.content_all_changed_files }}
+      changed_content_files_count: ${{ steps.changed-files.outputs.content_all_changed_files_count }}
+
+      not_content_bad_boy_naughty_files_count: ${{ steps.changed-files.outputs.not_content_bad_boy_naughty_all_changed_files_count }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get changed files in the content/ subdirectories
+        id: changed-files
+        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45.0.7
+        with:
+          files_yaml: |
+            content:
+              - 'content/**'
+            not_content_bad_boy_naughty:
+              - '!content/**'
+          base_sha: ${{ github.event.pull_request.base.sha }}
+          sha: ${{ github.event.pull_request.head.sha }}
+
+  security-check:
+    name: Security Check
+    runs-on: ubuntu-latest
+    needs: [get-changed-files]
+    if: needs.get-changed-files.outputs.not_content_bad_boy_naughty_files_count > 0 && ${{ github.event.pull_request.head.repo.full_name }} != ${{ github.repository }}
+    steps:
+      - name: If in a forked repo, fail if any changes outside of content/**
+        run: |
+          echo "😠 This is a PR from a forked repo. Please only edit files in the content/** directory." >> $GITHUB_STEP_SUMMARY
+          exit 1
+
+
   deploy-unified-docs-api-preview:
     name: Deploy Unified Docs API Preview
     runs-on: ubuntu-latest
+    needs: [get-changed-files]
     # Don't rerun this job if the PR is from a forked repo, as pull_request_target will trigger the job first
     # if: github.event.pull_request.head.repo.full_name == github.repository
     outputs:
@@ -218,32 +246,10 @@ jobs:
             | Dev Portal | ✅ Ready ([Inspect](${{ steps.dev_portal_inspector_url.outputs.inspector_url }})) | [Visit Preview](${{ steps.deploy_dev_portal_preview.outputs.preview_url }}) | ${{ steps.deploy_dev_portal_preview.outputs.created_utc }} |
             | Unified Docs API | ✅ Ready ([Inspect](${{ needs.deploy-unified-docs-api-preview.outputs.inspector_url }} )) | [Visit Preview](${{ needs.deploy-unified-docs-api-preview.outputs.preview_url }}) | ${{ needs.deploy-unified-docs-api-preview.outputs.created_utc }} |
 
-  get-changed-files:
-    runs-on: ubuntu-latest
-    needs: [deploy-dev-portal-preview]
-    outputs:
-      changed_files: ${{ steps.changed-files.outputs.all_changed_files }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Get changed files in the content/ subdirectories
-        id: changed-files
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45.0.7
-        with:
-          files: |
-            content/**/*.mdx
-          base_sha: ${{ github.event.pull_request.base.sha }}
-          sha: ${{ github.event.pull_request.head.sha }}
-
-      - name: Print changed files
-        run: |
-          echo "Changed files:"
-          echo ${{ steps.changed-files.outputs.all_changed_files }}
-
   check-links:
     name: check links
     needs: [get-changed-files, deploy-dev-portal-preview]
-    if: needs.get-changed-files.outputs.changed_files != ''
+    if: needs.get-changed-files.outputs.changed_content_files_count > 0
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -252,7 +258,7 @@ jobs:
         id: lychee
         uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
         with:
-          args: ${{ needs.get-changed-files.outputs.changed_files }} -b ${{ needs.deploy-dev-portal-preview.outputs.preview_url }} --exclude-all-private --exclude '\.(svg|gif|jpg|png)' --accept 200,429 --timeout=60 --max-concurrency 24 --no-progress --verbose
+          args: ${{ needs.get-changed-files.outputs.changed_content_files }} -b ${{ needs.deploy-dev-portal-preview.outputs.preview_url }} --exclude-all-private --exclude '\.(svg|gif|jpg|png)' --accept 200,429 --timeout=60 --max-concurrency 24 --no-progress --verbose
           fail: false
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
@@ -295,7 +301,7 @@ jobs:
   skip-check-links:
     name: skip link checker
     needs: [get-changed-files]
-    if: needs.get-changed-files.outputs.changed_files == ''
+    if: needs.get-changed-files.outputs.changed_content_files_count == 0
     runs-on: ubuntu-latest
     steps:
       - name: Update PR comment
