54 changes: 13 additions & 41 deletions .github/workflows/ci.yml
@@ -187,69 +187,40 @@ jobs:
fi

- name: Post deployment comment
if: always()
if: steps.check-affected.outputs.affected == 'true'
uses: ./.github/actions/deployment-comment
with:
project-name: Website
preview-url: https://pr-${{ github.event.pull_request.number }}.pgflow.pages.dev
production-url: https://pgflow.dev
deployment-status: ${{ steps.deploy-website.outcome }}

# ────────────────────────────────── 4. DEPLOY DEMO ───────────────────────────
deploy-demo:
if: false # temporarily disabled
if: github.event_name == 'pull_request'
needs: [build-and-test, edge-worker-e2e]
runs-on: ubuntu-latest
environment: ${{ github.event_name == 'pull_request' && 'preview' || 'production' }}
environment: preview
# environment: ${{ github.event_name == 'pull_request' && 'preview' || 'production' }}
env:
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
Comment on lines +200 to 208
P1: Guard demo deployment from forked PRs lacking secrets

This job now runs for every pull_request, but it immediately depends on repository secrets (NX_CLOUD_ACCESS_TOKEN, CLOUDFLARE_*, DEMO_PREVIEW_*). For PRs opened from forks those secrets are intentionally unavailable, so the workflow will fail before any tests run and block external contributors. Consider gating the job to only run when github.event.pull_request.head.repo.fork == false or similar, or switch to pull_request_target if safe.


VITE_SUPABASE_URL: ${{ github.event_name == 'pull_request' && secrets.DEMO_PREVIEW_SUPABASE_URL || secrets.DEMO_PRODUCTION_SUPABASE_URL }}
VITE_SUPABASE_ANON_KEY: ${{ github.event_name == 'pull_request' && secrets.DEMO_PREVIEW_SUPABASE_ANON_KEY || secrets.DEMO_PRODUCTION_SUPABASE_ANON_KEY }}
VITE_SUPABASE_URL: ${{ secrets.DEMO_PREVIEW_SUPABASE_URL }}
# VITE_SUPABASE_URL: ${{ github.event_name == 'pull_request' && secrets.DEMO_PREVIEW_SUPABASE_URL || secrets.DEMO_PRODUCTION_SUPABASE_URL }}
VITE_SUPABASE_ANON_KEY: ${{ secrets.DEMO_PREVIEW_SUPABASE_ANON_KEY }}
# VITE_SUPABASE_ANON_KEY: ${{ github.event_name == 'pull_request' && secrets.DEMO_PREVIEW_SUPABASE_ANON_KEY || secrets.DEMO_PRODUCTION_SUPABASE_ANON_KEY }}
PREVIEW_NAME: pr-${{ github.event.pull_request.number }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: ./.github/actions/setup

- name: Set Nx base for affected commands
run: |
echo "NX_BASE=origin/main" >> $GITHUB_ENV
echo "NX_HEAD=HEAD" >> $GITHUB_ENV

- name: Verify NX_BASE and NX_HEAD are set
run: echo "BASE=$NX_BASE HEAD=$NX_HEAD"

- name: Validate Supabase environment variables
run: |
if [ -z "$VITE_SUPABASE_URL" ]; then
echo "❌ Error: VITE_SUPABASE_URL is not set"
echo "Required GitHub secret missing: DEMO_${{ github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION' }}_SUPABASE_URL"
exit 1
fi
if [ -z "$VITE_SUPABASE_ANON_KEY" ]; then
echo "❌ Error: VITE_SUPABASE_ANON_KEY is not set"
echo "Required GitHub secret missing: DEMO_${{ github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION' }}_SUPABASE_ANON_KEY"
exit 1
fi
if [[ ! "$VITE_SUPABASE_URL" =~ ^https:// ]]; then
echo "❌ Error: VITE_SUPABASE_URL must use https:// (not http://)"
echo "Current value: $VITE_SUPABASE_URL"
exit 1
fi
echo "✅ Supabase environment variables are valid"

- name: Deploy demo
- name: Deploy demo preview
id: deploy-demo
env:
PREVIEW_NAME: pr-${{ github.event.pull_request.number }}
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
pnpm nx affected -t deploy:preview --projects=demo --base="$NX_BASE" --head="$NX_HEAD"
else
pnpm nx affected -t deploy --projects=demo --base="$NX_BASE" --head="$NX_HEAD"
fi
run: pnpm nx affected -t deploy:preview --base=origin/main --head=HEAD
Comment on lines +221 to +223
P1: Restrict Nx deploy to the demo project only

The Deploy demo preview step now executes pnpm nx affected -t deploy:preview without the previous --projects=demo filter. When the PR touches any other project that also has a deploy:preview target (e.g. the website), Nx will attempt to deploy that project in this job as well, but the job only sets demo-specific environment variables. This can cause the step to fail due to missing secrets or deploy the wrong project. Keep the --projects=demo restriction to limit the job to the intended target.


- name: Post deployment comment
if: success()
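Review bot: Dropping `always()` from the website "Post deployment comment" step (`if: steps.check-affected.outputs.affected == 'true'`) means the step is skipped whenever `deploy-website` fails, so `deployment-status: ${{ steps.deploy-website.outcome }}` can never report a failed deployment; use `if: always() && steps.check-affected.outputs.affected == 'true'` if failures should be surfaced on the PR. Two smaller points in the `deploy-demo` job: the "Validate Supabase environment variables" step still builds its error messages from `github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION'` although the job is now gated to `pull_request` only, so that expression reduces to the literal `PREVIEW`; and the commented-out `# environment:` and `# VITE_SUPABASE_*` production lines are dead configuration that should be removed or tracked in an issue rather than left in the workflow. On the fork question raised in the comment above, prefer the `github.event.pull_request.head.repo.fork == false` gate over switching to `pull_request_target`: that trigger runs with repository secrets and a write-scoped token, so PR-authored code must never be checked out and built under it, whereas the gate keeps the current `pull_request` trust model and simply skips the deploy for forks.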
@@ -258,3 +229,4 @@ jobs:
project-name: Demo
preview-url: https://pr-${{ github.event.pull_request.number }}-pgflow-demo.jumski.workers.dev
production-url: https://demo.pgflow.dev
deployment-status: ${{ steps.deploy-demo.outcome }}
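Review bot: The added `deployment-status: ${{ steps.deploy-demo.outcome }}` can only ever evaluate to `success`, because the step is gated by `if: success()` (unchanged context just above this hunk) and therefore does not run when `deploy-demo` fails; if the comment is meant to report failed demo deployments, gate the step with `if: always()` instead. Note also that `production-url: https://demo.pgflow.dev` is now passed from a job that runs only on `pull_request` with `environment: preview`, so it is informational and no longer reflects a deployment this workflow performs.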