ci: refactor wait-for-vercel-project to use GitHub Deployments API#1861
Merged
TooTallNate merged 4 commits intomainfrom Apr 28, 2026
Merged
ci: refactor wait-for-vercel-project to use GitHub Deployments API#1861TooTallNate merged 4 commits intomainfrom
TooTallNate merged 4 commits intomainfrom
Conversation
Replaces the Vercel SDK / Vercel API token-based implementation with one that resolves the deployment URL via the GitHub Deployments API: - Find the GitHub Deployment for (target SHA, environment) where environment matches the Vercel-app-created "Preview \u2013 <slug>" or "Production \u2013 <slug>" naming pattern. - Wait for the latest deployment status to be `success` (or `inactive` when Vercel skips a duplicate build, in which case its environment_url still points at the live deployment). - Probe the URL to confirm the edge can route to it (any non-5xx response counts as live, including 401/403 from Deployment Protection and 404/405 from the app). Manual redirect handling treats redirects to vercel.com as "still building". - Resolve the dpl_xxx deployment ID from the matching commit status (Vercel posts `Vercel \u2013 <slug>` statuses where target_url's last path segment is the inspector ID == deployment ID without the prefix). Inputs change: project-slug + bypass-secret + github-token (with GITHUB_TOKEN default) replace team-id + project-id + vercel-token. Removes the @vercel/sdk dependency, shrinking the bundled dist from 5.4MB to 829KB. The VERCEL_DOCS_TOKEN secret is no longer referenced anywhere in the repo and can be deleted from GH after this lands.
Contributor
|
Contributor
🧪 E2E Test Results✅ All tests passed Summary
Details by Category✅ ▲ Vercel Production
✅ 💻 Local Development
✅ 📦 Local Production
✅ 🐘 Local Postgres
✅ 🪟 Windows
✅ 📋 Other
|
Contributor
📊 Benchmark Results
workflow with no steps💻 Local Development
workflow with 1 step💻 Local Development
workflow with 10 sequential steps💻 Local Development
workflow with 25 sequential steps💻 Local Development
workflow with 50 sequential steps💻 Local Development
Promise.all with 10 concurrent steps💻 Local Development
Promise.all with 25 concurrent steps💻 Local Development
Promise.all with 50 concurrent steps💻 Local Development
Promise.race with 10 concurrent steps💻 Local Development
Promise.race with 25 concurrent steps💻 Local Development
Promise.race with 50 concurrent steps💻 Local Development
workflow with 10 sequential data payload steps (10KB)💻 Local Development
workflow with 25 sequential data payload steps (10KB)💻 Local Development
workflow with 50 sequential data payload steps (10KB)💻 Local Development
workflow with 10 concurrent data payload steps (10KB)💻 Local Development
workflow with 25 concurrent data payload steps (10KB)💻 Local Development
workflow with 50 concurrent data payload steps (10KB)💻 Local Development
Stream Benchmarks (includes TTFB metrics)workflow with stream💻 Local Development
stream pipeline with 5 transform steps (1MB)💻 Local Development
10 parallel streams (1MB each)💻 Local Development
fan-out fan-in 10 streams (1MB each)💻 Local Development
SummaryFastest Framework by WorldWinner determined by most benchmark wins
Fastest World by FrameworkWinner determined by most benchmark wins
Column Definitions
Worlds:
Check the workflow run for details. |
TooTallNate
requested review from
VaguelySerious,
ijjk,
karthikscale3 and
pranaygp
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
Refactors the internal wait-for-vercel-project GitHub Action to discover and poll Vercel deployments via the GitHub Deployments API (rather than Vercel’s API), simplifying secrets management and reducing the action bundle/deps.
Changes:
- Reworked the action implementation to list GitHub Deployments by
(sha, environment)and poll deployment statuses + probe the environment URL. - Updated CI workflows to pass
project-slug/bypass-secretinstead of Vercel team/project IDs and Vercel API tokens. - Removed
@vercel/sdkfrom the action package dependencies and updated the lockfile accordingly.
Reviewed changes
Copilot reviewed 7 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/tests.yml | Updates action invocation to use project-slug and bypass secret. |
| .github/workflows/benchmarks.yml | Updates action invocation to use project-slug and bypass secret. |
| .github/workflows/docs-checks.yml | Updates action invocation and removes forwarding of the unused docs Vercel token env var. |
| .github/workflows/dispatch-front-workflow-release-pr.yml | Updates docs deployment wait step to use the new action inputs. |
| .github/actions/wait-for-vercel-project/src/wait-for-deployment.ts | Implements GitHub Deployments API polling, readiness probing, and deployment-id resolution from commit statuses. |
| .github/actions/wait-for-vercel-project/action.yml | Updates inputs/outputs documentation for the new mechanism and parameters. |
| .github/actions/wait-for-vercel-project/package.json | Drops @vercel/sdk, updates description, adds @types/node. |
| .github/actions/wait-for-vercel-project/pnpm-lock.yaml | Reflects dependency removals/additions for the action package. |
Files not reviewed (1)
- .github/actions/wait-for-vercel-project/pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The GitHub Deployment status transitions to `success` only after the Vercel app finishes building and routing is live, so an extra HTTP liveness probe of the deployment URL was redundant. Removing it lets us also drop the bypass-secret input \u2014 protected deployments don't need a workaround anymore because we never make the request. Reduces the action surface area and eliminates a runtime fetch.
- Fail loudly when the dpl_xxx deployment ID can't be resolved instead of returning an empty string. Consumers wire this into VERCEL_DEPLOYMENT_ID, which world-target uses to pick between the vercel and local worlds (packages/utils/src/world-target.ts), so an empty value would silently flip execution mode. - Pass the GitHub App token to wait-for-vercel-project in the dispatch release workflow. The job sets `permissions: contents: read`, which blocks the default GITHUB_TOKEN from reading the Deployments API. The App token (already generated for workflow,front) has the necessary scopes.
ijjk
approved these changes
Apr 28, 2026
ijjk
pushed a commit
that referenced
this pull request
Apr 28, 2026
…1861) * ci: refactor wait-for-vercel-project to use GitHub Deployments API Replaces the Vercel SDK / Vercel API token-based implementation with one that resolves the deployment URL via the GitHub Deployments API: - Find the GitHub Deployment for (target SHA, environment) where environment matches the Vercel-app-created "Preview \u2013 <slug>" or "Production \u2013 <slug>" naming pattern. - Wait for the latest deployment status to be `success` (or `inactive` when Vercel skips a duplicate build, in which case its environment_url still points at the live deployment). - Probe the URL to confirm the edge can route to it (any non-5xx response counts as live, including 401/403 from Deployment Protection and 404/405 from the app). Manual redirect handling treats redirects to vercel.com as "still building". - Resolve the dpl_xxx deployment ID from the matching commit status (Vercel posts `Vercel \u2013 <slug>` statuses where target_url's last path segment is the inspector ID == deployment ID without the prefix). Inputs change: project-slug + bypass-secret + github-token (with GITHUB_TOKEN default) replace team-id + project-id + vercel-token. Removes the @vercel/sdk dependency, shrinking the bundled dist from 5.4MB to 829KB. The VERCEL_DOCS_TOKEN secret is no longer referenced anywhere in the repo and can be deleted from GH after this lands. * ci(wait-for-vercel-project): drop URL probe and bypass-secret input The GitHub Deployment status transitions to `success` only after the Vercel app finishes building and routing is live, so an extra HTTP liveness probe of the deployment URL was redundant. Removing it lets us also drop the bypass-secret input \u2014 protected deployments don't need a workaround anymore because we never make the request. Reduces the action surface area and eliminates a runtime fetch. * ci(wait-for-vercel-project): address PR review - Fail loudly when the dpl_xxx deployment ID can't be resolved instead of returning an empty string. Consumers wire this into VERCEL_DEPLOYMENT_ID, which world-target uses to pick between the vercel and local worlds (packages/utils/src/world-target.ts), so an empty value would silently flip execution mode. - Pass the GitHub App token to wait-for-vercel-project in the dispatch release workflow. The job sets `permissions: contents: read`, which blocks the default GITHUB_TOKEN from reading the Deployments API. The App token (already generated for workflow,front) has the necessary scopes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Refactors the
wait-for-vercel-projectcomposite action to discover the deployment via the GitHub Deployments API instead of the Vercel REST API. This drops the per-team Vercel API token requirement (VERCEL_DOCS_TOKENis now unreferenced anywhere in the repo) and shrinks the action's bundleddist/index.jsfrom 5.4MB → 828KB (90K LOC removed) by dropping@vercel/sdk.How it works
(sha, environment)whereenvironmentmatches the Vercel-app-created naming pattern:Preview – <project-slug>orProduction – <project-slug>(em-dash).successandinactiveare both terminal-OK — Vercel emitsinactiveimmediately for skipped duplicate builds, and theenvironment_urlin that case still points at the live previously-deployed URL.dpl_xxxdeployment ID from the matching commit status. Vercel posts aVercel – <project-slug>commit status whosetarget_url's last path segment is the inspector ID — which equals the deployment ID without thedpl_prefix. Action throws if the ID can't be resolved (consumers wire it intoVERCEL_DEPLOYMENT_ID, whichworld-targetuses to pick between the vercel and local worlds — an empty value would silently flip execution mode).The action never makes a request to the deployment URL itself. By the time GitHub's deployment status reaches
success, the Vercel app has already verified the deployment is live and routing is primed. This means there's no readiness probe and no need for a Deployment Protection bypass token in the action.Inputs
team-id(required)project-id(required,prj_xxx)vercel-token(required)project-slug(required)github-token(optional, defaults to${{ github.token }})timeout,check-interval,environmentOutputs (
deployment-url,deployment-id) are unchanged.Testing
Manually verified all three scenarios against real recent commits in this repo:
example-nextjs-workflow-webpack) — resolves URL +dpl_xxxIDdpl_xxxIDinactive(skipped duplicate build) — resolves URL of the still-live previous deploymentCall site changes
All four invocations updated:
.github/workflows/tests.yml— workbench e2e jobs.github/workflows/benchmarks.yml— benchmark jobs.github/workflows/docs-checks.yml— docs smoke checks (also dropped the unusedVERCEL_DOCS_TOKENenv var that was being forwarded intocheck-docs-smoke.mjsdespite never being read).github/workflows/dispatch-front-workflow-release-pr.yml— front release PR dispatch. This workflow has a top-levelpermissions: contents: readblock that would prevent the defaultGITHUB_TOKENfrom reading the Deployments / Statuses APIs, so it explicitly passes the GitHub App token (already generated forworkflow,front) via the newgithub-tokeninput.VERCEL_LABS_TOKENis still used to setWORKFLOW_VERCEL_AUTH_TOKENfor the e2e test runtime, so it stays.VERCEL_DOCS_TOKENis now unreferenced anywhere in the repo and can be deleted from GH after this PR merges.Notes
pnpm changeset statusconfirms).package.jsonnow depends on@types/node@^22.19.0directly instead of the workspacecatalog:entry —pnpm installagainst this package uses--ignore-workspacesince it's outside the workspace root.