feat: add PR website preview via Cloudflare Pages#13

Merged: slemeur merged 1 commit into openkaiden:main from benoitf:pr-preview-cloudflare on Jul 2, 2026

Conversation

@benoitf benoitf commented Jul 1, 2026

Contributor

Summary

  • Add pr-check.yaml workflow that builds the website on non-draft PRs and uploads the build artifact
  • Add publish-website-pr-cloudflare.yaml workflow that deploys the artifact to Cloudflare Pages on successful build
  • Uses the two-workflow pattern (workflow_run) to safely access Cloudflare secrets from fork PRs

Fixes #6

Prerequisites

  • A Cloudflare Pages project named kaiden-website-pr must be created via the Cloudflare dashboard (Direct Upload)

Test plan

  • Create the kaiden-website-pr project in Cloudflare Pages
  • Merge this PR to main
  • Open a test PR and verify pr-check builds successfully
  • Verify publish-website-pr-cloudflare deploys and a "View deployment" link appears on the PR

coderabbitai Bot commented Jul 1, 2026


📝 Walkthrough

Adds two new GitHub Actions workflows: pr-check, which builds the website on pull requests targeting main and uploads build output with PR metadata as an artifact, and publish-website-pr-cloudflare, which downloads that artifact after pr-check succeeds and deploys it to Cloudflare Pages.

Changes

PR Check and Cloudflare Preview Deployment

Layer / File(s): PR check build workflow (.github/workflows/pr-check.yaml)
Summary: New workflow triggers on pull requests to main, sets concurrency/permissions, skips draft PRs, builds on ubuntu-24.04 with Node 24, writes PR_NUMBER/PR_SHA, and uploads build output as the website-content artifact.

Layer / File(s): Cloudflare Pages publish workflow (.github/workflows/publish-website-pr-cloudflare.yaml)
Summary: New workflow triggers on successful workflow_run completion of pr-check, downloads the website-content artifact, and deploys content/build to the kaiden-website-pr Cloudflare Pages project.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Contributor
  participant PrCheck as pr-check workflow
  participant Runner as ubuntu-24.04 runner
  participant Publish as publish-website-pr-cloudflare
  participant Cloudflare as Cloudflare Pages

  Contributor->>PrCheck: open/update pull request
  PrCheck->>Runner: checkout, setup Node 24, npm ci
  Runner->>Runner: npm run build, write PR_NUMBER/PR_SHA
  Runner-->>PrCheck: upload website-content artifact
  PrCheck-->>Publish: workflow_run completed (success)
  Publish->>Publish: download website-content artifact
  Publish->>Cloudflare: deploy content/build to kaiden-website-pr

Related issues: #6 (add PR checks)

Suggested labels: ci, github-actions

Suggested reviewers: none identified

Poem

A rabbit hops through YAML fields so neat,
Building sites with npm, quick and fleet,
Artifacts packed and passed along,
To Cloudflare's stage where previews belong,
Draft PRs skipped, only the real ones greet! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check: Linked Issues check
Status: ⚠️ Warning
Explanation: Issue #6 also asks for an approval-request step, but the PR only adds build checks and preview deployment workflows.
Resolution: Add the approval-request mechanism for merge gating, or clarify that this requirement is handled elsewhere.

✅ Passed checks (4 passed)

Title check (✅ Passed): The title clearly summarizes the main change: PR website preview support via Cloudflare Pages.
Description check (✅ Passed): The description is directly related to the added build and Cloudflare preview workflows.
Out of Scope Changes check (✅ Passed): The added workflows align with the PR preview/build-check goal and do not introduce unrelated changes.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@benoitf force-pushed the pr-preview-cloudflare branch from ab075e0 to e449162 (July 1, 2026 20:24)
Add two workflows to enable website preview deployments for pull requests:
- pr-check.yaml: builds the website on PRs and uploads the artifact
- publish-website-pr-cloudflare.yaml: deploys the artifact to Cloudflare Pages

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: Florent Benoit <[email protected]>
@benoitf force-pushed the pr-preview-cloudflare branch from 4e2d839 to d73fa42 (July 1, 2026 20:43)
benoitf commented Jul 2, 2026

Contributor Author

@coderabbitai review

coderabbitai Bot commented Jul 2, 2026

Action performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (4)
.github/workflows/pr-check.yaml (2)

33-52: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider adding timeout-minutes to the build job.

Without an explicit timeout, a hung npm ci/npm run build step could occupy the runner up to the default 360-minute limit, wasting Actions minutes and delaying PR feedback.

⏱️ Suggested fix
   website-build:
     if: ${{ !github.event.pull_request.draft }}
     name: Build website
     runs-on: ubuntu-24.04
+    timeout-minutes: 15
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-check.yaml around lines 33 - 52, The website-build job
in pr-check.yaml needs an explicit timeout to prevent a hung npm ci or npm run
build step from consuming the runner for too long. Add a timeout-minutes setting
on the website-build job itself so the workflow fails fast on stalled builds
while keeping the existing Checkout, Setup Node, Install dependencies, and Build
steps unchanged.

39-40: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Harden checkout: disable credential persistence.

Static analysis flags this checkout as not setting persist-credentials: false. Practical risk here is low since only build, PR_NUMBER, and PR_SHA are uploaded (not the checked-out repo), but disabling persistence is a cheap defense-in-depth measure against future changes accidentally exposing the token via subsequent steps or artifacts.

🔒 Suggested fix
       - name: Checkout
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
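Review bot: persist-credentials: false is safe for this job only because none of the steps after Checkout use the token through git; Setup Node, npm ci, npm run build and the artifact upload all work on the checked-out tree without it. Anyone later adding a step that pushes, tags, or fetches a private dependency over git will have to hand that step a token explicitly, so the `with:` block is worth a one-line comment saying why persistence is off.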
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-check.yaml around lines 39 - 40, The Checkout step in
the workflow is persisting GitHub credentials by default; update the
actions/checkout usage to explicitly disable credential persistence. Modify the
Checkout step in the pr-check workflow so it sets persist-credentials to false
on actions/checkout, keeping the hardening local to that step and preventing the
token from being available to later steps.

Source: Linters/SAST tools

.github/workflows/publish-website-pr-cloudflare.yaml (2)

32-36: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider adding timeout-minutes to the publish job.

Same rationale as the build job: an unbounded artifact-download or deploy step could hang, tying up secrets-bearing runner time.

⏱️ Suggested fix
   publish:
     name: Publish website preview on Cloudflare Pages
     runs-on: ubuntu-24.04
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    timeout-minutes: 10
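Review bot: the job-level `if` here only tests workflow_run.conclusion, so any successful run of pr-check, whatever event started it, reaches the secrets-bearing deploy step. pr-check is currently limited to pull requests targeting main, but adding `github.event.workflow_run.event == 'pull_request'` next to the conclusion check keeps a future push or manual trigger of pr-check from publishing to the kaiden-website-pr project.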
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-website-pr-cloudflare.yaml around lines 32 - 36,
The publish job in the Cloudflare Pages workflow is missing a timeout, so a
stalled artifact download or deploy can run indefinitely; add a timeout to the
publish job definition in the publish job block so the workflow terminates
safely, using the existing publish job identifier and its deploy steps as the
place to update.

27-30: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

contents: read appears unused.

The job never checks out the repository — it only downloads an artifact and deploys via the Cloudflare action. contents: read could likely be dropped for tighter least-privilege scoping.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-website-pr-cloudflare.yaml around lines 27 - 30,
The publish-website-pr-cloudflare workflow is granting an unnecessary contents:
read permission even though the job only downloads an artifact and deploys with
the Cloudflare action. Remove contents: read from the permissions block and keep
only the permissions actually needed by the job, using the workflow name and
deploy step as the place to verify the reduced scope.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 19adca3f-68f0-4c6d-a913-2ed4b5cc7aae

📥 Commits

Reviewing files that changed from the base of the PR and between d00043b and d73fa42.

📒 Files selected for processing (2)
  • .github/workflows/pr-check.yaml
  • .github/workflows/publish-website-pr-cloudflare.yaml

coderabbitai Bot commented Jul 2, 2026


Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@slemeur slemeur left a comment

Collaborator

LGTM

@slemeur slemeur merged commit 581ce4c into openkaiden:main Jul 2, 2026
4 checks passed