feat: add PR website preview via Cloudflare Pages #13
Walkthrough: Adds two new GitHub Actions workflows: PR Check and Cloudflare Preview Deployment.
Estimated code review effort: 2 (Simple) | ~10 minutes
Sequence diagram:
```mermaid
sequenceDiagram
    participant Contributor
    participant PrCheck as pr-check workflow
    participant Runner as ubuntu-24.04 runner
    participant Publish as publish-website-pr-cloudflare
    participant Cloudflare as Cloudflare Pages
    Contributor->>PrCheck: open/update pull request
    PrCheck->>Runner: checkout, setup Node 24, npm ci
    Runner->>Runner: npm run build, write PR_NUMBER/PR_SHA
    Runner-->>PrCheck: upload website-content artifact
    PrCheck-->>Publish: workflow_run completed (success)
    Publish->>Publish: download website-content artifact
    Publish->>Cloudflare: deploy content/build to kaiden-website-pr
```
Related issues: none listed
Suggested labels: ci, github-actions
Suggested reviewers: none identified
Pre-merge checks: 4 passed, 1 failed (1 warning)
Add two workflows to enable website preview deployments for pull requests:
- pr-check.yaml: builds the website on PRs and uploads the artifact
- publish-website-pr-cloudflare.yaml: deploys the artifact to Cloudflare Pages

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: Florent Benoit <[email protected]>
@coderabbitai review

Action performed: Review triggered.
🧹 Nitpick comments (4)
.github/workflows/pr-check.yaml (2)
33-52: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win
Consider adding `timeout-minutes` to the build job.
Without an explicit timeout, a hung `npm ci`/`npm run build` step could occupy the runner up to the default 360-minute limit, wasting Actions minutes and delaying PR feedback.
⏱️ Suggested fix
```diff
  website-build:
    if: ${{ !github.event.pull_request.draft }}
    name: Build website
    runs-on: ubuntu-24.04
+   timeout-minutes: 15
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-check.yaml around lines 33 - 52, the website-build job in pr-check.yaml needs an explicit timeout to prevent a hung npm ci or npm run build step from consuming the runner for too long. Add a timeout-minutes setting on the website-build job itself so the workflow fails fast on stalled builds while keeping the existing Checkout, Setup Node, Install dependencies, and Build steps unchanged.
39-40: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Harden checkout: disable credential persistence.
Static analysis flags this checkout as not setting `persist-credentials: false`. Practical risk here is low since only `build`, `PR_NUMBER`, and `PR_SHA` are uploaded (not the checked-out repo), but disabling persistence is a cheap defense-in-depth measure against future changes accidentally exposing the token via subsequent steps or artifacts.
🔒 Suggested fix
```diff
  - name: Checkout
    uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+   with:
+     persist-credentials: false
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-check.yaml around lines 39 - 40, the Checkout step in the workflow is persisting GitHub credentials by default; update the actions/checkout usage to explicitly disable credential persistence. Modify the Checkout step in the pr-check workflow so it sets persist-credentials to false on actions/checkout, keeping the hardening local to that step and preventing the token from being available to later steps.
Source: Linters/SAST tools
.github/workflows/publish-website-pr-cloudflare.yaml (2)
32-36: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win
Consider adding `timeout-minutes` to the publish job.
Same rationale as the build job: an unbounded artifact-download or deploy step could hang, tying up secrets-bearing runner time.
⏱️ Suggested fix
```diff
  publish:
    name: Publish website preview on Cloudflare Pages
    runs-on: ubuntu-24.04
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+   timeout-minutes: 10
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-website-pr-cloudflare.yaml around lines 32 - 36, the publish job in the Cloudflare Pages workflow is missing a timeout, so a stalled artifact download or deploy can run indefinitely; add a timeout to the publish job definition in the publish job block so the workflow terminates safely, using the existing publish job identifier and its deploy steps as the place to update.
27-30: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value
`contents: read` appears unused.
The job never checks out the repository; it only downloads an artifact and deploys via the Cloudflare action. `contents: read` could likely be dropped for tighter least-privilege scoping.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-website-pr-cloudflare.yaml around lines 27 - 30, the publish-website-pr-cloudflare workflow is granting an unnecessary contents: read permission even though the job only downloads an artifact and deploys with the Cloudflare action. Remove contents: read from the permissions block and keep only the permissions actually needed by the job, using the workflow name and deploy step as the place to verify the reduced scope.
Files selected for processing (2):
- .github/workflows/pr-check.yaml
- .github/workflows/publish-website-pr-cloudflare.yaml
Summary
- `pr-check.yaml` workflow that builds the website on non-draft PRs and uploads the build artifact
- `publish-website-pr-cloudflare.yaml` workflow that deploys the artifact to Cloudflare Pages on successful build
- … (`workflow_run`) to safely access Cloudflare secrets from fork PRs

Fixes #6

Prerequisites
- `kaiden-website-pr` must be created via the Cloudflare dashboard (Direct Upload)

Test plan
- `kaiden-website-pr` project in Cloudflare Pages
- `main`
- `pr-check` builds successfully
- `publish-website-pr-cloudflare` deploys and a "View deployment" link appears on the PR
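The two-workflow split described in the summary, written out as an added example (not the PR's own files) with the review's hardening applied: job timeouts, `persist-credentials: false` on checkout, and `contents: read` dropped from the publish job. The deploy action (`cloudflare/wrangler-action`), its inputs, the secret names and the `@v4`/`@v3` tags are assumptions; the original pins actions to commit SHAs.

```yaml
# pr-check.yaml (added example): runs in the PR's own context with no
# secrets, so untrusted fork code is only ever built here, never deployed.
name: pr-check
on: [pull_request]
jobs:
  website-build:
    if: ${{ !github.event.pull_request.draft }}
    runs-on: ubuntu-24.04
    timeout-minutes: 15              # review nit: fail fast on a hung build
    steps:
      - uses: actions/checkout@v4    # assumed tag; pin to a commit SHA
        with:
          persist-credentials: false # review nit: keep token out of .git/config
      - uses: actions/setup-node@v4
        with: { node-version: 24 }
      - run: npm ci && npm run build
      - env:                         # metadata for the publish workflow
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_SHA: ${{ github.event.pull_request.head.sha }}
        run: printf '%s' "$PR_NUMBER" > PR_NUMBER; printf '%s' "$PR_SHA" > PR_SHA
      - uses: actions/upload-artifact@v4
        with:
          name: website-content
          path: |
            build
            PR_NUMBER
            PR_SHA
---
# publish-website-pr-cloudflare.yaml (added example): runs in the base repo's
# context via workflow_run, so secrets are available even for fork PRs.
name: publish-website-pr-cloudflare
on: { workflow_run: { workflows: [pr-check], types: [completed] } }
jobs:
  publish:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-24.04
    timeout-minutes: 10              # review nit: bound secrets-bearing runtime
    permissions:                     # no contents: read, nothing is checked out
      actions: read                  # only needed to fetch the other run's artifact
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: website-content
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: cloudflare/wrangler-action@v3          # assumed deploy action
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}   # assumed secret names
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy build --project-name=kaiden-website-pr
```

Because the untrusted build job writes `PR_NUMBER` and `PR_SHA`, the publish job should treat their contents as attacker-influenced and validate them (for example, check that `PR_NUMBER` is numeric and that the PR's current head matches `PR_SHA`) before using them to post a deployment link.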