I've seen this a few times. Most recently, when I pushed to PR #147, the "Preview" job failed here, with an apparent permissions error[^1]. It really confused me at first that we were deploying for each PR, but this does seem to be intentional. It looks like preview.yml deploys the HTML artifacts to a a directory based on the PR number, so we're not clobbering the tip-of-tree build like I was afraid of. Still, the undesirable effect is that PRs from users without write access are guaranteed to fail CI.
Maybe we should just convert the "Preview" job to a "Validate" job and skip the deployment to the gh-pages branch? Pushes to main should still be covered by build.yml.
As for the little "preview" links that get edited into PR descriptions — those actually come from the "pr-preview" bot[^2] and the previews are hosted on AWS. I think it's completely distinct from the preview.yml.
[^1]: For posterity, here's the error message:
$ git push --force-with-lease origin "gh-pages"
remote: Permission to patcg-individual-drafts/private-aggregation-api.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/patcg-individual-drafts/private-aggregation-api.git/': The requested URL returned error: 403
{
message: 'Command `git push --force-with-lease origin "gh-pages"` failed with exit code: 128.',
stdout: '',
stderr: 'remote: Permission to patcg-individual-drafts/private-aggregation-api.git denied to github-actions[bot].\n' +
"fatal: unable to access 'https://github.com/patcg-individual-drafts/private-aggregation-api.git/': The requested URL returned error: 403",
code: 128
}
I've seen this a few times. Most recently, when I pushed to PR #147, the "Preview" job failed here, with an apparent permissions error[^1]. It really confused me at first that we were deploying for each PR, but this does seem to be intentional. It looks like preview.yml deploys the HTML artifacts to a a directory based on the PR number, so we're not clobbering the tip-of-tree build like I was afraid of. Still, the undesirable effect is that PRs from users without write access are guaranteed to fail CI.
Maybe we should just convert the "Preview" job to a "Validate" job and skip the deployment to the
gh-pages
branch? Pushes tomain
should still be covered by build.yml.As for the little "preview" links that get edited into PR descriptions — those actually come from the "pr-preview" bot[^2] and the previews are hosted on AWS. I think it's completely distinct from the preview.yml.
[^1]: For posterity, here's the error message:
[^2]: