Closed scottyhq closed 3 months ago
I'll take a look on Monday. Thanks!
I just recalled that I don't think the preview ever worked for PRs coming from forks, because those workflows have a blank SURGE_TOKEN.
I think it's great to be able to preview content coming from forks. I don't know if there is a better state of the art these days, but this is the approach we take for hackweek websites to accomplish this (basically anyone with repo admin permission adds a label to grant access to the token):
```yaml
on:
  pull_request_target:
    types: [labeled, synchronize]
jobs:
  add-preview:
    runs-on: ubuntu-latest
    # This workflow accesses secrets and checks out a PR, so only run if labelled
    # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
    if: contains(github.event.pull_request.labels.*.name, 'preview')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
```
Helpful discussion here about various options:
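Added example, not part of the thread or of any project mentioned in it: a small text-based lint for the label-gated `pull_request_target` pattern quoted above, flagging the cases where fork code runs with secrets without a fresh review. The function name, finding codes and the embedded sample are assumptions made for illustration, and the checks are line-oriented heuristics rather than a full YAML parse.

```python
import re

# Constructed sample: the label-gated preview workflow quoted in the thread.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [labeled, synchronize]
jobs:
  add-preview:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'preview')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

def audit_workflow(text):
    """Return a list of (code, message) findings for one workflow file's text."""
    findings = []
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return findings  # plain pull_request runs from forks are not given secrets
    checks_out_pr = re.search(
        r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}", text)
    if not checks_out_pr:
        return findings  # no explicit checkout of the PR head found
    label_gate = re.search(
        r"^\s*if:.*contains\(\s*github\.event\.pull_request\.labels\.\*\.name", text, re.M)
    if not label_gate:
        findings.append(("NO_GATE", "PR head is checked out with secrets and no label gate"))
    types = re.search(r"^\s*types:\s*\[([^\]]*)\]", text, re.M)
    events = [t.strip() for t in types.group(1).split(",")] if types else []
    # With no types list, pull_request_target defaults include synchronize.
    if label_gate and (not types or "synchronize" in events):
        findings.append(("STALE_LABEL",
            "label stays on the PR, so pushes made after review re-run with secrets"))
    if not re.search(r"persist-credentials:\s*false", text):
        findings.append(("TOKEN_PERSISTED",
            "checkout keeps its token for later git commands (persist-credentials default)"))
    return findings

if __name__ == "__main__":
    for code, message in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{code}: {message}")
```

Triggering on `labeled` only, or removing the label at the end of each run, means every new push from the fork needs a maintainer to re-apply the label before secrets are exposed again.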
I think closed by #260, see https://github.com/afc163/surge-preview/pull/294 and related discussion.
Sometimes the workflow still fails with only a Warning rather than an error code:
Unable to get the PR number with API search: HttpError: You have exceeded a secondary rate limit. Please wait a few minutes before you try again.
Waiting a few minutes and 're-run all jobs' seems to sort things out.
https://github.com/xarray-contrib/xarray-tutorial/actions/runs/9135494118/job/25122893778
I'm guessing the TOKEN from last year just expired at some point. cc @lsetiawan
Might need some minor changes to the workflow (https://github.com/afc163/surge-preview/issues/255)