Merge branch 'master' into fix-templates-location

nobu · web-flow · commit dfffac650dcf · 2025-07-03T09:12:39.000+09:00
diff --git a/.github/workflows/cloudflare-preview.yml b/.github/workflows/cloudflare-preview.yml
@@ -1,129 +1,64 @@
-name: Cloudflare Pages Preview Deployment
+name: Build and Deploy Cloudflare Preview
 
 on:
-  # Runs automatically for PRs from ruby/rdoc
-  # Fork PRs will be filtered out by the if condition
-  pull_request:
+  repository_dispatch:
+    types: [pr-preview-deploy]
 
-  # Allows manual triggering for fork PRs
-  workflow_dispatch:
-    inputs:
-      pull_request_number:
-        description: 'Pull Request Number (for fork PRs)'
-        required: true
-        type: string
+permissions:
+  pull-requests: write # To allow commenting on the PR
 
 jobs:
-  deploy-preview:
+  build-deploy-and-comment:
+    name: Build, Deploy, and Comment
     runs-on: ubuntu-latest
-    # Skip if PR from fork and NOT manually triggered
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == 'ruby/rdoc' }}
-
     steps:
-      - name: Checkout for PR from main repo
-        if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-
-      # For fork PRs that are manually triggered, we need to get the PR details first
-      - name: Get PR details for fork
-        if: ${{ github.event_name == 'workflow_dispatch' }}
-        id: pr_details
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prNumber = ${{ inputs.pull_request_number }};
-
-            // Get PR details to find the head SHA
-            const { data: pr } = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: prNumber
-            });
-
-            console.log(`Fork PR head SHA: ${pr.head.sha}`);
-            console.log(`Fork PR head ref: ${pr.head.ref}`);
-            console.log(`Fork PR repo: ${pr.head.repo.full_name}`);
-
-            // Set outputs for checkout step
-            core.setOutput('head_sha', pr.head.sha);
-            core.setOutput('head_ref', pr.head.ref);
-            core.setOutput('repo_full_name', pr.head.repo.full_name);
-
-      - name: Checkout for manually triggered fork PR
-        if: ${{ github.event_name == 'workflow_dispatch' }}
+      - name: Checkout PR Code
         uses: actions/checkout@v4
         with:
-          ref: ${{ steps.pr_details.outputs.head_sha }}
-          repository: ${{ steps.pr_details.outputs.repo_full_name }}
+          repository: ${{ github.event.client_payload.pr_checkout_repository }}
+          ref: ${{ github.event.client_payload.pr_head_sha }}
 
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.4'
           bundler-cache: true
 
-      - name: Install dependencies
-        run: bundle install
-
       - name: Build site
         run: bundle exec rake rdoc
 
-      - name: Set PR Number
-        id: pr_number
-        run: |
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
-          else
-            echo "PR_NUMBER=${{ inputs.pull_request_number }}" >> $GITHUB_ENV
-          fi
-
-      # Deploy to Cloudflare Pages using wrangler-action
       - name: Deploy to Cloudflare Pages
         id: deploy
         uses: cloudflare/wrangler-action@v3
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          command: pages deploy ./_site --project-name=rdoc --branch="${{ env.PR_NUMBER }}-preview"
+          command: pages deploy ./_site --project-name=rdoc --branch="${{ github.event.client_payload.pr_number }}-preview"
 
-      # Comment on PR with preview URL - works for both regular PRs and fork PRs
       - name: Comment on PR with preview URL
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.MATZBOT_GITHUB_TOKEN }}
           script: |
-            const prNumber = ${{ env.PR_NUMBER }};
+            const prNumber = ${{ github.event.client_payload.pr_number }};
             const url = "${{ steps.deploy.outputs.deployment-url }}";
             const commentMarker = "🚀 Preview deployment available at:";
+            const commitSha = '${{ github.event.client_payload.pr_head_sha }}';
 
-            // Get commit SHA based on event type
-            let commitSha;
-            if ('${{ github.event_name }}' === 'pull_request') {
-              commitSha = '${{ github.event.pull_request.head.sha }}';
-            } else {
-              // For workflow_dispatch, get the SHA from the PR details
-              commitSha = '${{ steps.pr_details.outputs.head_sha }}';
-            }
-
-            // Get all comments on the PR
             const comments = await github.rest.issues.listComments({
               issue_number: prNumber,
               owner: context.repo.owner,
               repo: context.repo.repo,
               per_page: 100
             });
 
-            // Look for our previous bot comment
             const existingComment = comments.data.find(comment =>
               comment.body.includes(commentMarker)
             );
 
             const commentBody = `${commentMarker} [${url}](${url}) (commit: ${commitSha})`;
 
             if (existingComment) {
-              // Update existing comment
               await github.rest.issues.updateComment({
                 comment_id: existingComment.id,
                 owner: context.repo.owner,
@@ -132,12 +67,11 @@ jobs:
               });
               console.log("Updated existing preview comment");
             } else {
-              // Create new comment
               await github.rest.issues.createComment({
                 issue_number: prNumber,
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 body: commentBody
               });
               console.log("Created new preview comment");
-            }
+            }
diff --git a/.github/workflows/fork-preview-deploy.yml b/.github/workflows/fork-preview-deploy.yml
@@ -0,0 +1,66 @@
+name: Dispatch Fork PR Preview Deployment
+
+on:
+  workflow_run:
+    workflows: ["PR Preview Check"]
+    types: [completed]
+
+jobs:
+  deploy-fork:
+    name: Trigger Preview Build and Deploy (Fork)
+    runs-on: ubuntu-latest
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Download PR information
+        uses: actions/download-artifact@v4
+        with:
+          name: pr
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+          
+      - name: Read PR information and trigger deployment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            
+            // Check if this was a fork PR by checking if approve-fork job ran
+            const jobs = await github.rest.actions.listJobsForWorkflowRun({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.payload.workflow_run.id,
+            });
+
+            const approveJob = jobs.data.jobs.find(job => job.name === 'Approve Fork PR');
+            if (!approveJob || approveJob.conclusion !== 'success') {
+              core.setFailed('Not a fork PR approval workflow run');
+              return;
+            }
+            
+            // Read PR information from artifacts
+            let prNumber, prHeadSha, prCheckoutRepo;
+            try {
+              prNumber = fs.readFileSync('./pr_number', 'utf8').trim();
+              prHeadSha = fs.readFileSync('./pr_head_sha', 'utf8').trim();
+              prCheckoutRepo = fs.readFileSync('./pr_checkout_repository', 'utf8').trim();
+            } catch (error) {
+              core.setFailed(`Failed to read PR information: ${error.message}`);
+              return;
+            }
+
+            console.log(`Deploying approved fork PR #${prNumber}`);
+
+            // Trigger deployment via repository dispatch
+            await github.rest.repos.createDispatchEvent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              event_type: 'pr-preview-deploy',
+              client_payload: {
+                pr_number: prNumber,
+                pr_head_sha: prHeadSha,
+                pr_checkout_repository: prCheckoutRepo,
+                is_fork: 'true'
+              }
+            });
diff --git a/.github/workflows/pr-preview-check.yml b/.github/workflows/pr-preview-check.yml
@@ -0,0 +1,51 @@
+name: PR Preview Check
+
+on:
+  pull_request:
+
+jobs:
+  # Deploy main repo PRs directly
+  deploy-for-main:
+    name: Trigger Preview Build and Deploy (Main Repo)
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.head.repo.fork == false
+    steps:
+      - name: Trigger preview deployment
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.repos.createDispatchEvent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              event_type: 'pr-preview-deploy',
+              client_payload: {
+                pr_number: '${{ github.event.pull_request.number }}',
+                pr_head_sha: '${{ github.event.pull_request.head.sha }}',
+                pr_checkout_repository: '${{ github.repository }}',
+                is_fork: 'false'
+              }
+            });
+            console.log('Triggered main repo preview deployment');
+
+  # Approval gate for fork PRs
+  approve-for-fork:
+    name: Approve Fork PR
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.head.repo.fork == true
+    environment: fork-preview-protection
+    steps:
+      - name: Save PR information
+        run: |
+          echo "Fork PR #${{ github.event.pull_request.number }} approved for preview deployment"
+          mkdir -p ./pr
+          echo "${{ github.event.pull_request.number }}" > ./pr/pr_number
+          echo "${{ github.event.pull_request.head.sha }}" > ./pr/pr_head_sha
+          echo "${{ github.event.pull_request.head.repo.full_name }}" > ./pr/pr_checkout_repository
+      
+      - name: Upload PR information
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr
+          path: pr/
+          retention-days: 1
diff --git a/.github/workflows/pr-preview-comment.yml b/.github/workflows/pr-preview-comment.yml
diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 
