Merge pull request #2042 from gsmet/secure-preview-workflow

Improve security of our preview workflow
quarkusio · Jul 11, 2024 · 4ad00a7 · 4ad00a7
2 parents 1875512 + f71d0cd
commit 4ad00a7
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
@@ -9,23 +9,34 @@ on:
 jobs:
   preview:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      # this should be enough to maintain comments as commenting on pull requests is done through an issues API
+      issues: write
+      pull-requests: read
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Download PR Artifact
-      uses: dawidd6/action-download-artifact@v5
+      uses: actions/download-artifact@v4
       with:
-        workflow: ${{ github.event.workflow_run.workflow_id }}
-        run_id: ${{ github.event.workflow_run.id }}
-        workflow_conclusion: success
+        run-id: ${{ github.event.workflow_run.id }}
         name: site
+        github-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Store PR id as variable
       id: pr
       run: |
-        echo "id=$(<pr-id.txt)" >> $GITHUB_OUTPUT
+        pr=$(<pr-id.txt)
+        if ! [[ $pr =~ ^[0-9]+$ ]] ; then
+          echo "PR id extracted from pr-id.txt is not a number: $pr"
+          exit 1
+        fi
+        echo "id=${pr}" >> $GITHUB_OUTPUT
         rm -f pr-id.txt
     - name: Publishing to surge for preview
       id: deploy
-      run: npx surge ./ --domain https://quarkus-site-pr-${{  steps.pr.outputs.id }}-preview.surge.sh --token ${{ secrets.SURGE_TOKEN }}
+      run: npx surge ./ --domain https://quarkus-site-pr-${PR_ID}-preview.surge.sh --token ${{ secrets.SURGE_TOKEN }}
+      env:
+        PR_ID: ${{  steps.pr.outputs.id }}
     - name: Update PR status comment on success
       uses: actions-cool/maintain-one-comment@v3.2.0
       with: