After the [recent supply chain attack](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup) in `tj-actions/changed-files` and actions based on it, it's become clear that relying on git tags to pin our dependencies is not enough (as tags can simply be replaced). Therefore we need to switch to hashes. Dependabot should continue to update these dependencies for us. Best reviewed commit-by-commit. Though if CI passes, we're *probably* fine.
---
# Publishes the documentation preview built for a pull request to Netlify.
#
# Security context: this workflow is started by `workflow_run` and reads
# repository secrets (the Netlify token and site id below), while the `book`
# artifact it downloads comes from the run that a pull request triggered.
# Treat that artifact as untrusted data: upload it, never execute or source
# anything from it in this job.
#
# NOTE(review): this file declares no `permissions:` key, so the job token
# gets the repository/organisation default. Consider an explicit
# least-privilege block once the scopes the two actions need are confirmed.
name: 'Deploy documentation PR preview'

on:
  workflow_run:
    workflows:
      - 'Prepare documentation PR preview'
    types: [completed]

jobs:
  netlify:
    # Only deploy for successful upstream runs that were started by a PR.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # The stock 'download artifact' action has not been updated for
      # workflow_run-triggered workflows
      # (https://github.com/actions/download-artifact/issues/60),
      # hence this third-party action.
      #
      # Third-party actions are pinned to a full commit SHA because a tag can
      # be moved to different code; the trailing comment records the tag the
      # SHA corresponds to.
      - name: '📥 Download artifact'
        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
        with:
          workflow: 'docs-pr.yaml'
          # Fetch from the exact run that triggered this workflow.
          run_id: '${{ github.event.workflow_run.id }}'
          name: 'book'
          path: 'book'

      # owner, branch and revision describe the pull request's head and are
      # chosen by the PR author. They are handed over as action inputs only;
      # keep it that way and do not interpolate them into a `run:` script.
      - name: '📤 Deploy to Netlify'
        uses: matrix-org/netlify-pr-preview@9805cd123fc9a7e421e35340a05e1ebc5dee46b5 # v3
        with:
          path: 'book'
          owner: '${{ github.event.workflow_run.head_repository.owner.login }}'
          branch: '${{ github.event.workflow_run.head_branch }}'
          revision: '${{ github.event.workflow_run.head_sha }}'
          token: '${{ secrets.NETLIFY_AUTH_TOKEN }}'
          site_id: '${{ secrets.NETLIFY_SITE_ID }}'
          desc: 'Documentation preview'
          deployment_env: 'PR Documentation Preview'