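# This workflow uploads preview tarballs to Vercel Blob after build-and-deploy
# completes. It uses workflow_run so it always executes the DEFAULT BRANCH
# version of this file -- an attacker who modifies this file on a feature branch
# cannot change the code that touches the blob write token.
#
# Trust boundary: only the CODE (this file and the checked-out upload script) is
# trusted. The `preview-tarballs` artifact is produced by the triggering
# build-and-deploy run, which may have been started by a pull request from a
# fork, so its contents are attacker-influenced data. scripts/upload-preview-tarballs.js
# must treat the downloaded directory as untrusted input (no path traversal out
# of the artifact directory, no executing anything from it, size limits as needed).
name: upload-preview-tarballs

on:
  workflow_run:
    workflows: ['build-and-deploy']
    types: [completed]

env:
  # Quoted so YAML never reinterprets a version string as a number.
  NODE_LTS_VERSION: '20'

# Least privilege: `actions: read` is needed to download an artifact from
# another run, `contents: read` for the checkout. Nothing here needs write.
permissions:
  actions: read
  contents: read

jobs:
  upload:
    name: Upload preview tarballs to Blob
    runs-on: ubuntu-latest
    # Only the conclusion is checked -- there is no filter on
    # github.event.workflow_run.event or head_repository, so successful runs
    # triggered from fork PRs also reach this job. That is presumably intended
    # for preview builds; tighten here if previews should only come from
    # trusted sources.
    if: github.event.workflow_run.conclusion == 'success'
    # The blob token is scoped to this environment; protection rules (required
    # reviewers, branch restrictions) for it are configured in repo settings.
    environment: preview-builds
    steps:
      # NOTE(review): these three actions are pinned by mutable tag while
      # download-artifact below is pinned by commit SHA. A moved tag runs
      # arbitrary code with access to this job's secrets; pin all of them to a
      # full commit SHA (with a version comment) for consistency.
      - name: Setup node
        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_LTS_VERSION }}
          check-latest: true

      # Checkout from the default branch (canary) -- workflow_run always uses
      # the default branch's version of the workflow file and this checkout
      # matches that, ensuring the upload script is trusted. Do NOT check out
      # workflow_run.head_sha here: that would run PR-controlled code.
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.repository.default_branch }}
          fetch-depth: 1

      - name: Enable corepack
        run: corepack enable

      - name: Setup pnpm
        run: corepack prepare

      - name: Cache dependencies
        uses: actions/cache@v3
        with:
          path: ~/.pnpm-store
          key: ${{ runner.os }}-${{ runner.arch }}-pnpm-v2-${{ hashFiles('**/pnpm-lock.yaml') }}
          # Do not use restore-keys since it leads to indefinite growth of the cache.

      - name: Install node_modules
        # --frozen-lockfile: fail rather than silently resolve to a different
        # dependency tree than the committed lockfile.
        run: pnpm install --frozen-lockfile

      # Cross-run download needs a token plus the explicit run-id of the
      # triggering run. The artifact body is untrusted (see header).
      - name: Download preview-tarballs artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: preview-tarballs
          path: ${{ runner.temp }}/preview-tarballs
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}

      # Event data is passed through environment variables instead of being
      # interpolated into the shell command with ${{ }}. head_sha is a hex
      # digest today, but the env-var pattern is what keeps a future change to
      # another workflow_run field (e.g. head_branch) from becoming a shell
      # injection into a step that holds the blob write token.
      - name: Upload tarballs to Vercel Blob
        run: node scripts/upload-preview-tarballs.js "$HEAD_SHA" "$RUNNER_TEMP/preview-tarballs"
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          BLOB_ACCESS: ${{ vars.PREVIEW_BUILDS_ACCESS }}
          BLOB_READ_WRITE_TOKEN: ${{ secrets.PREVIEW_BUILDS_BLOB_READ_WRITE_TOKEN }}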