Split workflows based on permissions (#414)

Mad-Kat · web-flow · commit 321e44fbc7ae · 2025-09-24T12:27:48.000+02:00
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
@@ -4,6 +4,8 @@ on:
     branches-ignore: ["changeset-release/main"]
   push:
     branches: ["main"]
+  workflow_dispatch:
+
 permissions:
   contents: read
 
@@ -20,11 +22,9 @@ jobs:
           node-version: 22
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
+          targets: wasm32-wasip1
       - name: Enable caching
         uses: Swatinem/rust-cache@v2
         with:
diff --git a/.github/workflows/changeset.yml b/.github/workflows/changeset.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     branches:
       - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   check-changeset:
diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml
@@ -17,6 +17,9 @@ on:
       - ".github/workflows/codspeed.yml"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
@@ -36,14 +39,9 @@ jobs:
           run_install: false
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
-
-      - name: Add wasm32-wasip1 target
-        run: rustup target add wasm32-wasip1
+          targets: wasm32-wasip1
 
       - name: Enable caching
         uses: Swatinem/rust-cache@v2
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -4,12 +4,6 @@ env:
   VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
 
 on:
-  workflow_dispatch:
-    inputs:
-      pr_number:
-        description: "Pull Request Number"
-        required: true
-        type: string
   push:
     branches:
       - main
@@ -18,23 +12,27 @@ on:
       - "packages/yak-swc/**"
       - "packages/next-yak/**"
       - ".github/workflows/docs.yml"
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "packages/docs/**"
-      - "packages/yak-swc/**"
-      - "packages/next-yak/**"
-      - ".github/workflows/docs.yml"
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "Pull Request Number"
+        required: true
+        type: string
+
+permissions:
+  contents: read
 
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
+    env:
+      IS_PRODUCTION: ${{ github.event_name == 'push' }}
+      PR_NUMBER: ${{ github.event.inputs.pr_number }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.event.inputs.pr_number && format('refs/pull/{0}/head', github.event.inputs.pr_number) || github.ref }}
+          ref: ${{ github.event.inputs.pr_number && format('refs/pull/{0}/head', github.event.inputs.pr_number) || github.ref }}
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4
@@ -52,14 +50,9 @@ jobs:
         run: pnpm install
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
-
-      - name: Add wasm32-wasip1 target
-        run: rustup target add wasm32-wasip1
+          targets: wasm32-wasip1
 
       - name: Install wasm-pack
         run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
@@ -80,48 +73,30 @@ jobs:
 
       # Preview deployment (for pull requests, manual triggers, and non-main pushes)
       - name: Pull Vercel environment information (Preview)
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+        if: env.IS_PRODUCTION == 'false'
         run: vercel pull --yes --environment=preview --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Build project artifacts (Preview)
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+        if: env.IS_PRODUCTION == 'false'
         run: vercel build --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Deploy to Vercel (Preview)
         id: deploy-preview
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+        if: env.IS_PRODUCTION == 'false'
         run: |
           DEPLOYMENT_URL=$(vercel deploy --prebuilt --token ${{ secrets.VERCEL_TOKEN }})
           echo "deployment_url=$DEPLOYMENT_URL" >> $GITHUB_OUTPUT
-      - name: Find Documentation Comment
-        uses: peter-evans/find-comment@v3
-        id: find-comment
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
-        with:
-          issue-number: ${{ github.event.number || github.event.inputs.pr_number }}
-          comment-author: "github-actions[bot]"
-          body-includes: "📚 Documentation Preview Deployed!"
-      - name: Create or Update Documentation Comment
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
-        uses: peter-evans/create-or-update-comment@v4
-        with:
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          issue-number: ${{ github.event.number || github.event.inputs.pr_number }}
-          body: |
-            ## 📚 Documentation Preview Deployed!
-
-            A preview of the documentation changes in this PR has been deployed to Vercel:
-
-            🔗 [View Documentation Preview](${{ steps.deploy-preview.outputs.deployment_url }})
-
-            This preview will update automatically with new commits to this PR.
-          edit-mode: replace
+          echo "Preview deployment URL: $DEPLOYMENT_URL"
 
       # Production deployment (for main branch pushes)
       - name: Pull Vercel environment information (Production)
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: env.IS_PRODUCTION == 'true'
         run: vercel pull --yes --environment=production --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Build project artifacts (Production)
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: env.IS_PRODUCTION == 'true'
         run: vercel build --prod --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Deploy to Vercel (Production)
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: env.IS_PRODUCTION == 'true'
         run: vercel deploy --prebuilt --prod --token ${{ secrets.VERCEL_TOKEN }}
diff --git a/.github/workflows/example.yml b/.github/workflows/example.yml
@@ -1,15 +1,10 @@
 name: Build and Deploy packages/example
+
 env:
   VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
   VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
 
 on:
-  workflow_dispatch:
-    inputs:
-      pr_number:
-        description: "Pull Request Number"
-        required: true
-        type: string
   push:
     branches:
       - main
@@ -18,33 +13,42 @@ on:
       - "packages/yak-swc/**"
       - "packages/next-yak/**"
       - ".github/workflows/example.yml"
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "packages/example/**"
-      - "packages/yak-swc/**"
-      - "packages/next-yak/**"
-      - ".github/workflows/example.yml"
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "Pull Request Number"
+        required: true
+        type: string
+
+permissions:
+  contents: read
 
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
+    # Define whether this is a production deployment
+    env:
+      IS_PRODUCTION: ${{ github.event_name == 'push' }}
+      PR_NUMBER: ${{ github.event.inputs.pr_number }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          ref: ${{ github.event.inputs.pr_number && format('refs/pull/{0}/head', github.event.inputs.pr_number) || github.ref }}
+
       - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
           version: 10.15.0
           run_install: false
+
       - name: Install Node.js
         uses: actions/setup-node@v3
         with:
           node-version: 22
           cache: "pnpm"
+
       - name: Install node_modules
         run: pnpm install
 
@@ -55,13 +59,10 @@ jobs:
         run: pnpm --filter next-yak-example lint
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
-      - name: Add wasm32-wasip1 target
-        run: rustup target add wasm32-wasip1
+          targets: wasm32-wasip1
+
       - name: Enable caching
         uses: Swatinem/rust-cache@v2
         with:
@@ -72,53 +73,36 @@ jobs:
 
       - name: Install Vercel CLI
         run: npm install -g vercel@35
+
       - name: Link Vercel project
         run: vercel link --yes --token ${{ secrets.VERCEL_TOKEN }}
 
-      # Preview deployment (for pull requests and non-main pushes)
+      # Preview deployment (for workflow_dispatch)
       - name: Pull Vercel environment information (Preview)
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+        if: env.IS_PRODUCTION == 'false'
         run: vercel pull --yes --environment=preview --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Build project artifacts (Preview)
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+        if: env.IS_PRODUCTION == 'false'
         run: vercel build --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Deploy to Vercel (Preview)
         id: deploy-preview
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+        if: env.IS_PRODUCTION == 'false'
         run: |
           DEPLOYMENT_URL=$(vercel deploy --prebuilt --token ${{ secrets.VERCEL_TOKEN }})
           echo "deployment_url=$DEPLOYMENT_URL" >> $GITHUB_OUTPUT
-      - name: Find Documentation Comment
-        uses: peter-evans/find-comment@v3
-        id: find-comment
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
-        with:
-          issue-number: ${{ github.event.number }}
-          comment-author: "github-actions[bot]"
-          body-includes: "🧪 Example App Preview Deployed!"
-      - name: Create or Update Documentation Comment
-        if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
-        uses: peter-evans/create-or-update-comment@v4
-        with:
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          issue-number: ${{ github.event.number }}
-          body: |
-            ## 🧪 Example App Preview Deployed!
-
-            A preview of the example app changes in this PR has been deployed to Vercel:
-
-            🔗 [View Example App Preview](${{ steps.deploy-preview.outputs.deployment_url }})
-
-            This preview will update automatically with new commits to this PR.
-          edit-mode: replace
+          echo "Preview deployment URL: $DEPLOYMENT_URL"
 
       # Production deployment (for main branch pushes)
       - name: Pull Vercel environment information (Production)
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: env.IS_PRODUCTION == 'true'
         run: vercel pull --yes --environment=production --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Build project artifacts (Production)
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: env.IS_PRODUCTION == 'true'
         run: vercel build --prod --token ${{ secrets.VERCEL_TOKEN }}
+
       - name: Deploy to Vercel (Production)
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: env.IS_PRODUCTION == 'true'
         run: vercel deploy --prebuilt --prod --token ${{ secrets.VERCEL_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,11 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   release:
     name: Release
@@ -29,13 +34,9 @@ jobs:
           run_install: false
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
-      - name: Add wasm32-wasip1 target
-        run: rustup target add wasm32-wasip1
+          targets: wasm32-wasip1
       - name: Enable caching
         uses: Swatinem/rust-cache@v2
         with:
diff --git a/.github/workflows/swc.yml b/.github/workflows/swc.yml
@@ -4,6 +4,10 @@ on:
     branches:
       - main
   pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 env:
   CARGO_TERM_COLOR: always
@@ -28,4 +32,4 @@ jobs:
       - name: Run cargo fmt
         run: cargo fmt --manifest-path packages/yak-swc/Cargo.toml --all -- --check
       - name: Run cargo clippy
-        run: cargo clippy --manifest-path packages/yak-swc/Cargo.toml
+        run: cargo clippy --manifest-path packages/yak-swc/Cargo.toml
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -15,6 +15,10 @@ on:
       - "packages/next-yak/**"
       - "packages/yak-swc/**"
       - ".github/workflows/node.js.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
