Merge remote-tracking branch 'upstream/main' into bad-tag-desc

hry-gh · hry-gh · commit e54344b91574 · 2024-11-12T16:53:13.000Z
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
@@ -1,27 +1,63 @@
 name: Deploy PR previews
 
 on:
+  pull_request:
+    branches:
+      - main
   pull_request_target:
+    types:
+      - opened
+      - reopened
+      - labeled
+      - synchronize
     branches:
       - main
 
-    paths:
-      - "**/*.*"
-      - "!package.json"
-      - "!.github/workflows"
-
 env:
   DEPLOY_REPO_OWNER: OpenDreamProject
   DEPLOY_REPO: od-dm-reference
 
-concurrency: preview-${{ github.ref }}
+concurrency:
+  group: "ci-security-${{ github.head_ref || github.run_id }}-${{ github.event_name }}"
+  cancel-in-progress: true
 
 jobs:
+  security-checkpoint:
+    name: Check CI Clearance
+    if: github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id || github.event.pull_request.user.id == 55142896) && github.event.pull_request.state == 'open'
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Remove Stale 'CI Cleared' Label"
+        if: github.event.action == 'synchronize' || github.event.action == 'reopened'
+        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
+        with:
+          labels: CI Cleared
+
+      - name: "Remove 'CI Approval Required' Label"
+        if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
+        uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
+        with:
+          labels: CI Approval Required
+
+      - name: "Add 'CI Approval Required' Label"
+        if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
+        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf
+        with:
+          labels: CI Approval Required
+
+      - name: Fail if PR has Unlabeled new Commits from User
+        if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
+        run: exit 1
+
   deploy-preview:
+    needs: security-checkpoint
+    if: (!(cancelled() || failure()) && (needs.security-checkpoint.result == 'success' || (github.event_name != 'pull_request_target' && github.event.pull_request.head.repo.id == github.event.pull_request.base.repo.id && github.event.pull_request.user.id != 55142896)))
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
+        with:
+          ref: refs/pull/${{ github.event.number }}/merge
 
       - name: Setup Node
         uses: actions/setup-node@v4
