fix preview checkout

[nerdCopter]

• ensure checkout of ref: ${{ github.event.pull_request.head.sha }} for the Deployment Preview

Summary by CodeRabbit

• Chores
  • Updated preview deployment workflow to trigger only on specific pull request events and ensure deployments use the exact commit from the pull request.
  • Separated build and deploy processes to improve deployment reliability and security.

[coderabbitai]

"""

Walkthrough

The deploy-preview GitHub Actions workflow was restructured to separate build and deploy phases. It now triggers on specific pull request events targeting the master branch, builds the project artifact in one job, and deploys using that artifact in a dependent job with expanded permissions and secret usage isolated to deployment.

Changes

File(s)	Change Summary
.github/workflows/deploy-preview.yml	Split single deploy job into separate build and deploy jobs; restricted triggers to specific PR events on master; build job checks out PR head SHA and uploads artifact; deploy job depends on build, downloads artifact, uses expanded permissions, and deploys with secrets.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub
    participant DeployWorkflow

    Developer->>GitHub: Open/Synchronize/Reopen PR targeting master
    GitHub->>DeployWorkflow: Trigger deploy-preview workflow
    DeployWorkflow->>DeployWorkflow: Build job: checkout PR head SHA, install, build, upload artifact
    DeployWorkflow->>DeployWorkflow: Deploy job: download artifact, deploy using secrets, comment on PR

Loading

Possibly related PRs

• Adding cloudflare preview builds #822: Introduced the initial deploy-preview workflow, which this PR refines by adjusting triggers and checkout behavior.

Suggested labels

housekeeping

Poem

A hop and a skip on the master branch,
The workflow now triggers with more nuance.
Build hops first, then deploys with care,
Secrets tucked safely, all laid bare.
Artifacts carried, no code unchecked,
Deployment’s swift, no step neglect! 🐇🚀
"""

Note

⚡️ AI Code Reviews for VS Code, Cursor, Windsurf

CodeRabbit now has a plugin for VS Code, Cursor and Windsurf. This brings AI code reviews directly in the code editor. Each commit is reviewed immediately, finding bugs before the PR is raised. Seamless context handoff to your AI code agent ensures that you can easily incorporate review feedback.
Learn more here.

---

Note

⚡️ Faster reviews with caching

CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 16th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.
Enjoy the performance boost—your workflow just got faster.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[nerdCopter]

@coderabbitai , why does this not work as expected. the pull-request deployment preview should checkout the pr branch head commit.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Let's examine the workflow file and the changes in this PR
cat .github/workflows/deploy-preview.yml
echo "---------- PR DIFF ----------"
git diff origin/master..HEAD -- .github/workflows/deploy-preview.yml

Length of output: 2274

---

@nerdCopter I can see why this isn't working as expected. Your PR is actually trying to fix this exact issue by adding ref: ${{ github.event.pull_request.head.sha }} to the checkout action, but you're hitting a common GitHub Actions limitation.

When you modify a workflow file in a PR, GitHub still uses the version of that workflow from the target branch (master), not the version being proposed in your PR. This creates a "chicken and egg" situation - your fix won't be applied until after it's merged.

The workflow that ran on your PR was using the old version from master that doesn't have the explicit checkout reference, which is why it didn't check out the PR head commit as expected.

Your changes look correct and should fix the issue once they're merged. After merging, future PRs will properly check out their head commits for previews.

(_/）
(•ㅅ•）
/ 　 づ ♥ <Learning something new!>

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/deploy-preview.yml (2)

4-4: Verify event filter covers all desired triggers
Restricting to opened, synchronize, and reopened on PRs targeting master avoids unnecessary runs, but if you need previews on other actions (e.g. labeled, unlabeled) or want a manual trigger, consider adding those event types or a workflow_dispatch.

---

20-21: Pin checkout to the exact PR commit
Specifying ref: ${{ github.event.pull_request.head.sha }} is correct to deploy the precise PR head. As an optional improvement, you can harden and extend the clone step:

with:
  ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0            # retrieve full history if you rely on tags or deep logs
+ persist-credentials: false  # don’t persist GITHUB_TOKEN in the workspace

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6eb3711 and 5e54963.

📒 Files selected for processing (1)

• .github/workflows/deploy-preview.yml (2 hunks)

[nerdCopter]

@blckmn , please confirm and merge as needed.

[demvlad]

Yes, i've tryed to use preview url recently, and seen strange bbe version.

[nerdCopter]

@coderabbitai, please review. does this have the same security issue as betaflight/betaflight-configurator#4468 (review) ?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

Response from running the script:

name: Preview Deployment

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches:
      - master

jobs:
  preview-deploy:
    name: Deploy Preview
    environment: preview
    permissions:
      contents: read
      deployments: write
      issues: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
    
      - name: Upload
        id: deploy
        uses: cloudflare/[email protected]
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          projectName: betaflight-blackbox
          directory: ./
          gitHubToken: ${{ secrets.GITHUB_TOKEN }}

Let me look at the security issue referenced in the other repository:

Response from running the script:

> [!WARNING]  
> This is a potentially dangerous PR because it uses `pull_request_target` with `ref: ${{ github.event.pull_request.head.ref }}`.
> 
> When a PR from a fork is opened, the `pull_request_target` event will execute the workflow with access to secrets from the target repo, and this workflow specifically checks out code from the PR branch. This means any workflow code from the PR will be executed with access to your repository secrets. This is a common attack vector for secret exfiltration.
> 
> **Recommended fix:**
> 
> 1. Use regular `pull_request` instead of `pull_request_target` if you don't need access to secrets.
> 2. If you do need access to secrets, never check out code from the PR. Instead, always use the base branch code.
> 3. If you absolutely must check out PR code with `pull_request_target`, add a separate verification step that runs before any PR code is executed, and terminate the workflow if malicious code is detected.

@nerdCopter Yes, this PR has exactly the same security issue as the one you referenced. The workflow uses pull_request_target (which has access to repository secrets) and explicitly checks out the PR code with ref: ${{ github.event.pull_request.head.sha }}.

This combination is problematic because:

1. pull_request_target runs with access to all repository secrets
2. By checking out the PR code, any malicious code in that PR could access those secrets
3. This creates a security vulnerability where attackers could submit PRs specifically to steal your secrets

Possible solutions:

1. Use regular pull_request instead of pull_request_target (but you'll lose access to secrets)
2. If you need secrets, don't check out PR code - use the base branch code instead
3. If you absolutely must check out PR code with pull_request_target, add a validation step that runs before any PR code executes to verify it's not malicious

Let me know if you'd like more details about implementing any of these solutions!

---

🏁 Script executed:

#!/bin/bash
# Let's examine the current workflow file
cat .github/workflows/deploy-preview.yml

Length of output: 1558

---

🏁 Script executed:

#!/bin/bash
# Let's use GitHub CLI to fetch the review comment mentioned in the URL
gh api repos/betaflight/betaflight-configurator/pulls/4468/reviews/2840764026 --jq '.body'

Length of output: 1256

---

@nerdCopter Yes, this workflow has the same security vulnerability. The workflow uses pull_request_target (which runs with access to repository secrets) while explicitly checking out PR code with ref: ${{ github.event.pull_request.head.sha }}.

This combination creates a security risk because:

• pull_request_target workflows run with access to repository secrets
• By checking out and building code from the PR (yarn install and yarn build), malicious code in that PR could be executed
• This malicious code would have access to secrets and tokens defined in your workflow

Recommended fixes:

1. Preferred option: Use regular pull_request instead of pull_request_target if you don't need access to secrets

2. Alternative: If you need access to secrets for deployment but not during build:

   • Use a two-workflow approach: build with pull_request (no secrets), then deploy with pull_request_target (with secrets)
   • Ensure no PR code is executed during the pull_request_target workflow

3. Last resort: Add code scanning/validation steps before running any PR code with access to secrets

This is a commonly overlooked security issue in GitHub Actions that can lead to secret exfiltration.

[nerdCopter]

@coderabbitai, please implement the fix in the single .yml file.

EDIT: number 2 Alternative

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

A summary of the edits CodeRabbit can apply:

The workflow will be updated to trigger on pull_request instead of pull_request_target to prevent untrusted PR code from running with access to secrets.

A plan of each step that CodeRabbit will take in order to execute the edits for each file (with inline rough draft snippets):

✏️ .github/workflows/deploy-preview.yml

Replace the existing on: block (lines 2–7) so that the workflow triggers on pull requests instead of pull_request_target. Specifically, change:

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches:
      - master

to:

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - master

A summary of the context that CodeRabbit is considering across the codebase:

Locate the pull_request_target trigger in the workflow so we know exactly which lines to replace with a safer pull_request trigger.

• ✅ Create PR with these edits

• 📌 Create commit in current branch

• 📋 Get copyable edits

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Preview URL: https://a7f82e12.betaflight-blackbox.pages.dev

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/deploy-preview.yml (3)

15-17: Consider adding fetch-depth: 0 for full Git history
By default actions/checkout fetches only a single commit. If your build relies on Git history (e.g., generating changelogs, tags, or versioning), you should set fetch-depth: 0. Otherwise you can skip this.

-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          persist-credentials: false
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+          fetch-depth: 0

---

34-38: Pin upload-artifact to the latest stable version and set retention
You’ve chosen actions/upload-artifact@v4, which may be a beta. Pinning to v3 ensures stability. You can also add retention-days to automatically expire build artifacts.

-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: dist-files
-          path: dist
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: dist-files
+          path: dist
+          retention-days: 1

---

40-48: Restrict deploy job permissions to least privilege
The deploy job currently requests:

permissions:
  actions: read
  contents: read
  deployments: write
  issues: write
  pull-requests: write

If you only need to create deployments and comment on the PR, you can drop issues: write and the default contents: read:

-    permissions:
-      actions: read
-      contents: read
-      deployments: write
-      issues: write
-      pull-requests: write
+    permissions:
+      deployments: write
+      pull-requests: write

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between b044d60 and 05b6fa5.

📒 Files selected for processing (1)

• .github/workflows/deploy-preview.yml (2 hunks)

🔇 Additional comments (2)

.github/workflows/deploy-preview.yml (2)

49-51: Reevaluate the deploy job timeout
The deploy job is capped at 5 minutes. Make sure your Cloudflare Pages deploy reliably finishes within this window; otherwise consider raising timeout-minutes.

Please verify your average deploy duration and adjust the timeout accordingly.

---

52-57: The artifact download step cleanly separates code execution from secrets—good job. The syntax and inputs look correct.

[haslinghuis]

Approving (untested)

[blckmn]

@coderabbitai , why does this not work as expected. the pull-request deployment preview should checkout the pr branch head commit.

Thes URL hash is a unique URL hash for the deployment, it is NOT the same as the git short hash.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@blckmn Thanks for the clarification! You're absolutely correct - the hash in the Cloudflare Pages deployment URL (a7f82e12 in this case) is a unique identifier generated by Cloudflare for that specific deployment and is completely unrelated to the git commit hash.

Cloudflare generates these unique URL hashes for each deployment to ensure they have stable, distinct URLs. This is standard behavior for their preview deployments regardless of which git commit triggered the build.

[demvlad]

It works.
Thank's!