chore: Push artifacts using PRs on the protected branch (#110)

zguesmi · web-flow · commit c24616908a9c · 2025-10-14T10:37:34.000+02:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -28,11 +28,16 @@ jobs:
   deploy:
     needs: build-and-test
     runs-on: ubuntu-latest
+    environment: ${{ inputs.network }}
+    permissions:
+      contents: write # Required to commit artifacts.
+      pull-requests: write # Required to create pull requests.
     env:
       CI: true
-    permissions:
-      contents: write # Required to commit deployment files.
-    environment: ${{ inputs.network }}
+      # For commit action
+      COMMIT_MESSAGE: 'chore: Save artifacts - ${{ inputs.network }} (runId:${{ github.run_id }})'
+      GHA_BOT_NAME: 'GitHub Actions Bot'
+      GHA_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com'
     steps:
       - uses: actions/checkout@v4
         with:
@@ -73,16 +78,39 @@ jobs:
         run: |
           make deploy-crosschain-token-and-bridge
 
-      - name: Save deployment artifacts
-        if: inputs.network != 'anvil'
+      - name: Push artifacts to the current branch
+        if: inputs.network != 'anvil' && github.ref != 'refs/heads/main'
         uses: stefanzweifel/git-auto-commit-action@v5
         with:
-          commit_message: 'chore: save deployment artifacts for ${{ inputs.network }} (Github run_id: ${{ github.run_id }})'
-          file_pattern: 'config/config.json broadcast/'
-          commit_user_name: 'GitHub Actions Bot'
-          commit_user_email: 'github-actions[bot]@users.noreply.github.com'
-          commit_author: 'GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>'
-          
+          file_pattern: |
+            config/config.json
+            broadcast/
+          commit_message: ${{ env.COMMIT_MESSAGE }}
+          commit_user_name: ${{ env.GHA_BOT_NAME }}
+          commit_user_email: ${{ env.GHA_BOT_EMAIL }}
+          commit_author: '${{ env.GHA_BOT_NAME }} <${{ env.GHA_BOT_EMAIL }}>'
+
+      # Since the `main` branch is protected, create a PR to push artifacts.
+      - name: Push artifacts through a pull request
+        if: inputs.network != 'anvil' && github.ref == 'refs/heads/main'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          add-paths: |
+            config/config.json
+            broadcast/
+          commit-message: ${{ env.COMMIT_MESSAGE }}
+          committer: '${{ env.GHA_BOT_NAME }} <${{ env.GHA_BOT_EMAIL }}>'
+          author: '${{ env.GHA_BOT_NAME }} <${{ env.GHA_BOT_EMAIL }}>'
+          branch: chore/save-artifacts-${{ inputs.network }}
+          title: ${{ env.COMMIT_MESSAGE }}
+          draft: true
+          body: |
+            🤖 This is an automated pull request to save deployment artifacts.
+            * Network: `${{ inputs.network }}`
+            * Job: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+            **Note**: Verify deployment before merging this PR.
+
       - name: Verify contracts
         if: inputs.network != 'anvil'
         continue-on-error: true
