ci: use workflow_run pattern for PR workflows

.github/workflows/__automation.yml

@@ -2,6 +2,9 @@ name: Automation 🎛️
 
 on:
   workflow_call:
+    secrets:
+      JF_BOT_TOKEN:
+        required: true
 
 jobs:
   conflicts:

.github/workflows/__deploy.yml

@@ -2,6 +2,13 @@ name: Deploy 🏗️
 
 on:
   workflow_call:
+    secrets:
+      CLOUDFLARE_API_TOKEN:
+        required: true
+      CLOUDFLARE_ACCOUNT_ID:
+        required: true
+      JF_BOT_TOKEN:
+        required: true
     inputs:
       branch:
         required: true
@@ -16,6 +23,14 @@ on:
         required: false
         type: string
         default: frontend
+      run_id:
+        description: 'Workflow run ID to download artifacts from (for workflow_run triggers)'
+        required: false
+        type: string
+      pr_number:
+        description: 'PR number to comment on (for workflow_run triggers)'
+        required: false
+        type: string
 
 jobs:
   cf-pages:
@@ -33,6 +48,8 @@ jobs:
         with:
           name: ${{ inputs.artifact_name }}
           path: dist
+          run-id: ${{ inputs.run_id }}
+          github-token: ${{ inputs.run_id && secrets.GITHUB_TOKEN || '' }}
 
       - name: Publish to Cloudflare Pages 📃
         uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
@@ -47,7 +64,8 @@ jobs:
     # Always run so the comment is composed for the workflow summary
     if: ${{ always() }}
     uses: ./.github/workflows/__job_messages.yml
-    secrets: inherit
+    secrets:
+      JF_BOT_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
     needs:
       - cf-pages
 
@@ -57,3 +75,4 @@ jobs:
       preview_url: ${{ needs.cf-pages.outputs.url }}
       in_progress: false
       comment: ${{ inputs.comment }}
+      pr_number: ${{ inputs.pr_number }}

.github/workflows/__job_messages.yml

@@ -2,6 +2,9 @@ name: Job messages ⚙️
 
 on:
   workflow_call:
+    secrets:
+      JF_BOT_TOKEN:
+        required: true
     inputs:
       branch:
         required: false
@@ -23,6 +26,10 @@ on:
         required: false
         type: string
         default: "CFPages-deployment"
+      pr_number:
+        description: 'PR number to comment on (for workflow_run triggers)'
+        required: false
+        type: string
 
 
 jobs:
@@ -63,3 +70,4 @@ jobs:
           github-token: ${{ secrets.JF_BOT_TOKEN }}
           message: ${{ env.msg }}
           comment-tag: ${{ inputs.marker }}
+          pr-number: ${{ inputs.pr_number }}

.github/workflows/__package.yml

@@ -43,3 +43,4 @@ jobs:
         with:
           name: frontend
           path: dist
+          retention-days: 1

.github/workflows/ci-deploy.yml

@@ -0,0 +1,49 @@
+name: Deploy PR Preview 🚀
+
+on:
+  workflow_run:
+    workflows: ["CI 🔍"]
+    types: [completed]
+
+permissions:
+  contents: read
+  deployments: write
+  pull-requests: read
+
+jobs:
+  get-pr-number:
+    name: Get PR number
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request' &&
+      github.repository == 'jellyfin/jellyfin-web'
+    runs-on: ubuntu-latest
+    outputs:
+      pr_number: ${{ steps.pr.outputs.number }}
+    steps:
+      - name: Find PR number
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: |
+          PR_NUMBER="${{ github.event.workflow_run.pull_requests[0].number }}"
+          if [ -z "$PR_NUMBER" ]; then
+            PR_NUMBER=$(gh api "/repos/${{ github.repository }}/commits/${HEAD_SHA}/pulls" --jq '.[0].number // empty')
+          fi
+          echo "number=${PR_NUMBER}" >> $GITHUB_OUTPUT
+
+  deploy:
+    name: Deploy 🚀
+    needs: get-pr-number
+    uses: ./.github/workflows/__deploy.yml
+    secrets:
+      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      JF_BOT_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
+    with:
+      branch: ${{ github.event.workflow_run.head_repository.full_name != github.repository && github.event.workflow_run.head_branch == 'master' && format('{0}/{1}', github.event.workflow_run.head_repository.full_name, github.event.workflow_run.head_branch) || github.event.workflow_run.head_branch }}
+      commit: ${{ github.event.workflow_run.head_sha }}
+      comment: true
+      run_id: ${{ github.event.workflow_run.id }}
+      pr_number: ${{ needs.get-pr-number.outputs.pr_number }}

.github/workflows/ci.yml

@@ -0,0 +1,66 @@
+name: CI 🔍
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    branches:
+      - master
+      - release*
+    paths-ignore:
+      - '**/*.md'
+
+permissions: {}
+
+jobs:
+  build:
+    name: Build 🏗️
+    uses: ./.github/workflows/__package.yml
+    with:
+      commit: ${{ github.sha }}
+
+  quality_checks:
+    name: Quality checks 👌🧪
+    uses: ./.github/workflows/__quality_checks.yml
+    permissions: {}
+    with:
+      commit: ${{ github.sha }}
+
+  codeql:
+    name: GitHub CodeQL 🔬
+    uses: ./.github/workflows/__codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      commit: ${{ github.sha }}
+
+  run-eslint:
+    name: Run eslint suggestions
+    runs-on: ubuntu-latest
+    # Only post suggestions for same-repo PRs (GITHUB_TOKEN is read-only for forks)
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Setup node environment
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        with:
+          node-version-file: .nvmrc
+          cache: npm
+          check-latest: true
+
+      - name: Install Node.js dependencies
+        run: npm ci --no-audit
+
+      - name: Run eslint
+        uses: CatChen/eslint-suggestion-action@4ee415529307a8ca0260b4a3775484802523e5af # v4.1.19
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pull_request.yml

@@ -14,87 +14,53 @@ on:
   merge_group:
 
 jobs:
-  push-comment:
-    name: Create comments ✍️
-    if: ${{ always() && !cancelled() && github.repository == 'jellyfin/jellyfin-web' }}
-    uses: ./.github/workflows/__job_messages.yml
-    secrets: inherit
-    with:
-      commit: ${{ github.event.pull_request.head.sha }}
-      in_progress: true
-      comment: true
+  automation:
+    name: Automation 🎛️
+    if: ${{ github.event_name == 'pull_request_target' && github.repository == 'jellyfin/jellyfin-web' }}
+    uses: ./.github/workflows/__automation.yml
+    secrets:
+      JF_BOT_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
 
-  build:
+  merge-queue-build:
     name: Build 🏗️
-    if: ${{ always() && !cancelled() }}
+    if: ${{ github.event_name == 'merge_group' }}
     uses: ./.github/workflows/__package.yml
     with:
-      commit: ${{ github.event.pull_request.head.sha }}
+      commit: ${{ github.sha }}
 
-  automation:
-    name: Automation 🎛️
-    if: ${{ github.repository == 'jellyfin/jellyfin-web' }}
-    uses: ./.github/workflows/__automation.yml
-    secrets: inherit
-
-  quality_checks:
+  merge-queue-quality:
     name: Quality checks 👌🧪
-    if: ${{ always() && !cancelled() }}
+    if: ${{ github.event_name == 'merge_group' }}
     uses: ./.github/workflows/__quality_checks.yml
     permissions: {}
     with:
-      commit: ${{ github.event.pull_request.head.sha }}
+      commit: ${{ github.sha }}
 
-  codeql:
+  merge-queue-codeql:
     name: GitHub CodeQL 🔬
-    if: ${{ always() && !cancelled() }}
+    if: ${{ github.event_name == 'merge_group' }}
     uses: ./.github/workflows/__codeql.yml
     permissions:
       actions: read
       contents: read
       security-events: write
     with:
-      commit: ${{ github.event.pull_request.head.sha }}
+      commit: ${{ github.sha }}
 
-  deploy:
+  merge-queue-deploy:
     name: Deploy 🚀
+    if: ${{ github.event_name == 'merge_group' && github.repository == 'jellyfin/jellyfin-web' }}
     uses: ./.github/workflows/__deploy.yml
-    if: ${{ always() && !cancelled() && needs.build.result == 'success' && github.repository == 'jellyfin/jellyfin-web' }}
     needs:
-      - push-comment
-      - build
+      - merge-queue-build
     permissions:
       contents: read
       deployments: write
-    secrets: inherit
+    secrets:
+      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      JF_BOT_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
     with:
-      # If the PR is from the master branch of a fork, append the fork's name to the branch name
-      branch: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event.pull_request.head.ref == 'master' && format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.event.pull_request.head.ref) || github.event.pull_request.head.ref }}
-      comment: true
-      commit: ${{ github.event.pull_request.head.sha }}
-
-  run-eslint:
-    name: Run eslint suggestions
-    if: ${{ github.repository == 'jellyfin/jellyfin-web' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out Git repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Setup node environment
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
-        with:
-          node-version-file: .nvmrc
-          cache: npm
-          check-latest: true 
-
-      - name: Install Node.js dependencies
-        run: npm ci --no-audit
-
-      - name: Run eslint
-        uses: CatChen/eslint-suggestion-action@4ee415529307a8ca0260b4a3775484802523e5af # v4.1.19
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+      branch: ${{ github.head_ref }}
+      commit: ${{ github.sha }}
+      comment: false

.github/workflows/push.yml

@@ -17,7 +17,8 @@ jobs:
     name: Automation 🎛️
     if: ${{ github.repository == 'jellyfin/jellyfin-web' }}
     uses: ./.github/workflows/__automation.yml
-    secrets: inherit
+    secrets:
+      JF_BOT_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
 
   main:
     name: 'Unstable release 🚀⚠️'
@@ -52,7 +53,10 @@ jobs:
     permissions:
       contents: read
       deployments: write
-    secrets: inherit
+    secrets:
+      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      JF_BOT_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
     with:
       branch: ${{ github.ref_name }}
       comment: false