chore: secure-proof workflows

Author: mandarini

.github/workflows/preview-build.yml

@@ -0,0 +1,86 @@
+name: Preview Build
+
+permissions:
+  contents: read
+  pull-requests: read
+
+on:
+  pull_request:
+    types: [opened, synchronize, labeled]
+    paths:
+      - 'src/**'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'tsconfig.json'
+
+jobs:
+  build-preview:
+    # Only run if PR has the 'trigger: preview' label
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'trigger: preview')
+    runs-on: ubuntu-latest
+    outputs:
+      preview-url: ${{ steps.preview.outputs.url }}
+      pr-number: ${{ github.event.pull_request.number }}
+    steps:
+      # Checkout fork code - safe because no secrets are available
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      # Log PR author for auditing
+      - name: Log PR author
+        run: |
+          echo "Preview build triggered by: ${{ github.event.pull_request.user.login }}"
+          echo "PR #${{ github.event.pull_request.number }} from fork: ${{ github.event.pull_request.head.repo.full_name }}"
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+      
+      - name: Install dependencies
+        run: npm ci
+      
+      - name: Build
+        run: npm run build
+      
+      - name: Run tests
+        run: npm test
+        continue-on-error: true # Don't fail preview on test failures
+      
+      - name: Create preview release
+        id: preview
+        run: |
+          set -e
+          echo "Creating preview release..."
+          OUTPUT=$(npx pkg-pr-new@latest publish --compact 2>&1)
+          echo "Full output:"
+          echo "$OUTPUT"
+          
+          # Extract the preview URL
+          PREVIEW_URL=$(echo "$OUTPUT" | grep -o 'https://pkg\.pr\.new/@supabase/[^[:space:]]*' | head -1)
+          
+          if [ -z "$PREVIEW_URL" ]; then
+            echo "Error: Failed to extract preview URL from pkg-pr-new output"
+            exit 1
+          fi
+          
+          echo "Preview Release URL: $PREVIEW_URL"
+          echo "url=$PREVIEW_URL" >> $GITHUB_OUTPUT
+      
+      # Save preview info for the next workflows
+      - name: Save preview info
+        run: |
+          mkdir -p preview-info
+          echo "${{ steps.preview.outputs.url }}" > preview-info/preview-url.txt
+          echo "${{ github.event.pull_request.number }}" > preview-info/pr-number.txt
+          echo "${{ github.event.pull_request.head.sha }}" > preview-info/commit-sha.txt
+          echo "realtime-js" > preview-info/package-name.txt
+          
+      - name: Upload preview info
+        uses: actions/upload-artifact@v4
+        with:
+          name: preview-info
+          path: preview-info/
+          retention-days: 7

.github/workflows/preview-comment.yml

@@ -0,0 +1,112 @@
+name: Update PR Comment
+
+permissions:
+  pull-requests: write
+  actions: read
+
+on:
+  workflow_run:
+    workflows: ["Preview Build", "Trigger Supabase JS Tests"]
+    types: [completed]
+
+jobs:
+  update-comment:
+    runs-on: ubuntu-latest
+    steps:
+      # Get PR number from the workflow run
+      - name: Get PR info
+        id: pr-info
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Get the workflow run details
+            const workflowRun = context.payload.workflow_run;
+            
+            // Find associated PR
+            const prs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              head: `${workflowRun.head_repository.owner.login}:${workflowRun.head_branch}`
+            });
+            
+            if (prs.data.length > 0) {
+              const pr = prs.data[0];
+              core.setOutput('pr-number', pr.number);
+              core.setOutput('found', 'true');
+              console.log(`Found PR #${pr.number}`);
+            } else {
+              core.setOutput('found', 'false');
+              console.log('No associated PR found');
+            }
+      
+      # Only continue if we found a PR
+      - name: Download preview info
+        if: steps.pr-info.outputs.found == 'true' && github.event.workflow_run.name == 'Preview Build' && github.event.workflow_run.conclusion == 'success'
+        uses: actions/download-artifact@v4
+        with:
+          name: preview-info
+          path: preview-info/
+          run-id: ${{ github.event.workflow_run.id }}
+        continue-on-error: true
+      
+      - name: Read preview URL
+        if: steps.pr-info.outputs.found == 'true' && github.event.workflow_run.name == 'Preview Build' && github.event.workflow_run.conclusion == 'success'
+        id: preview-url
+        run: |
+          if [ -f "preview-info/preview-url.txt" ]; then
+            echo "url=$(cat preview-info/preview-url.txt)" >> $GITHUB_OUTPUT
+            echo "found=true" >> $GITHUB_OUTPUT
+          else
+            echo "found=false" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+      
+      # Find existing comment
+      - name: Find existing comment
+        if: steps.pr-info.outputs.found == 'true'
+        uses: peter-evans/find-comment@v3
+        id: find-comment
+        with:
+          issue-number: ${{ steps.pr-info.outputs.pr-number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: '<!-- functions-js-preview-status -->'
+      
+      # Create or update comment based on workflow status
+      - name: Create or update preview comment
+        if: steps.pr-info.outputs.found == 'true'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          issue-number: ${{ steps.pr-info.outputs.pr-number }}
+          body: |
+            <!-- functions-js-preview-status -->
+            ## 🚀 Preview Release Status
+            
+            ${{ github.event.workflow_run.name == 'Preview Build' && github.event.workflow_run.conclusion == 'success' && steps.preview-url.outputs.found == 'true' && format('✅ **Preview package created successfully!**
+            
+            📦 **Preview URL:** `{0}`
+            
+            You can install this preview package in your project by running:
+            ```bash
+            npm install {0}
+            ```
+            
+            🔄 Supabase-js CI tests have been automatically triggered to verify compatibility.
+            ', steps.preview-url.outputs.url) || '' }}
+            
+            ${{ github.event.workflow_run.name == 'Preview Build' && github.event.workflow_run.conclusion == 'failure' && '❌ **Preview build failed**
+            
+            Please check the [workflow logs](' }}${{ github.event.workflow_run.name == 'Preview Build' && github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.html_url || '' }}${{ github.event.workflow_run.name == 'Preview Build' && github.event.workflow_run.conclusion == 'failure' && ') for more details.' || '' }}
+            
+            ${{ github.event.workflow_run.name == 'Trigger Supabase JS Tests' && github.event.workflow_run.conclusion == 'success' && '✅ **Supabase-js tests triggered successfully!**
+            
+            The integration tests are now running. Results will be posted in the supabase-js repository when complete.' || '' }}
+            
+            ${{ github.event.workflow_run.name == 'Trigger Supabase JS Tests' && github.event.workflow_run.conclusion == 'failure' && '⚠️ **Failed to trigger supabase-js tests**
+            
+            The preview package was created but the integration tests could not be triggered. You may need to trigger them manually.' || '' }}
+            
+            ---
+            <sub>Last updated: ${{ github.event.workflow_run.updated_at }}</sub>
+          edit-mode: replace