mirror of
https://github.com/Comfy-Org/ComfyUI_frontend.git
synced 2026-07-09 00:29:22 +00:00
## Summary
Skip secret-backed CI deploy and dispatch work for fork PRs so missing
repo secrets do not fail otherwise valid checks.
## Changes
- **What**: Guard Website E2E report deploy, Vercel website preview
deploy, cloud build dispatch, cloud cleanup dispatch, and Storybook
Chromatic deploy so PR paths only run for same-repo PRs.
- **Dependencies**: None
## Why
Fork `pull_request` runs do not receive repository secrets. Several CI
jobs already separated normal validation from privileged follow-up work,
but some deploy or dispatch steps could still run on fork PRs and fail
only because their secret-backed integration token was empty.
The existing Website E2E fork guard only protected the PR comment job.
It did not protect the earlier Cloudflare report deploy step inside
`website-e2e`, which uses `CLOUDFLARE_API_TOKEN` and
`CLOUDFLARE_ACCOUNT_ID`.
The same failure mode existed in these CI jobs:
- `ci-vercel-website-preview.yaml`: preview deploy uses Vercel and
website API secrets.
- `cloud-dispatch-build.yaml`: preview dispatch uses
`CLOUD_DISPATCH_TOKEN` to call `Comfy-Org/cloud`.
- `cloud-dispatch-cleanup.yaml`: preview cleanup dispatch uses
`CLOUD_DISPATCH_TOKEN`.
- `ci-tests-storybook.yaml`: Chromatic deploy uses
`CHROMATIC_PROJECT_TOKEN`.
`ci-website-build.yaml` was left unchanged. Its Ashby and Cloud nodes
integrations intentionally fall back to committed snapshots when secrets
are missing for preview/local builds, so it is not the same class of
fork-secret failure.
## Review Focus
Confirm fork PRs still run the unprivileged validation/build paths,
while same-repo PRs and non-PR events keep the existing deploy or
dispatch behavior.
## Validation PRs
Both validation PRs compare against `main`.
- Fork PR from `shihchi`:
[#13309](https://github.com/Comfy-Org/ComfyUI_frontend/pull/13309)
- Same-repo PR from `origin`:
[#13310](https://github.com/Comfy-Org/ComfyUI_frontend/pull/13310)
| Workflow | Guarded job or step | Fork #13309 | Same-repo #13310 |
| --- | --- | --- | --- |
| CI: Website E2E | `Upload test report` | success ✅ | success ✅ |
| CI: Website E2E | `Deploy report to Cloudflare` | skipped ❌ | success
✅ |
| CI: Vercel Website Preview | `deploy-preview` | skipped ❌ | success ✅
|
| Cloud Frontend Build Dispatch | `dispatch` | skipped ❌ | success ✅ |
| CI: Tests Storybook | `chromatic-deployment` | skipped ❌ | success ✅ |
Expected result: fork PRs still keep the useful validation artifact
path, but skip secret-backed deploy and dispatch work. Same-repo PRs
keep the privileged behavior.
## Screenshots (if applicable)
N/A, CI-only.
Created by Codex
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Workflow `if` condition changes only; no application code. Same-repo
PR behavior is unchanged when secrets are available.
>
> **Overview**
> Adds **`github.event.pull_request.head.repo.fork == false`** guards so
fork PRs no longer run steps that need repo secrets or trigger external
deploys.
>
> **Website E2E** — the Cloudflare Playwright report deploy step now
runs only on non-PR events or same-repo PRs, so fork runs can still pass
tests and upload artifacts without failing on missing `CLOUDFLARE_*`
secrets.
>
> **Vercel website preview** — the preview deploy job is skipped
entirely for fork PRs (Vercel tokens).
>
> **Storybook Chromatic** — Chromatic deployment on `version-bump-*` PRs
is limited to non-fork PRs (`CHROMATIC_PROJECT_TOKEN`).
>
> **Cloud dispatch** — build and cleanup dispatches to the cloud repo
for preview labels no longer run for fork PRs, aligning with the
existing fork-guard comment in those workflows.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
027aabc9e3. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: huang47 <157390+huang47@users.noreply.github.com>
83 lines
3.1 KiB
YAML
83 lines
3.1 KiB
YAML
---
|
|
# Dispatches a frontend-asset-build event to the cloud repo on push to
|
|
# cloud/* branches and main. The cloud repo handles the actual build,
|
|
# GCS upload, and secret management (Sentry, Algolia, GCS creds).
|
|
#
|
|
# This is fire-and-forget — it does NOT wait for the cloud workflow to
|
|
# complete. Status is visible in the cloud repo's Actions tab.
|
|
|
|
name: Cloud Frontend Build Dispatch
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'cloud/*'
|
|
- 'main'
|
|
pull_request:
|
|
types: [labeled, synchronize]
|
|
workflow_dispatch:
|
|
|
|
permissions: {}
|
|
|
|
concurrency:
|
|
group: cloud-dispatch-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
dispatch:
|
|
# Fork guard: prevent forks from dispatching to the cloud repo.
|
|
# For pull_request events, only dispatch for preview labels.
|
|
# - labeled: fires when a label is added; check the added label name.
|
|
# - synchronize: fires on push; check existing labels on the PR.
|
|
if: >
|
|
github.repository == 'Comfy-Org/ComfyUI_frontend' &&
|
|
(github.event_name != 'pull_request' ||
|
|
(github.event.pull_request.head.repo.fork == false &&
|
|
((github.event.action == 'labeled' &&
|
|
contains(fromJSON('["preview","preview-cpu","preview-gpu"]'), github.event.label.name)) ||
|
|
(github.event.action == 'synchronize' &&
|
|
(contains(github.event.pull_request.labels.*.name, 'preview') ||
|
|
contains(github.event.pull_request.labels.*.name, 'preview-cpu') ||
|
|
contains(github.event.pull_request.labels.*.name, 'preview-gpu'))))))
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Build client payload
|
|
id: payload
|
|
env:
|
|
EVENT_NAME: ${{ github.event_name }}
|
|
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
|
|
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
ACTION: ${{ github.event.action }}
|
|
LABEL_NAME: ${{ github.event.label.name }}
|
|
PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
|
|
run: |
|
|
if [ "${EVENT_NAME}" = "pull_request" ]; then
|
|
REF="${PR_HEAD_SHA}"
|
|
BRANCH="${PR_HEAD_REF}"
|
|
|
|
# Derive variant from all PR labels (default to cpu for frontend-only previews)
|
|
VARIANT="cpu"
|
|
echo "${PR_LABELS}" | grep -q '"preview-gpu"' && VARIANT="gpu"
|
|
else
|
|
REF="${GITHUB_SHA}"
|
|
BRANCH="${GITHUB_REF_NAME}"
|
|
PR_NUMBER=""
|
|
VARIANT=""
|
|
fi
|
|
payload="$(jq -nc \
|
|
--arg ref "${REF}" \
|
|
--arg branch "${BRANCH}" \
|
|
--arg pr_number "${PR_NUMBER}" \
|
|
--arg variant "${VARIANT}" \
|
|
'{ref: $ref, branch: $branch, pr_number: $pr_number, variant: $variant}')"
|
|
echo "json=${payload}" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Dispatch to cloud repo
|
|
uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
|
|
with:
|
|
token: ${{ secrets.CLOUD_DISPATCH_TOKEN }}
|
|
repository: Comfy-Org/cloud
|
|
event-type: frontend-asset-build
|
|
client-payload: ${{ steps.payload.outputs.json }}
|