Use pull_request instead and check if secret is set

Author: kasperpeulen

.github/workflows/deploy.yml

@@ -3,11 +3,11 @@ on:
   push:
     branches:
       - main
-  pull_request_target:
+  pull_request:
     types: [opened, reopened, synchronize, closed]
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 permissions:
@@ -25,9 +25,6 @@ jobs:
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
       - name: ⎔ Setup node
         uses: actions/setup-node@v4
         with:
@@ -51,9 +48,6 @@ jobs:
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
       - name: ⎔ Setup node
         uses: actions/setup-node@v4
         with:
@@ -80,9 +74,6 @@ jobs:
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
       - name: ⎔ Setup node
         uses: actions/setup-node@v4
         with:
@@ -107,9 +98,6 @@ jobs:
     steps:
       - name: ⬇️ Checkout repo
         uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
       - name: 🏄 Copy test env vars
         run: cp .env.example .env
 
@@ -188,7 +176,7 @@ jobs:
   deploy-staging:
     name: 🚁 Deploy staging app for PR
     runs-on: ubuntu-24.04
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' && secrets.FLY_API_TOKEN }}
     outputs:
       url: ${{ steps.deploy.outputs.url }}
     environment:
@@ -199,8 +187,6 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: '50'
-          ref: ${{ github.event.pull_request.head.sha }}
-
       - name: 👀 Read app name
         uses: SebRollen/[email protected]
         id: app_name
@@ -211,7 +197,7 @@ jobs:
       - name: 🎈 Setup Fly
         uses: superfly/flyctl-actions/[email protected]
 
-      - name: 🏗️ Create Fly app and provision resources
+      - name: 🚁️ Deploy PR app to Fly.io
         if: github.event.action != 'closed'
         run: |
           FLY_APP_NAME="${{ steps.app_name.outputs.value }}-pr-${{ github.event.number }}"
@@ -227,7 +213,16 @@ jobs:
             flyctl storage create --app $FLY_APP_NAME --name epic-stack-$FLY_APP_NAME --yes > /dev/null 2>&1
           fi
 
-          flyctl deploy . --ha=false --regions $FLY_REGION --vm-size shared-cpu-1x --env APP_ENV=staging --env ALLOW_INDEXING=false --app $FLY_APP_NAME --image-label ${{ github.sha }} --build-arg COMMIT_SHA=${{ github.sha }} --build-secret SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
+          flyctl deploy . \
+            --ha=false \ # use only one machine for staging
+            --regions $FLY_REGION \
+            --vm-size shared-cpu-1x \
+            --env APP_ENV=staging \
+            --env ALLOW_INDEXING=false \
+            --app $FLY_APP_NAME \
+            --image-label ${{ github.sha }} \
+            --build-arg COMMIT_SHA=${{ github.sha }} \
+            --build-secret SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
 
       - name: 🧹 Cleanup resources when PR is closed
         if: github.event.action == 'closed'