From 3fd38b2edcf89bad75cb38a311f308f70b28ae84 Mon Sep 17 00:00:00 2001
From: Henry Schreiner
Date: Wed, 20 May 2026 11:53:52 -0400
Subject: [PATCH 1/3] ci: split deploy-pages workflow into build and deploy jobs

Separate the monolithic build-and-deploy job into two jobs with an artifact between them. The build job only needs contents: read permissions, while the deploy job has pages: write and id-token: write permissions and is protected by a github-pages environment. This follows the principle of least privilege and protects the deploy environment.

Assisted-by: OpenCode:glm-5
---
 .github/workflows/deploy-pages.yml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
index 62daf91..573a9f5 100644
--- a/.github/workflows/deploy-pages.yml
+++ b/.github/workflows/deploy-pages.yml
@@ -12,12 +12,10 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build-and-deploy:
-    name: Build and Deploy
+  build:
+    name: Build
     runs-on: ubuntu-latest
     permissions:
-      pages: write # needed for pages
-      id-token: write # needed for pages
       contents: read
     steps:
       - name: Checkout
@@ -36,13 +34,25 @@ jobs:
       - name: Build webapp
         run: bun run build-html
 
-      - name: Configure Pages
-        uses: actions/configure-pages@v6
-
       - name: Upload artifact for Pages
         uses: actions/upload-pages-artifact@v5
         with:
           path: out
 
+  deploy:
+    name: Deploy
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Configure Pages
+        uses: actions/configure-pages@v6
+
       - name: Deploy to GitHub Pages
+        id: deployment
         uses: actions/deploy-pages@v5

From 1f0f94f9116353bb1ae500e54d4c4b94e8e9d968 Mon Sep 17 00:00:00 2001
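Review bot: The new `deploy` job references `actions/configure-pages@v6` and `actions/deploy-pages@v5` by mutable major tag, and this is now the only job holding `pages: write` and `id-token: write`, so a moved or compromised tag would run with exactly the credentials the split is meant to isolate. Pin both to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/deploy-pages@<sha>  # v5`, and let Dependabot or Renovate bump them. Also worth noting, in the commit message or a comment above `environment:`, that `environment: github-pages` only protects the deploy if the environment's protection rules (required reviewers, deployment branch policy) are actually configured in the repository settings; the workflow alone enforces nothing. The surrounding `steps:` of the build job start before this hunk.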
From: Henry Schreiner
Date: Wed, 20 May 2026 11:56:57 -0400
Subject: [PATCH 2/3] ci: run build on PRs, only deploy on push to main

Add pull_request trigger so the build job runs on PRs too. Gate the deploy job with `if: github.event_name == 'push'` so it only runs when pushing to main, not on PRs.

Assisted-by: OpenCode:glm-5
---
 .github/workflows/deploy-pages.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
index 573a9f5..e33f023 100644
--- a/.github/workflows/deploy-pages.yml
+++ b/.github/workflows/deploy-pages.yml
@@ -3,6 +3,7 @@ name: Deploy Webapp to GitHub Pages
 on:
   push:
     branches: [main]
+  pull_request:
   workflow_dispatch:
 
 permissions: {}
@@ -42,6 +43,7 @@ jobs:
   deploy:
     name: Deploy
     needs: build
+    if: github.event_name == 'push'
     runs-on: ubuntu-latest
     permissions:
       pages: write

From ebf1b60b1af5398e34be6dd3659168dddc0c4e9b Mon Sep 17 00:00:00 2001
From: Henry Schreiner
Date: Wed, 20 May 2026 12:00:08 -0400
Subject: [PATCH 3/3] ci: add explanatory comments for deploy job permissions

zizmor requires undocumented-permissions to have comments.

Assisted-by: OpenCode:glm-5
---
 .github/workflows/deploy-pages.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml
index e33f023..ced847d 100644
--- a/.github/workflows/deploy-pages.yml
+++ b/.github/workflows/deploy-pages.yml
@@ -46,8 +46,8 @@ jobs:
     if: github.event_name == 'push'
     runs-on: ubuntu-latest
     permissions:
-      pages: write
-      id-token: write
+      pages: write # needed for pages
+      id-token: write # needed for pages
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
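Review bot: Adding `pull_request:` makes the workflow's `concurrency` block matter in a new way: `cancel-in-progress: true` is visible in the first patch's context but the `group` key is above what either patch shows, and if that key is a fixed string rather than something like `${{ github.workflow }}-${{ github.ref }}`, a PR opened while a main push is mid-deploy will cancel that deployment. Please confirm the group is ref-scoped, and consider keeping `cancel-in-progress` false for the deploy path so a half-finished Pages deploy is never aborted by an unrelated run. The top-level `permissions: {}` in the context is the right default for fork PRs; the build job's own `contents: read` lies outside this hunk.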
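Review bot: `if: github.event_name == 'push'` silently excludes `workflow_dispatch`, which the previous hunk keeps in `on:`, so a manual dispatch now builds but never deploys; either that is intended and the trigger should be dropped or documented, or the gate should be on the ref rather than the event. Conditioning on the ref, `if: github.ref == 'refs/heads/main'`, covers push to main (already filtered by `branches: [main]`), allows a dispatch from main, and still excludes pull requests, whose ref is a `refs/pull/N/merge` ref. Whichever is chosen, the deploy job is the only one with write permissions, so a short comment above the `if:` stating the intended gate, e.g. `# Only publish from main; PR runs stop after the build job`, will keep the next reader from loosening it.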
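Review bot: The two added comments are identical and say only that the permission is "needed for pages", which satisfies the linter without explaining the why that a reader (or a later reviewer deciding whether to drop one) needs; the point of documenting `write` permissions is to record what each one unlocks. Something like `pages: write  # lets deploy-pages publish the uploaded artifact` and `id-token: write  # OIDC token that deploy-pages presumably requests to authenticate the deployment` says why each exists (the OIDC detail is an assumption to confirm against the action's docs). Two spaces before an inline `#` also matches the usual yamllint setting. The enclosing `deploy` job begins above this hunk.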