Fix pull request preview deployment workflow

[riderx]

Summary

This PR overhauls the preview deployment workflow to accurately mirror the production deployment process. The goal is to provide a reliable, production-like testing environment for every pull request. This includes deploying Supabase functions, the frontend, and all Cloudflare Workers (API, Files, Plugin) with their respective production configurations and bindings, but using the PR's code. Upon successful deployment, direct links to all preview environments are now posted as a comment on the pull request.

Test plan

1. Open a new pull request to this repository.
2. Observe the GitHub Actions workflow run for preview_deploy.yml.
3. Verify that all jobs (supabase_deploy, deploy_webapp, deploy_api, deploy_files, deploy_plugin, comment_pr) complete successfully.
4. Check the PR comments for a new comment containing links to the deployed preview environments (frontend, API, files, plugin).
5. Click on each link to ensure the preview environments are accessible and functional.
6. Close the pull request and verify that the preview_cleanup workflow runs and removes the deployed preview resources.

Screenshots

N/A

Checklist

• My code follows the code style of this project and passes bun run lint-backend && bun run lint.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• My change has adequate E2E test coverage.
• I have tested my code manually, and I have provided steps how to reproduce my tests

---

_{Learn more about Cursor Agents}

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch cursor/fix-pull-request-preview-deployment-workflow-e35b

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

To fix the problem, we need to avoid dynamic secret access and instead reference secrets statically. Since the workflow currently uses env.SUPA_ENV (set to "PROD") to determine which secret to use, we can directly reference the production secrets. Specifically, replace:

echo "SUPABASE_DB_PASSWORD=${{ secrets[format('SUPABASE_DB_PASS_{0}', env.SUPA_ENV)] }}" >> $GITHUB_ENV
echo "SUPABASE_PROJECT_ID=${{ secrets[format('SUPABASE_PROJECT_ID_{0}', env.SUPA_ENV)] }}" >> $GITHUB_ENV

with:

echo "SUPABASE_DB_PASSWORD=${{ secrets.SUPABASE_DB_PASS_PROD }}" >> $GITHUB_ENV
echo "SUPABASE_PROJECT_ID=${{ secrets.SUPABASE_PROJECT_ID_PROD }}" >> $GITHUB_ENV

This change should be made in .github/workflows/preview_deploy.yml, lines 33 and 34. No new imports or methods are needed, just a direct edit to the workflow YAML.

---

To fix the problem, we need to avoid dynamic secret access and instead reference each required secret explicitly. Since SUPA_ENV is set to PROD in the workflow, only the production secrets are ever used. Therefore, we can replace the dynamic secret access with direct references to secrets.SUPABASE_DB_PASS_PROD and secrets.SUPABASE_PROJECT_ID_PROD. This change should be made in the step "Set Supabase credentials" (lines 31–34). No other changes are needed, as the rest of the workflow already uses explicit secret references.

---

To fix the problem, add a permissions block to the workflow file .github/workflows/preview_deploy.yml. This block should be placed at the top level (after the name: and before concurrency: or on:) to apply to all jobs unless overridden. The minimal starting point is contents: read, which allows jobs to check out code but not modify repository contents. If any job requires additional permissions (e.g., to create issues or pull requests), those can be added as needed, but for the jobs shown, contents: read is sufficient.

To fix the problem, add a permissions block to the root of the workflow file (.github/workflows/preview_deploy.yml). This will set the default permissions for all jobs in the workflow, limiting the GITHUB_TOKEN to only the specified scopes. The recommended minimal starting point is contents: read, which allows jobs to read repository contents but not write to them. If any job requires additional permissions (e.g., to comment on pull requests), those can be added at the job level. The change should be made at the top of the workflow file, after the name: declaration and before the concurrency: or on: blocks.

To fix the problem, add a permissions block at the top level of the workflow file, immediately after the name: field and before any jobs or steps. This block should specify the minimal permissions required for the workflow to function. As a safe default, set contents: read, which allows the workflow to read repository contents but not write to them. If any job requires additional permissions (such as pull-requests: write), those can be added at the job level, but based on the provided code, contents: read is sufficient. The change should be made at the top of .github/workflows/preview_deploy.yml, after the name: field and before concurrency:.

---

To fix the problem, add a permissions block at the top level of the workflow file, specifying the minimal permissions required for all jobs. If some jobs require additional permissions, you can override the permissions block at the job level. For this workflow:

• Most jobs likely only need contents: read (to check out code).
• The comment_pr job needs pull-requests: write to comment on PRs.
• If any other jobs require more permissions, they can be specified as needed.

The best fix is to add the following at the top of the workflow (after name: and before concurrency:):

permissions:
  contents: read

Then, for the comment_pr job, add a permissions block to allow writing to pull requests:

permissions:
  contents: read
  pull-requests: write

No new imports or definitions are needed; only YAML changes.

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud