mirror of
https://github.com/ipfs/ipfs-blog.git
synced 2026-05-07 13:54:36 +02:00
Daniel Norman
46 lines
1.3 KiB
YAML
46 lines
1.3 KiB
YAML
# Deploy workflow - triggered by workflow_run after successful build
|
|
# This workflow has access to secrets but never executes untrusted code
|
|
# It only downloads and deploys pre-built artifacts from the build workflow
|
|
# Security: Fork code cannot access secrets as it only runs in build workflow
|
|
# Deploys to IPFS for all branches
|
|
|
|
name: Deploy
|
|
|
|
# Explicitly declare permissions
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
statuses: write
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows: ["Build"]
|
|
types: [completed]
|
|
|
|
env:
|
|
BUILD_PATH: 'blog-build'
|
|
|
|
jobs:
|
|
deploy-ipfs:
|
|
if: github.event.workflow_run.conclusion == 'success'
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
cid: ${{ steps.deploy.outputs.cid }}
|
|
steps:
|
|
- name: Download build artifact
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: blog-build-${{ github.event.workflow_run.id }}
|
|
path: ${{ env.BUILD_PATH }}
|
|
run-id: ${{ github.event.workflow_run.id }}
|
|
github-token: ${{ github.token }}
|
|
|
|
- name: Deploy to IPFS
|
|
uses: ipshipyard/ipfs-deploy-action@v1
|
|
id: deploy
|
|
with:
|
|
path-to-deploy: ${{ env.BUILD_PATH }}
|
|
storacha-key: ${{ secrets.STORACHA_KEY }}
|
|
storacha-proof: ${{ secrets.STORACHA_PROOF }}
|
|
github-token: ${{ github.token }}
|