Automatically deploy to vercel preview in the 'test pull request' git…

[svogt0511]

…hub workflow.

Purpose

Add deploy code to the pull_request.yml github workflow in order to shorten time-to-preview for a pull request.

closes: #955

Approach

Open Questions and Pre-Merge TODOs

Learning

Types of changes

• Bug fix (non-breaking change which fixes an issue)

• New feature (non-breaking change which adds functionality)

• Breaking change (fix or feature that would cause existing functionality to change)

Reviewer, please remember our guidelines:

• Be humble in the language and feedback you give, ask don't tell.
• Consider using positive language as opposed to neutral when offering feedback. This is to avoid the negative bias that can occur with neutral language appearing negative.
• Offer suggestions on how to improve code e.g. simplification or expanding clarity.
• Ensure you give reasons for the changes you are proposing.

Summary by CodeRabbit

• Chores
  • Automated preview deployments are now generated for pull requests, running after build and test steps to enable faster testing and validation.
  • Deployments respect a no-cache toggle and include build-time server configuration so previews reflect intended runtime behavior.
  • Deployment notifications have been integrated to keep teams informed during the code review process.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added a deploy job to the pull request workflow that runs after build and tests, computes BRANCH, GIT_SHA, and GIT_SHA_SHORT, and deploys to Vercel (vercel-bracco-preview environment) using amondnet/[email protected] with conditional deploy args and build-env for HANDLE_SERVER.

Changes

Cohort / File(s)

Summary

Workflow Deployment \.github/workflows/pull_request.yml

Introduced a new deploy job gated by an if condition (workflow_dispatch or PR head repo equals repo), dependent on call_build, ember_test, and cypress_test. Steps: checkout, extract BRANCH, GIT_SHA, GIT_SHA_SHORT (exposed as outputs), then run amondnet/[email protected] with secrets (VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID, VERCEL_SCOPE), project: 'bracco', environment vercel-bracco-preview, and conditional vercel-args that appends --force when vars.VERCEL_NOCACHE == 'true' plus --build-env HANDLE_SERVER=${{vars.HANDLE_SERVER}}. No changes to call_build, ember_test, or cypress_test logic.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding automatic Vercel preview deployment to the pull request workflow.
Linked Issues check	✅ Passed	The PR successfully implements the primary objective from issue #955: integrating automatic Vercel preview deployment into the pull request test workflow.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the deployment objective; no out-of-scope modifications were introduced.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pb959-auto-preview

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use TruffleHog to scan for secrets in your code with verification capabilities.

Add a TruffleHog config file (e.g. trufflehog-config.yml, trufflehog.yml) to your project to customize detectors and scanning behavior. The tool runs only when a config file is present.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/pull_request.yml (1)

45-45: Pin to a commit SHA instead of a mutable tag.

Replace amondnet/[email protected] with the full commit SHA amondnet/vercel-action@225d234. GitHub recommends pinning to commit SHAs rather than tags, as tags are mutable and can be retargeted, introducing supply-chain risks.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull_request.yml at line 45, Replace the mutable tag usage
of the Vercel action (the line containing "uses:
amondnet/[email protected]") with the pinned commit SHA version by changing
it to "amondnet/vercel-action@225d234" so the workflow references an immutable
commit; update any other occurrences of that tag in the workflow to the same SHA
if present.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull_request.yml:
- Around line 26-27: Add a job-level conditional to the deploy job to skip
execution for forked PRs: modify the deploy job (named "deploy") to include an
if condition like `if: github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository` so the
deploy runs for non-PR events or PRs originating from the same repository but is
skipped for fork-originated pull_request events.
- Around line 30-31: The job-level env entry exposing SLACK_WEBHOOK_URL is
unnecessary since no step uses it; remove the job-scoped env: SLACK_WEBHOOK_URL
declaration or move it to the specific step that sends Slack notifications (the
step that would consume SLACK_WEBHOOK_URL), ensuring only that step has access
to the secret instead of the entire job environment.
- Around line 26-29: The deploy job currently lacks an explicit permissions
block; add a permissions: entry under the deploy job to explicitly scope the
GITHUB_TOKEN to least privilege for this job (only the specific scopes your
Vercel deploy needs), e.g., create a permissions block for the deploy job named
"deploy" that restricts token scopes (for example: contents: read, id-token:
write or whatever minimal set your deployment action requires) and remove the
default broader access.

---

Nitpick comments:
In @.github/workflows/pull_request.yml:
- Line 45: Replace the mutable tag usage of the Vercel action (the line
containing "uses: amondnet/[email protected]") with the pinned commit SHA
version by changing it to "amondnet/vercel-action@225d234" so the workflow
references an immutable commit; update any other occurrences of that tag in the
workflow to the same SHA if present.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4b3d18e2-be4b-4516-81b4-420592942b67

📥 Commits

Reviewing files that changed from the base of the PR and between f98ed93 and 2597bee.

📒 Files selected for processing (1)

• .github/workflows/pull_request.yml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull_request.yml:
- Line 47: Change the mutable action reference "uses:
amondnet/[email protected]" to a pinned commit SHA; locate the line
containing uses: amondnet/[email protected] and replace the tag with the
exact commit SHA (e.g.,
amondnet/vercel-action@225d234cfe5340ca1f9a6cd158338126b5b6845f) so the workflow
uses an immutable, audit-able revision.
- Around line 33-34: The workflow contains an invalid empty env: mapping that
breaks YAML parsing; remove the empty env: declaration (or replace it with a
valid mapping) so the workflow top-level sequence starting at steps: parses
correctly — locate the lone env: entry near the steps: key and delete that empty
env: line or populate it with proper key: value pairs if environment variables
are intended.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b48b7c47-09f3-402a-b926-5704708555ae

📥 Commits

Reviewing files that changed from the base of the PR and between 2597bee and 208fa38.

📒 Files selected for processing (1)

• .github/workflows/pull_request.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify workflow syntax after the fix
# (run if actionlint is available in your environment)
actionlint -oneline .github/workflows/pull_request.yml

Repository: datacite/bracco

Length of output: 215

---

Remove invalid empty env: block that breaks workflow parsing.

Line 33 declares env: without providing any mapping values. This causes a YAML syntax error that prevents the workflow from running.

Fix

-    env:
     steps:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env:
	steps:
	steps:

🧰 Tools

🪛 actionlint (1.7.11)

[error] 33-33: expecting a single ${{...}} expression or mapping value for "env" section, but found plain text node

(syntax-check)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull_request.yml around lines 33 - 34, The workflow
contains an invalid empty env: mapping that breaks YAML parsing; remove the
empty env: declaration (or replace it with a valid mapping) so the workflow
top-level sequence starting at steps: parses correctly — locate the lone env:
entry near the steps: key and delete that empty env: line or populate it with
proper key: value pairs if environment variables are intended.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Resolve the exact commit behind v25.1.1 (read-only)
git ls-remote https://github.com/amondnet/vercel-action refs/tags/v25.1.1 refs/tags/v25.1.1^{}

Repository: datacite/bracco

Length of output: 117

---

🏁 Script executed:

cat -n .github/workflows/pull_request.yml | sed -n '45,50p'

Repository: datacite/bracco

Length of output: 294

---

Pin GitHub Action to commit SHA.

Line 47 uses a mutable tag (@v25.1.1). For supply-chain safety, pin to the exact commit SHA instead.

Replace with:

uses: amondnet/vercel-action@225d234cfe5340ca1f9a6cd158338126b5b6845f

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull_request.yml at line 47, Change the mutable action
reference "uses: amondnet/[email protected]" to a pinned commit SHA; locate
the line containing uses: amondnet/[email protected] and replace the tag
with the exact commit SHA (e.g.,
amondnet/vercel-action@225d234cfe5340ca1f9a6cd158338126b5b6845f) so the workflow
uses an immutable, audit-able revision.

[svogt0511]

@jrhoads - Thanks for the commit. Do you think we should do this in branch-to-staging.yml and deploy.yml. I think they all do the same thing - build, test, deploy to staging. I will look at this on Monday. Thanks again!