From 0f01cd4bc9f7893a45a48ac3ff40ac5cf3fb4f59 Mon Sep 17 00:00:00 2001 From: Josh Vlk Date: Tue, 7 Apr 2026 14:30:28 -0400 Subject: [PATCH 1/5] ci: allow dependabot PRs to deploy via pull_request_target GitHub restricts secrets for pull_request events triggered by dependabot[bot]. Switch dependabot PRs to pull_request_target, which runs in the base branch context and has access to secrets. - Add pull_request_target trigger - Route dependabot PRs through pull_request_target only - Route all other PRs through pull_request only (no double runs) - Checkout PR head SHA for pull_request_target events --- .github/workflows/deploy.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index ce4f66a11..9a204e902 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -10,18 +10,28 @@ on: required: true default: "preview" pull_request: + pull_request_target: jobs: deploy: runs-on: ubuntu-latest name: Deploy - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} + if: >- + github.event_name == 'push' || + github.event_name == 'workflow_dispatch' || + (github.event_name == 'pull_request' && + github.event.pull_request.head.repo.fork == false && + github.actor != 'dependabot[bot]') || + (github.event_name == 'pull_request_target' && + github.actor == 'dependabot[bot]') permissions: contents: read deployments: write pull-requests: write steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - name: Setup yarn uses: actions/setup-node@v3 with: 
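Review bot: The new `pull_request_target` branch of the job condition gates only on `github.actor == 'dependabot[bot]'` and drops the `github.event.pull_request.head.repo.fork == false` guard that the `pull_request` branch keeps, while the checkout `with: ref:` added below it now checks out `github.event.pull_request.head.sha`, so the setup-node step and whatever build steps follow (outside this hunk) run code from the PR head in the base-branch context, with repository secrets and a token holding `deployments: write` and `pull-requests: write`. This is the combination GitHub warns against for `pull_request_target`, because a PR-controlled install or build script can read those secrets; dependabot branches live in the base repository, so the practical exposure is narrow, but the fork check should still be applied to that branch: `(github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.fork == false)`. A comment above the new `with:` block, such as `# pull_request_target runs on the base ref; check out the PR head so the build reflects the PR`, would make the intent visible to the next maintainer. The split checkout in PATCH 2/5 has the same exposure; the rest of the deploy job is outside this hunk.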
@@ -40,9 +50,9 @@ jobs: echo "VITE_DEPLOYMENT_URL=" >> "$GITHUB_ENV" else SAFE_BRANCH="${RAW_BRANCH//\//-}" - + SAFE_BRANCH=$(echo "$SAFE_BRANCH" | tr '[:upper:]' '[:lower:]') - + echo "SAFE_BRANCH=$SAFE_BRANCH" >> "$GITHUB_ENV" echo "VITE_DEPLOYMENT_URL=https://${SAFE_BRANCH}.rescript-lang.pages.dev" >> "$GITHUB_ENV" fi From db30fd25e66f6d1f8836e5fc507c1c1f1ca93a04 Mon Sep 17 00:00:00 2001 From: Josh Vlk Date: Tue, 7 Apr 2026 15:10:57 -0400 Subject: [PATCH 2/5] Update .github/workflows/deploy.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/deploy.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c02b28006..8b12816b9 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -30,8 +30,11 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v6.0.2 + if: github.event_name == 'pull_request_target' with: - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v6.0.2 + if: github.event_name != 'pull_request_target' - name: Setup Node.js environment uses: actions/setup-node@v6.3.0 with: From 17970bf25802981aecf348348ebed31c47c666bd Mon Sep 17 00:00:00 2001 From: Josh Vlk Date: Tue, 7 Apr 2026 15:21:52 -0400 Subject: [PATCH 3/5] bypass cloudflare --- .github/workflows/deploy.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c02b28006..fdbab8281 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -10,7 +10,6 @@ on: required: true default: "preview" pull_request: - pull_request_target: jobs: deploy: 
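Review bot: The added checkout step `- uses: actions/checkout@v6.0.2` (and the sibling step it mirrors) references the action by a mutable tag; for a workflow that runs under `pull_request_target` with repository secrets, pinning to the full commit SHA (`actions/checkout@<commit-sha>  # v6.0.2`, placeholder) removes the dependency on the tag not being moved. Splitting the checkout into two steps that differ only in `if:` and `ref:` also duplicates the action reference, so the two pins have to be kept in sync; a comment on the first step, `# pull_request_target runs on the base ref; check out the PR head explicitly`, would explain why the split exists. PATCH 3/5 starts from index `c02b28006`, the same base as this patch rather than its result `8b12816b9`, and removes the single-step `ref:` form that this patch had already replaced, so this change does not appear to be carried forward in the series.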
@@ -20,18 +19,13 @@ jobs: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && - github.event.pull_request.head.repo.fork == false && - github.actor != 'dependabot[bot]') || - (github.event_name == 'pull_request_target' && - github.actor == 'dependabot[bot]') + github.event.pull_request.head.repo.fork == false) permissions: contents: read deployments: write pull-requests: write steps: - uses: actions/checkout@v6.0.2 - with: - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - name: Setup Node.js environment uses: actions/setup-node@v6.3.0 with: @@ -63,6 +57,7 @@ jobs: env: VITE_DEPLOYMENT_URL: ${{ env.VITE_DEPLOYMENT_URL }} - name: Deploy + if: github.actor != 'dependabot[bot]' id: deploy uses: cloudflare/wrangler-action@v3 with: @@ -74,6 +69,7 @@ jobs: env: FORCE_COLOR: 0 - name: Comment PR with deployment link + if: github.actor != 'dependabot[bot]' uses: marocchino/sticky-pull-request-comment@v2 with: recreate: true From 15d6b2bc959554335513e372093d620fa7f56aec Mon Sep 17 00:00:00 2001 From: Josh Vlk Date: Tue, 7 Apr 2026 15:29:16 -0400 Subject: [PATCH 4/5] Simplify deploy job condition in workflow file --- .github/workflows/deploy.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index fdbab8281..0eb3dd9cf 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -15,11 +15,7 @@ jobs: deploy: runs-on: ubuntu-latest name: Deploy - if: >- - github.event_name == 'push' || - github.event_name == 'workflow_dispatch' || - (github.event_name == 'pull_request' && - github.event.pull_request.head.repo.fork == false) + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} permissions: contents: read deployments: write From 54093f889a212eb406f0aadd03ad37a2b6bb32fa Mon Sep 17 00:00:00 2001 
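Review bot: The new `if: github.actor != 'dependabot[bot]'` on the Deploy step (and the identical guard on the Comment step in the next hunk) carries no comment saying why dependabot runs skip deployment, and the reason — dependabot-triggered `pull_request` runs cannot read repository secrets, as the description of PATCH 1/5 states — is not obvious from the step itself; add `# dependabot-triggered pull_request runs have no access to repository secrets, so skip the Cloudflare deploy and the PR comment` above the first guard. The guard keys on `github.actor`, the account that triggered the run, rather than the PR author, so a person pushing to a dependabot branch would presumably produce a run that does deploy; that is probably acceptable because the job-level fork check still applies, but it is worth stating in the same comment. As far as the hunk shows, the build steps before Deploy still run for dependabot PRs, which matches the "bypass cloudflare" intent.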
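Review bot: The simplified job condition `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}` allows every event other than `pull_request` instead of listing the intended ones, so if a trigger such as `pull_request_target` is ever re-added to `on:` (outside this hunk) the job would run for it with no fork check. The removed multi-line form was deny-by-default; if the shorter form is preferred, a comment above it — `# runs for push/workflow_dispatch, and for pull_request only from non-fork branches; any new trigger must be considered here deliberately` — records that assumption for whoever edits the trigger list next.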
From: Josh Vlk Date: Tue, 7 Apr 2026 18:42:38 -0400 Subject: [PATCH 5/5] Fix conditional syntax in deploy workflow steps --- .github/workflows/deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0eb3dd9cf..c995aa6af 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -53,7 +53,7 @@ jobs: env: VITE_DEPLOYMENT_URL: ${{ env.VITE_DEPLOYMENT_URL }} - name: Deploy - if: github.actor != 'dependabot[bot]' + if: ${{ github.actor != 'dependabot[bot]' }} id: deploy uses: cloudflare/wrangler-action@v3 with: @@ -65,7 +65,7 @@ jobs: env: FORCE_COLOR: 0 - name: Comment PR with deployment link - if: github.actor != 'dependabot[bot]' + if: ${{ github.actor != 'dependabot[bot]' }} uses: marocchino/sticky-pull-request-comment@v2 with: recreate: true
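Review bot: Wrapping the step conditions in `${{ }}` (`if: ${{ github.actor != 'dependabot[bot]' }}`, here and in the second hunk) should be behaviourally equivalent to the bare form it replaces, since GitHub's documented behaviour is to evaluate a step-level `if:` as an expression with or without the delimiters, so the subject "Fix conditional syntax" reads as stronger than the change; if an actual failure motivated it, recording the error message in the commit description would help later readers. Stylistically either form is fine, and this does make the steps consistent with the job-level condition from PATCH 4/5, which already uses `${{ }}`.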