ci(pr-review-companion): support fork PRs

.github/workflows/_deploy.yml

@@ -15,6 +15,10 @@ on:
         description: "Name of the build artifact to download"
         required: true
         type: string
+      build-workflow-run-id:
+        description: "ID of the workflow run that created the artifact"
+        type: number
+        required: false
     outputs:
       url:
         description: "Deployment URL"
@@ -24,6 +28,8 @@ permissions:
   contents: read
   # Authenticate with GCP.
   id-token: write
+  # Download artifact from workflow run.
+  actions: read
 
 concurrency:
   group: ci-${{ github.workflow }}-${{ inputs.prefix }}
@@ -51,6 +57,8 @@ jobs:
         with:
           name: ${{ inputs.build-artifact-name }}
           path: ${{ env.BUILD_OUT_ROOT }}
+          github-token: ${{ inputs.build-workflow-run-id && github.token || '' }}
+          run-id: ${{ inputs.build-workflow-run-id || '' }}
 
       - name: Authenticate with GCP
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0

.github/workflows/pr-build.yml

@@ -0,0 +1,17 @@
+name: PR Build
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    if: github.repository_owner == 'mdn' && github.event.pull_request.user.login != 'dependabot[bot]'
+    uses: ./.github/workflows/_build.yml
+    secrets: inherit
+    with:
+      partial: true

.github/workflows/pr-review-companion.yml

@@ -1,37 +1,47 @@
 name: PR Review Companion
 
 on:
-  pull_request:
-    branches:
-      - main
+  workflow_run:
+    workflows: ["PR Build"]
+    types:
+      - completed
 
 permissions:
   contents: read
   # Authenticate with GCP (same as _deploy.yml).
   id-token: write
   # Post comment in pull request.
   pull-requests: write
+  # Download artifacts from triggering workflow.
+  actions: read
 
 jobs:
-  build:
-    if: github.repository_owner == 'mdn' && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
-    uses: ./.github/workflows/_build.yml
-    secrets: inherit
-    with:
-      partial: true
+  identify-pr:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    outputs:
+      pr-number: ${{ steps.identify-pr.outputs.number }}
+    steps:
+      - name: Identify PR
+        id: identify-pr
+        run: |
+          PR_NUMBER=$(gh api repos/${{ github.repository }}/commits/${{ github.event.workflow_run.head_sha }}/pulls --jq '.[0].number')
+          echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
 
   deploy:
-    needs: build
-    if: github.repository_owner == 'mdn' && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
+    needs: identify-pr
     uses: ./.github/workflows/_deploy.yml
     secrets: inherit
     with:
       cancel-in-progress: true
-      prefix: fred-pr${{ github.event.pull_request.number }}
-      build-artifact-name: ${{ needs.build.outputs.artifact-name }}
+      prefix: fred-pr${{ needs.identify-pr.outputs.pr-number }}
+      build-artifact-name: build-output
+      build-workflow-run-id: ${{ github.event.workflow_run.id }}
 
   comment:
-    needs: deploy
+    needs: [identify-pr, deploy]
     runs-on: ubuntu-latest
     steps:
       - name: Comment in PR
@@ -51,6 +61,6 @@ jobs:
             gh pr comment "$PR_NUMBER" --repo "${{ github.repository }}" --body "$BODY"
           fi
         env:
-          BODY: "${{ github.sha }} was deployed to: ${{ needs.deploy.outputs.url }}"
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          BODY: "${{ github.event.workflow_run.head_sha }} was deployed to: ${{ needs.deploy.outputs.url }}"
+          PR_NUMBER: ${{ needs.identify-pr.outputs.pr-number }}
           GITHUB_TOKEN: ${{ github.token }}