From 027312e470843b311aeae482a328b852cf9005d6 Mon Sep 17 00:00:00 2001
From: Pan YANG <arielyang@gmail.com>
Date: Tue, 6 Jan 2026 13:12:49 +0800
Subject: [PATCH] ci(workflow): improve deploy guard logic with better fallback
 handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Move Dependabot check outside PR condition for broader coverage
- Change missing Cloudflare secrets from hard exit to graceful skip
- Add deployment status (ran/skipped) and skip reason to step summary

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/deploy-preview.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
index 9a5b300..55daaf6 100644
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -38,22 +38,22 @@ jobs:
           SHOULD_DEPLOY="true"
           REASON=""
 
+          if [[ "$ACTOR" == "dependabot[bot]" ]]; then
+            SHOULD_DEPLOY="false"
+            REASON="Dependabot-triggered workflows do not have access to repository secrets in this workflow."
+          fi
+
           if [[ "$EVENT_NAME" == "pull_request" ]]; then
             if [[ -n "$PR_HEAD_REPO" && "$PR_HEAD_REPO" != "$BASE_REPO" ]]; then
               SHOULD_DEPLOY="false"
               REASON="Fork pull requests do not have access to repository secrets in GitHub Actions."
             fi
-
-            if [[ "$ACTOR" == "dependabot[bot]" ]]; then
-              SHOULD_DEPLOY="false"
-              REASON="Dependabot pull requests do not have access to repository secrets in this workflow."
-            fi
           fi
 
           if [[ "$SHOULD_DEPLOY" == "true" ]]; then
             if [[ -z "$CF_API_TOKEN" || -z "$CF_ACCOUNT_ID" ]]; then
-              echo "Missing required Cloudflare secrets. Please configure CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID in repository secrets."
-              exit 1
+              SHOULD_DEPLOY="false"
+              REASON="Missing required Cloudflare secrets (CLOUDFLARE_API_TOKEN/CLOUDFLARE_ACCOUNT_ID)."
             fi
           fi
 
@@ -180,3 +180,7 @@ jobs:
           echo "- **Context:** ${{ steps.preview_meta.outputs.context_label }}" >> $GITHUB_STEP_SUMMARY
           echo "- **URL:** ${{ steps.preview_meta.outputs.preview_url }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Commit:** ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Deploy:** ${{ steps.deploy_guard.outputs.should_deploy == 'true' && 'ran' || 'skipped' }}" >> $GITHUB_STEP_SUMMARY
+          if [[ "${{ steps.deploy_guard.outputs.should_deploy }}" != "true" && -n "${{ steps.deploy_guard.outputs.reason }}" ]]; then
+            echo "- **Skip reason:** ${{ steps.deploy_guard.outputs.reason }}" >> $GITHUB_STEP_SUMMARY
+          fi