berachain · qtipbera · May 22, 2026 · May 22, 2026 · May 25, 2026 · May 25, 2026
diff --git a/.github/workflows/post-validate.yml b/.github/workflows/post-validate.yml
@@ -0,0 +1,108 @@
+# This workflow handles the secret-dependent upload step.
+# It runs AFTER the Validate workflow completes and never checks out fork code.
+# Secrets (Cloudflare creds) only exist in this workflow, isolated from
+# any fork-controlled input.
+#
+# The artifact bridge:
+#   Validate (pull_request_target, no secrets)
+#     └── packages asset files + PR metadata as artifacts
+#   Post-Validate (workflow_run, has secrets)
+#     └── downloads artifacts, uploads to Cloudflare using base branch scripts
+
+name: Post-Validate
+
+on:
+  workflow_run:
+    workflows: ["Validate"]
+    types: [completed]
+
+jobs:
+  upload-assets:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    environment: cloudflare-uploads
+    permissions:
+      contents: read
+      pull-requests: write
+      actions: read
+
+    steps:
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      with:
+        persist-credentials: false
+
+    - name: Setup Node.js
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      with:
+        node-version-file: '.nvmrc'
+        package-manager-cache: false
+
+    - name: Setup pnpm
+      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      with:
+        version: 9.15.9
+
+    - name: Get pnpm store directory
+      shell: bash
+      run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+    - name: Setup pnpm cache
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ env.STORE_PATH }}
+        key: ${{ runner.os }}-pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}
+        restore-keys: |
+          ${{ runner.os }}-pnpm-store-
+
+    - name: Install dependencies
+      run: pnpm install
+
+    # Read PR metadata from artifact saved by Validate workflow.
+    # We use artifacts instead of workflow_run.pull_requests[] because
+    # that array is empty for fork PRs (known GitHub limitation).
+    - name: Download PR info
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      with:
+        name: pr-info
+        run-id: ${{ github.event.workflow_run.id }}
+        github-token: ${{ github.token }}
+
+    - name: Read PR metadata
+      id: pr
+      run: |
+        echo "number=$(cat pr_number.txt)" >> $GITHUB_OUTPUT
+        echo "head_repo=$(cat pr_head_repo.txt)" >> $GITHUB_OUTPUT
+        echo "head_sha=$(cat pr_head_sha.txt)" >> $GITHUB_OUTPUT
+
+    # Try to download the asset artifact. If no assets changed in the PR,
+    # the Validate workflow skipped the package-assets job and this artifact
+    # won't exist — that's expected, so continue-on-error.
+    - name: Download asset files
+      id: download-assets
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      with:
+        name: pr-assets
+        path: ./head/src/assets/
+        run-id: ${{ github.event.workflow_run.id }}
+        github-token: ${{ github.token }}
+      continue-on-error: true
+
+    - name: Upload changed images to Cloudflare Images
+      if: steps.download-assets.outcome == 'success'
+      env:
+        CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+        CLOUDFLARE_IMAGES_API_TOKEN: ${{ secrets.CLOUDFLARE_IMAGES_API_TOKEN }}
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
+        PR_NUMBER: ${{ steps.pr.outputs.number }}
+      run: pnpm upload:assets ./head
+
+    - name: Post summary comment
+      if: always() && steps.download-assets.outcome == 'success'
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        PR: ${{ steps.pr.outputs.number }}
+      run: |
+        if [ -s "$GITHUB_STEP_SUMMARY" ]; then
+          gh pr comment "$PR" --body-file "$GITHUB_STEP_SUMMARY"
+        fi