fix(repo): vercel deployments [PLT-95449]

[CalinaCristian]

Automatic PR previews from vercel were using the github author and he needs write access to our team. This is not feasible in open source.

[github-actions]

🤖 AI Code Review (Claude)

⚠️ Automated Review: This is an AI-generated review. Use as guidance, not gospel.

Code Review: Vercel Deployments Workflow

Summary

This PR introduces a custom GitHub Actions workflow to handle Vercel deployments, replacing Vercel's automatic PR previews. The workflow creates an initial comment showing deployment status for 4 projects (apollo-canvas, apollo-ui-react, apollo-vertex, apollo-wind), deploys them in parallel, and updates the comment with results. Also includes configuration updates for Vercel projects and proper .gitignore entries.

Code Quality

✅ Good Practices

• Well-structured workflow with proper job dependencies
• Concurrency group prevents duplicate deployments
• Matrix strategy for parallel deployments
• Proper error handling with continue-on-error
• Comprehensive deployment output and error logging
• Good use of GitHub Actions caching for dependencies

⚠️ Minor Issues

1. Hardcoded project names: Projects are hardcoded in two places (pre-deploy and matrix). Consider extracting to a reusable source:

env:
  PROJECTS: '["apollo-canvas", "apollo-ui-react", "apollo-vertex", "apollo-wind"]'

2. URL extraction fragility: The grep pattern for URL extraction could be more robust:

DEPLOY_URL=$(echo "$DEPLOY_OUTPUT" | grep -oP 'https://[^\s]+\.vercel\.app[^\s]*' | head -n 1)

Falls back gracefully, but could fail if Vercel changes output format.

3. Error message handling: Multiple truncation points (500 chars in bash, 100 chars in JS) - could be unified.

Security

✅ Appropriate Secrets Handling

• Uses VERCEL_TOKEN, VERCEL_ORG_ID, and project-specific IDs from secrets
• Token passed via --token flag (good practice)
• Proper permissions scopes defined (pull-requests: write, contents: read)

✅ No Security Issues

• No hardcoded credentials
• No XSS vulnerabilities in the comment generation
• Proper use of environment variables
• GitHub script actions use official v7 versions

✅ Safe Context Usage

• Uses context.repo.owner, context.repo.repo safely
• No unsanitized user input injected into commands
• Error messages are truncated before output

Type Safety

N/A - This is a YAML workflow file with embedded JavaScript (untyped by design in GitHub Actions)

Testing

N/A - GitHub Actions workflows are typically tested through actual runs. The workflow includes good observability with:

• Step summaries
• Comment updates
• Logs links in PR comments

Performance

✅ Good Performance Optimizations

• Parallel deployments: Matrix strategy deploys all 4 projects simultaneously
• Caching: pnpm store and Vercel CLI are cached
• Concurrency control: Prevents redundant deployments with cancel-in-progress

⚠️ Minor Consideration

• The pre-deploy job runs on every PR, but deploy jobs are gated properly
• Four separate Vercel deployments may have costs, but this is expected for multi-project previews

Additional Observations

Vercel Configuration Files

1. Consistent patterns: All vercel.json files follow similar structure
2. Smart skip logic: ignoreCommand uses git diff to skip unnecessary rebuilds
3. Monorepo awareness: Commands properly navigate to repo root with cd ../..

.gitignore Updates

✅ Proper exclusion of Vercel-specific files (.vercel/, .env*.local)

Recommendation

APPROVE ✅

This is a well-implemented solution to the stated problem. The workflow:

• Properly handles authentication without requiring write access from PR authors
• Provides clear deployment status in PR comments
• Has appropriate error handling and fallbacks
• Uses security best practices for secrets and permissions
• Includes performance optimizations (caching, parallelization)

The minor issues noted (hardcoded project lists, URL extraction fragility) are not blocking and can be addressed in future iterations if they cause problems. The workflow is production-ready and achieves the goal of enabling open-source contributions without compromising security.

---

This automated review is temporary for solo development. Will be replaced with human reviews once the team grows.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (PT)
apollo-canvas	🟢 Ready	Preview, Logs	Jan 23, 2026, 09:26:54 PM
apollo-ui-react	🟢 Ready	Preview, Logs	Jan 23, 2026, 09:25:11 PM
apollo-vertex	🟢 Ready	Preview, Logs	Jan 23, 2026, 09:25:55 PM
apollo-wind	🟢 Ready	Preview, Logs	Jan 23, 2026, 09:24:52 PM

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

⚠️ AI Review: Please review the concerns raised above before merging.

[github-actions]

✅ AI Review: Changes look good. Auto-approved by Claude AI.