From 63866853e67733d77d183f14485f62fcf5076f01 Mon Sep 17 00:00:00 2001
From: Philippe Serhal <philippe.serhal@gmail.com>
Date: Sat, 25 Apr 2026 15:57:41 -0400
Subject: [PATCH 1/5] ci: deploy manually to canary env from main

Instead of using "branch tracking" on the canary Vercel env, this triggers a deploy from GitHub Actions on pushes to the `main` branch in this repo.
---
 .github/workflows/deploy-canary.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .github/workflows/deploy-canary.yml

diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
new file mode 100644
index 0000000000..4c3d9485b3
--- /dev/null
+++ b/.github/workflows/deploy-canary.yml
@@ -0,0 +1,16 @@
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy-canary:
+    if: github.repository == 'npmx-dev/npmx.dev'
+    name: 🚀 Deploy to canary (main.npmx.dev)
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - run: npx vercel deploy --target=canary --token="$VERCEL_TOKEN"
+        env:
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}

From aa72bd940b42d5b50b9114a40633164e2385328a Mon Sep 17 00:00:00 2001
From: Philippe Serhal <philippe.serhal@gmail.com>
Date: Sat, 25 Apr 2026 16:03:03 -0400
Subject: [PATCH 2/5] Potential fix for pull request finding 'CodeQL / Workflow
 does not contain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/deploy-canary.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index 4c3d9485b3..5b0976b9c2 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -2,6 +2,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   deploy-canary:
     if: github.repository == 'npmx-dev/npmx.dev'

From 0f68cad0a7fc2f798ca274c4dd0f66b463116ca2 Mon Sep 17 00:00:00 2001
From: Philippe Serhal <philippe.serhal@gmail.com>
Date: Sat, 25 Apr 2026 16:10:20 -0400
Subject: [PATCH 3/5] ci: add missing env vars, configure concurrency

Added concurrency settings for canary deployment.
---
 .github/workflows/deploy-canary.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index 5b0976b9c2..48e18ed574 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -5,6 +5,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: deploy-canary-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   deploy-canary:
     if: github.repository == 'npmx-dev/npmx.dev'
@@ -14,6 +18,8 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - run: npx vercel deploy --target=canary --token="$VERCEL_TOKEN"
+      - run: npx vercel deploy --target=canary
         env:
           VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}

From 31cd899ca550a69e427e0a5e0a621eec0b4f8f03 Mon Sep 17 00:00:00 2001
From: Philippe Serhal <philippe.serhal@gmail.com>
Date: Sat, 25 Apr 2026 16:32:55 -0400
Subject: [PATCH 4/5] ci: remove unnecessary default fetch-depth opt

Removed fetch-depth option from checkout step.
---
 .github/workflows/deploy-canary.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index 48e18ed574..f5ea92f721 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -16,8 +16,6 @@ jobs:
     runs-on: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
       - run: npx vercel deploy --target=canary
         env:
           VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}

From ff60b88b2bf662c62bf4e3433360ed3c90209cca Mon Sep 17 00:00:00 2001
From: Philippe Serhal <philippe.serhal@gmail.com>
Date: Sat, 25 Apr 2026 16:45:58 -0400
Subject: [PATCH 5/5] ci: use vp instead of npmx

---
 .github/workflows/deploy-canary.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-canary.yml b/.github/workflows/deploy-canary.yml
index f5ea92f721..8dd5576933 100644
--- a/.github/workflows/deploy-canary.yml
+++ b/.github/workflows/deploy-canary.yml
@@ -16,7 +16,14 @@ jobs:
     runs-on: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - run: npx vercel deploy --target=canary
+
+      - uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
+        with:
+          node-version: lts/*
+          run-install: false
+
+      - run: vp install -g vercel
+      - run: vercel deploy --target=canary
         env:
           VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
           VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}