Problem

No way to preview webapp (app.nango.dev) changes on open PRs without manually deploying to app-development.nango.dev, overwriting the shared dev environment.

Solution

Adds .github/workflows/preview-webapp.yml — on every PR open/push/reopen:

1. Posts a 🔄 Deploying comment immediately (updates in-place on re-runs, no duplicates)
2. Builds the webapp (npm run ts-build && npm run -w @nangohq/webapp build) with the development API_DOMAIN
3. Assumes the preview deploy role via OIDC (PREVIEW_APP_UI_ROLE) — uses the pull_request OIDC sub claim enabled by NangoHQ/nango-infra#124
4. Syncs packages/webapp/dist/ to s3://$PREVIEW_APP_UI_BUCKET/previews/pr-<number>/
5. Invalidates the CloudFront distribution and updates the comment to ✅ Ready or ❌ Failed

Preview URLs: https://pr-<number>.app-development.nango.dev

Depends on NangoHQ/nango-infra#124 being applied and the following GitHub Actions variables set in the development environment:

• PREVIEW_APP_UI_BUCKET
• PREVIEW_APP_UI_DISTRIBUTION_ID
• PREVIEW_APP_UI_ROLE

Closes NAN-5648

Testing

• Open a test PR and verify a single 🔄 Deploying comment appears immediately
• Push another commit and verify the same comment is updated (no new comment)
• Confirm https://pr-<number>.app-development.nango.dev loads the webapp once infra is applied

Fork PR security validation

Validated via #6231.

For pull_request jobs from forks, GitHub enforces two hard limits that cannot be overridden from within the workflow:

• No OIDC token — the AWS credentials step cannot assume any role
• Read-only GITHUB_TOKEN — even if the workflow requests pull-requests: write, GitHub caps fork PR jobs at read-only

Worth noting: for pull_request events, GitHub runs the workflow file from the fork's head — so a fork contributor could modify the workflow (e.g. remove the if guard). The if guard is therefore an efficiency measure to skip wasted CI builds, not a security boundary. The two limits above are enforced by GitHub regardless of workflow content.