chore: fix preview workflow vulnerability (#2069)

Author: lessmost

.github/workflows/preview-build.yml

@@ -0,0 +1,26 @@
+name: Surge PR Preview - Build Stage
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  build-preview:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout PR
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: build dist
+        run: |
+          npm install
+          npm run site:build
+
+      - name: upload dist artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: pr-build-dist
+          path: public/

.github/workflows/preview-upload.yml

@@ -0,0 +1,28 @@
+name: Surge PR Preview - Upload Stage
+
+on:
+  workflow_run:
+    workflows: ["Surge PR Preview - Build Stage"]
+    types:
+      - completed
+
+jobs:
+  upload-preview:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: download dist artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          workflow: ${{ github.event.workflow_run.workflow_id }}
+          name: pr-build-dist
+          path: public/
+
+      - name: deploy to Surge
+        uses: afc163/surge-preview@v1
+        with:
+          surge_token: ${{ secrets.SURGE_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          build: echo done
+          dist: public