ci: gate Deploy changesets job to push events only (2026-07-rc)

[andy-chhuon]

Summary

Backport of #4471 to 2026-07-rc.

The changesets job in .github/workflows/deploy.yml is missing an event-type guard. The workflow runs on both push (release branches) and issue_comment.created (for /snapit). The snapit job correctly guards itself with event_name == 'issue_comment', but changesets has no if: and would fire on every issue_comment.created event from any GitHub user if the trigger were ever active on the default branch.

Today this is non-exploitable on this branch because issue_comment events route through the default branch (unstable), whose deploy.yml does not carry the trigger. The fix here is structural defense-in-depth so the misconfig does not propagate forward when the workflow is updated.

Fix

Symmetric one-line guard mirroring the snapit job's pattern:

  changesets:
    name: Deploy
    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-latest

After this change, issue_comment.created events fire only the snapit job; push events to release branches fire only the changesets job. Reported via bug bounty (parent PR: #4471).

[github-actions]

🚨🚨🚨 Docs migration in progress 🚨🚨🚨

We are actively migrating UI extension reference docs to MDX in the areas/platforms/shopify-dev zone of the monorepo. This impacts docs for the following surfaces:

• Admin UI extensions
• App Home
• Checkout UI extensions
• Customer account UI extensions
• POS UI extensions

During this migration, please be aware of the following:

.doc.ts files are being deprecated. Changes to .doc.ts files in this repo will not be reflected in the new MDX-based docs. If you need to update docs for a reference that has already been migrated, make your changes directly in the areas/platforms/shopify-dev zone of the monorepo instead.

Doc comments in .ts source files (the comment blocks above types and functions) are also affected. Generating docs from these comments currently requires a newer version of the @shopify/generate-docs library that isn't yet available. Updates to doc comments may not produce the expected output until the migration is complete.

Examples that previously lived in this repo are being moved to the areas/platforms/shopify-dev zone of the monorepo and should be authored there going forward.

What should I do?

• If your PR includes changes to .doc.ts files, doc comments, or examples, please reach out to us in #devtools-proj-templated-refs so we can help ensure your updates are captured correctly.
• If your PR is limited to source code changes (non-docs), you can ignore this notice.

Thanks for your patience while we complete the migration! 🙏