
Commit 9f510a2

adrianschmidt-botadrianschmidt
authored andcommitted
ci: get PR metadata from API instead of artifact
Replace artifact-based PR metadata with API lookup using the commit SHA from the workflow_run event. This is more secure because: - The commit SHA comes from GitHub's event system, not fork-controlled code - The API returns PRs that actually contain that commit - Cannot be manipulated by malicious fork code Changes: - publish-pr-docs.yml: Use gh api to look up PR by commit SHA - build-docs.yml: Remove metadata artifact upload (no longer needed) - pr-checks.yml: Remove prNumber input (no longer needed) fix: #3812
1 parent 8b83ae0 commit 9f510a2

3 files changed

+28
-39
lines changed


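--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -12,18 +12,14 @@ on:
 default: false
 type: boolean
 buildOnly:
-description: 'Pass `true` to only build the docs, but not publish them. (Used by PR checks for dependabot and external contributors.)'
+description: 'Pass `true` to only build the docs, but not publish them. (Used by PR checks where publishing is handled by the publish-pr-docs workflow.)'
 required: false
 default: false
 type: boolean
 ref:
 description: 'Git ref (branch, tag, or SHA) to checkout. If not specified, uses the default ref for the triggering event.'
 required: false
 type: string
-prNumber:
-description: 'PR number for metadata (required when buildOnly is true).'
-required: false
-type: string
 workflow_dispatch:
 inputs:
 version:
@@ -66,15 +62,6 @@ jobs:
 env:
 DOCS_VERSION: ${{ inputs.version }}
 run: npm run docs:publish -- --v="$DOCS_VERSION" --artifactMode
-- name: Write metadata
-if: inputs.buildOnly
-run: |
-if [ -z "${{ inputs.prNumber }}" ]; then
-echo "prNumber input is required when buildOnly=true" >&2
-exit 1
-fi
-echo "${{ inputs.version }}" > pr-metadata.txt
-echo "${{ inputs.prNumber }}" >> pr-metadata.txt
 - name: Upload docs artifact
 if: inputs.buildOnly
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -86,10 +73,3 @@ jobs:
 docs-index.html
 docs-index.css
 retention-days: 1
-- name: Upload metadata artifact
-if: inputs.buildOnly
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-with:
-name: pr-docs-metadata
-path: pr-metadata.txt
-retention-days: 1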
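--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -73,8 +73,7 @@ jobs:
 uses: ./.github/workflows/build-docs.yml
 with:
 version: "PR-${{ github.event.pull_request.number }}"
-prNumber: "${{ github.event.pull_request.number }}"
-# Always build only - publishing is handled by publish-pr-docs workflow
+# Build only - publishing is handled by publish-pr-docs workflow
 buildOnly: true
 secrets: inherit
 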
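--- a/.github/workflows/publish-pr-docs.yml
+++ b/.github/workflows/publish-pr-docs.yml
@@ -27,42 +27,52 @@ jobs:
 continue-on-error: true
 id: download
 
-- name: Download metadata
-if: steps.download.outcome == 'success'
-uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-with:
-name: pr-docs-metadata
-run-id: ${{ github.event.workflow_run.id }}
-github-token: ${{ secrets.GITHUB_TOKEN }}
-
-- name: Get metadata
+- name: Get PR metadata from API
 if: steps.download.outcome == 'success'
 id: metadata
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+REPO: ${{ github.repository }}
 run: |
-echo "version=$(sed -n '1p' pr-metadata.txt)" >> $GITHUB_OUTPUT
-echo "pr_number=$(sed -n '2p' pr-metadata.txt)" >> $GITHUB_OUTPUT
+# Get PR info using the commit SHA from the workflow run.
+# This is more secure than reading from an artifact because:
+# - The commit SHA comes from GitHub's event system, not fork-controlled code
+# - The API returns PRs that actually contain that commit
+# - Cannot be manipulated by malicious fork code
+PR_DATA=$(gh api "/repos/${REPO}/commits/${HEAD_SHA}/pulls" --jq '.[0]')
+
+if [ -z "$PR_DATA" ] || [ "$PR_DATA" = "null" ]; then
+echo "No PR found for commit ${HEAD_SHA}"
+exit 1
+fi
+
+PR_NUMBER=$(echo "$PR_DATA" | jq -r '.number')
+echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+echo "version=PR-$PR_NUMBER" >> $GITHUB_OUTPUT
 
 - uses: ./.github/actions/set-up-node
-if: steps.download.outcome == 'success'
+if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
 
 - run: npm ci
-if: steps.download.outcome == 'success'
+if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
 
 - name: Configure git
-if: steps.download.outcome == 'success'
+if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
 run: |
 git config --global user.email "93315277+lime-opensource@users.noreply.github.com"
 git config --global user.name "Lime Technologies OSS"
 
 - name: Publish docs from artifact
-if: steps.download.outcome == 'success'
+if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
+id: publish
 env:
 DOCS_VERSION: ${{ steps.metadata.outputs.version }}
 GH_TOKEN: ${{ secrets.PUBLISH_DOCS }}
 run: npm run docs:publish -- --v="$DOCS_VERSION" --fromArtifact=artifact-docs
 
 - name: Post PR comment
-if: steps.download.outcome == 'success'
+if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success' && steps.publish.outcome == 'success'
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}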