ci: get PR metadata from API instead of artifact

Replace artifact-based PR metadata with API lookup using the commit
SHA from the workflow_run event. This is more secure because:
- The commit SHA comes from GitHub's event system, not fork-controlled code
- The API returns PRs that actually contain that commit
- Cannot be manipulated by malicious fork code

Changes:
- publish-pr-docs.yml: Use gh api to look up PR by commit SHA
- build-docs.yml: Remove metadata artifact upload (no longer needed)
- pr-checks.yml: Remove prNumber input (no longer needed)

fix: #3812

Author: adrianschmidt-bot

.github/workflows/build-docs.yml

@@ -12,18 +12,14 @@ on:
         default: false
         type: boolean
       buildOnly:
-        description: 'Pass `true` to only build the docs, but not publish them. (Used by PR checks for dependabot and external contributors.)'
+        description: 'Pass `true` to only build the docs, but not publish them. (Used by PR checks where publishing is handled by the publish-pr-docs workflow.)'
         required: false
         default: false
         type: boolean
       ref:
         description: 'Git ref (branch, tag, or SHA) to checkout. If not specified, uses the default ref for the triggering event.'
         required: false
         type: string
-      prNumber:
-        description: 'PR number for metadata (required when buildOnly is true).'
-        required: false
-        type: string
   workflow_dispatch:
     inputs:
       version:
@@ -66,15 +62,6 @@ jobs:
       env:
         DOCS_VERSION: ${{ inputs.version }}
       run: npm run docs:publish -- --v="$DOCS_VERSION" --artifactMode
-    - name: Write metadata
-      if: inputs.buildOnly
-      run: |
-        if [ -z "${{ inputs.prNumber }}" ]; then
-          echo "prNumber input is required when buildOnly=true" >&2
-          exit 1
-        fi
-        echo "${{ inputs.version }}" > pr-metadata.txt
-        echo "${{ inputs.prNumber }}" >> pr-metadata.txt
     - name: Upload docs artifact
       if: inputs.buildOnly
       uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -86,10 +73,3 @@ jobs:
           docs-index.html
           docs-index.css
         retention-days: 1
-    - name: Upload metadata artifact
-      if: inputs.buildOnly
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: pr-docs-metadata
-        path: pr-metadata.txt
-        retention-days: 1

.github/workflows/pr-checks.yml

@@ -73,8 +73,7 @@ jobs:
     uses: ./.github/workflows/build-docs.yml
     with:
       version: "PR-${{ github.event.pull_request.number }}"
-      prNumber: "${{ github.event.pull_request.number }}"
-      # Always build only - publishing is handled by publish-pr-docs workflow
+      # Build only - publishing is handled by publish-pr-docs workflow
       buildOnly: true
     secrets: inherit
 

.github/workflows/publish-pr-docs.yml

@@ -27,42 +27,52 @@ jobs:
       continue-on-error: true
       id: download
 
-    - name: Download metadata
-      if: steps.download.outcome == 'success'
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-      with:
-        name: pr-docs-metadata
-        run-id: ${{ github.event.workflow_run.id }}
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Get metadata
+    - name: Get PR metadata from API
       if: steps.download.outcome == 'success'
       id: metadata
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        REPO: ${{ github.repository }}
       run: |
-        echo "version=$(sed -n '1p' pr-metadata.txt)" >> $GITHUB_OUTPUT
-        echo "pr_number=$(sed -n '2p' pr-metadata.txt)" >> $GITHUB_OUTPUT
+        # Get PR info using the commit SHA from the workflow run.
+        # This is more secure than reading from an artifact because:
+        # - The commit SHA comes from GitHub's event system, not fork-controlled code
+        # - The API returns PRs that actually contain that commit
+        # - Cannot be manipulated by malicious fork code
+        PR_DATA=$(gh api "/repos/${REPO}/commits/${HEAD_SHA}/pulls" --jq '.[0]')
+
+        if [ -z "$PR_DATA" ] || [ "$PR_DATA" = "null" ]; then
+          echo "No PR found for commit ${HEAD_SHA}"
+          exit 1
+        fi
+
+        PR_NUMBER=$(echo "$PR_DATA" | jq -r '.number')
+        echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+        echo "version=PR-$PR_NUMBER" >> $GITHUB_OUTPUT
 
     - uses: ./.github/actions/set-up-node
-      if: steps.download.outcome == 'success'
+      if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
 
     - run: npm ci
-      if: steps.download.outcome == 'success'
+      if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
 
     - name: Configure git
-      if: steps.download.outcome == 'success'
+      if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
       run: |
         git config --global user.email "93315277+lime-opensource@users.noreply.github.com"
         git config --global user.name "Lime Technologies OSS"
 
     - name: Publish docs from artifact
-      if: steps.download.outcome == 'success'
+      if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success'
+      id: publish
       env:
         DOCS_VERSION: ${{ steps.metadata.outputs.version }}
         GH_TOKEN: ${{ secrets.PUBLISH_DOCS }}
       run: npm run docs:publish -- --v="$DOCS_VERSION" --fromArtifact=artifact-docs
 
     - name: Post PR comment
-      if: steps.download.outcome == 'success'
+      if: steps.download.outcome == 'success' && steps.metadata.outcome == 'success' && steps.publish.outcome == 'success'
       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       env:
         PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}