ooooo-create (Collaborator)

No description provided.

paddle-bot bot commented Oct 6, 2025

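Thank you for contributing to the PaddlePaddle documentation. The documentation preview is being built; once Docs-New finishes you can preview it at: http://preview-pr-7524.paddle-docs-preview.paddlepaddle.org.cn/documentation/docs/zh/api/index_cn.html
For more information about the preview tool, see: PaddlePaddle Documentation Preview Tool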

@ooooo-create ooooo-create requested a review from Copilot October 6, 2025 14:50
@ooooo-create ooooo-create marked this pull request as ready for review October 6, 2025 14:50
@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds a GitHub Actions workflow to automatically generate and post preview URLs for documentation changes in pull requests. It creates a CI system that helps reviewers easily preview documentation modifications before they are merged.

  • Adds a shell script to generate preview URLs for changed documentation files
  • Creates a GitHub Actions workflow that triggers on documentation changes in PRs
  • Includes a minor documentation fix for Chinese API documentation formatting

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| docs/api/paddle/abs_cn.rst | Minor formatting fix changing comma to "和" in Chinese parameter type list |
| ci_scripts/report_preview_url.sh | Shell script to generate preview URLs for modified documentation files |
| .github/workflows/preview-url-report.yml | GitHub Actions workflow to automatically post preview URLs in PR comments |

@ooooo-create ooooo-create marked this pull request as draft October 6, 2025 14:53
@ooooo-create ooooo-create force-pushed the ci/report_preview_url branch from db193cd to 7a28dbd Compare October 7, 2025 00:36
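ooooo-create (Collaborator, Author)

@SigureMo 一师傅, I used two workflows. Commenting requires write permission; with a single pipeline it would have to use the pull_request_target trigger, but that feels unsafe to me. I changed it so that a read-only pipeline produces the content to comment and then triggers the pipeline that actually posts the comment. But now the logs of the other workflow, the one triggered via workflow_run, can only be seen by clicking into Actions; they are not shown in the checks under the PR.
I tested it in my forked repository and it seems to work (a workflow triggered by workflow_run apparently only runs once it has been merged): https://github.com/ooooo-create/docs/pull/1 https://github.com/ooooo-create/docs/pull/2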

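@SigureMo SigureMo (Member) left a comment

> With a single pipeline it would have to use the pull_request_target trigger, but that feels unsafe to me

pull_request_target itself is not a problem; like workflow_run, comment, etc., it only takes effect after it has been merged, so there is no real security issue.

However, as I recall, with pull_request_target, even if the person opening the PR has write access, the GITHUB_TOKEN it carries has no write permission; you only get that when the PR is opened from a branch created directly in this repo, and with a forked repo you still do not (see how PyTorch's development model differs greatly from ours: PyTorch has thousands of development branches and does not develop from branches in forked repos).

So we need to confirm:

  • Is pull_request_target necessarily more restricted than pull_request + workflow_run?
  • Can pull_request + workflow_run get around the forked-repo restriction mentioned above?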

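ooooo-create (Collaborator, Author) commented Oct 7, 2025

>   • Is pull_request_target necessarily more restricted than pull_request + workflow_run?
>   • Can pull_request + workflow_run get around the forked-repo restriction mentioned above?

> This event allows your workflow to do things like label or comment on pull requests from forks
> Workflows triggered via pull_request_target have write permission to the target repository

I read https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target, which explains the notion of an event's context: pull_request_target runs in the context of the PR's target, and the GITHUB_TOKEN at that point has write permission, which amounts to trusting the content that has already been merged.
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ covers the same ground. That article also compares pull_request, pull_request_target and workflow_run. workflow_run was introduced together with pull_request_target; the idea is to use pull_request wherever things may be untrusted, and workflow_run also comes with write permission (and likewise has to be merged first). (I did not use it because the article says it is best to make sure it is really safe before using pull_request_target. Another reason is that with pull_request_target, if I modify report_preview_url.sh, there is no way to preview the new changes live, and since it has write permission at that point it is also best not to execute anything the PR introduces. But by going through pull_request first I can execute the content the PR introduces in a safe environment, and then workflow_run writes the comment. Mainly I wanted a way to view and verify an updated report_preview_url in real time; using pull_request_target directly would also work.)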
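
The two-workflow split discussed in this thread, written out as an added example; it is not the code merged in this PR. The workflow file names, the `docs/**` path filter, the artifact name, and the assumption that `ci_scripts/report_preview_url.sh` prints the comment body to stdout are all assumptions.

```yaml
# File 1 (hypothetical name): preview-url-generate.yml. Runs PR code, read-only token.
name: preview-url-generate
on:
  pull_request:
    paths: ["docs/**"]                  # assumed path filter
permissions:
  contents: read
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4       # PR merge commit: untrusted code
      - run: |
          mkdir -p out
          echo "${{ github.event.number }}" > out/pr_number
          bash ci_scripts/report_preview_url.sh > out/comment.md  # assumed: body on stdout
      - uses: actions/upload-artifact@v4
        with:
          name: preview-comment
          path: out/
---
# File 2 (hypothetical name): preview-url-comment.yml. Write token, never checks out PR code.
name: preview-url-comment
on:
  workflow_run:
    workflows: ["preview-url-generate"]
    types: [completed]
permissions:
  actions: read                         # needed to fetch the other run's artifact
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: preview-comment
          path: in/
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: |
          # The artifact came from untrusted code: validate it, use it only as data.
          pr="$(cat in/pr_number)"
          case "$pr" in ''|*[!0-9]*) echo "invalid PR number"; exit 1 ;; esac
          gh pr comment "$pr" --body-file in/comment.md
```

The privileged workflow is always taken from the default branch, so a PR that edits it has no effect until merged; the only thing crossing the trust boundary is the artifact, which is why the PR number is checked to be numeric before use.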

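SigureMo (Member) commented Oct 7, 2025

> Mainly I wanted a way to view and verify an updated report_preview_url in real time

OK, no problem then.

> However, as I recall, with pull_request_target, even if the person opening the PR has write access, the GITHUB_TOKEN it carries has no write permission; you only get that when the PR is opened from a branch created directly in this repo, and with a forked repo you still do not

I misremembered that. It should be a restriction of the pull_request event; pull_request_target exists precisely to solve that problem.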

ooooo-create (Collaborator, Author)

If I split out the documentation changes, could this be merged then? (doge

@ooooo-create ooooo-create marked this pull request as ready for review October 7, 2025 06:39
@SigureMo SigureMo merged commit 0eac505 into PaddlePaddle:develop Oct 7, 2025
2 checks passed