GitHub workflow cleanup and alignment with Docusaurus 3.8 (#5420)

kimsauce · github-advanced-security[bot] · web-flow · commit f602a27fcd8a · 2025-05-30T18:05:52.000Z
* GitHub workflow cleanup and alignment with Docusaurus 3.8

* Potential fix for code scanning alert no. 7: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;

* cleanup

* Update .github/workflows/pr.yml

* add pull-requests: read

---------

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml
@@ -1,5 +1,8 @@
 name: Build and Deploy
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -13,7 +16,7 @@ on:
         default: "/"
         type: string
       environment:
-        description: GHA environment name
+        description: GitHub Actions environment name (used for scoping secrets and deployment)
         required: true
         type: string
     secrets:
@@ -35,6 +38,7 @@ jobs:
     env:
       CI: true
       NODE_ENV: production
+      NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
       AWS_PAGER: ""
       HOSTNAME: ${{ inputs.hostname }}
       BASE_URL: ${{ inputs.base_url }}
@@ -53,16 +57,14 @@ jobs:
         uses: actions/cache@v3
         with:
           path: node_modules/.cache
-          key: ${{ runner.os }}-webpack-cache
+          key: ${{ runner.os }}-webpack-cache-${{ hashFiles('yarn.lock') }}
       - name: Install awscli
         uses: unfor19/install-aws-cli-action@v1
       - name: Install jq
         run: sudo apt-get install -y jq
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Build the Docusaurus site
-        env:
-          NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
         run: yarn build
       - name: Deploy the Docusaurus site
         env:
diff --git a/.github/workflows/delete-review.yml b/.github/workflows/delete-review.yml
@@ -1,5 +1,8 @@
 name: delete-review
 
+permissions:
+  contents: read
+
 on: delete
 
 jobs:
@@ -9,6 +12,7 @@ jobs:
       name: review/${{ github.ref_name }}
     env:
       CI: true
+      NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
       AWS_PAGER: ""
       BASE_URL: /${{ github.ref_name }}/
       AWS_DEFAULT_REGION: us-east-1
@@ -23,6 +27,7 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         run: |
+          echo "Removing files at s3://${S3_BUCKET_NAME}${BASE_URL}"
           aws s3 rm --recursive s3://${S3_BUCKET_NAME}${BASE_URL}
           export INVALIDATION_ID=$(
             aws cloudfront create-invalidation \
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -1,40 +1,44 @@
 name: Pull Request Checks
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
-    pull_request:
-      branches:
-        - main
-    merge_group:
-      types:
-        - checks_requested
+  pull_request:
+    branches:
+      - main
+  merge_group:
+    types:
+      - checks_requested
+
+env:
+  CI: true
+  NODE_ENV: production
+  NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
 
 jobs:
-    build-and-deploy:
-      runs-on: ubuntu-latest
-      env:
-          CI: true
-          NODE_ENV: production
-      steps:
-        - uses: actions/checkout@v4
-        - name: Set up Node.js
-          uses: actions/setup-node@v3
-          with:
-            node-version: '20.x'
-            cache: 'yarn'
-        - name: Docusaurus Webpack cache
-          uses: actions/cache@v3
-          with:
-            path: node_modules/.cache
-            key: ${{ runner.os }}-webpack-cache
-        - name: Install dependencies
-          run: yarn install --frozen-lockfile
-        - name: Build the Docusaurus site
-          env:
-            NODE_OPTIONS: "--max-old-space-size=8192 --max-http-header-size=8192"
-          run: yarn build
-    spellcheck:
-      runs-on: ubuntu-latest
-      steps:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20.x'
+          cache: 'yarn'
+      - name: Docusaurus Webpack cache
+        uses: actions/cache@v3
+        with:
+          path: node_modules/.cache
+          key: ${{ runner.os }}-webpack-cache-${{ hashFiles('yarn.lock') }}
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+      - name: Build the Docusaurus site
+        run: yarn build
+  spellcheck:
+    runs-on: ubuntu-latest
+    steps:
       - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@master
         name: Check spelling
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -1,5 +1,8 @@
 name: deploy-to-production
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
