
ci: secure PR preview workflow for fork PRs#16

Merged
TaiSakuma merged 1 commit into main from dev
Mar 21, 2026

Conversation

@TaiSakuma
Owner

Summary

  • Switch PR preview workflow from pull_request to pull_request_target so fork PRs get write permissions for deploying previews
  • Split into two jobs: a build job (read-only permissions, runs untrusted PR code) and a deploy job (write permissions, runs only trusted code from main)
  • Reference composite actions from @main instead of ./ to prevent PR code from replacing build/deploy scripts
  • Move override_site_url.py into the build-docs action directory and reference via github.action_path for the same reason

Test plan

  • Open a PR from a fork and verify the preview builds and deploys correctly
  • Verify same-repo PRs still work
  • Verify docs.yml and docs-release.yml workflows are unaffected (they use local ./ action refs, which are compatible with the github.action_path change)

🤖 Generated with Claude Code

Use pull_request_target with a two-job split so untrusted PR code never
has access to write permissions. The build job checks out the PR with
read-only permissions, and the deploy job only runs trusted code from
main. Composite actions are referenced from @main to prevent PR code
from replacing build/deploy scripts. The override_site_url.py script
is moved into the build-docs action directory and referenced via
github.action_path for the same reason.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
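The two-job split described in the PR, written out as an added example workflow (not the repository's own docs workflow). It assumes a composite action named build-docs under .github/actions, a hypothetical deploy-preview action, a build output directory of site/, and uses OWNER/REPO as a placeholder for the repository slug.

```yaml
name: PR preview

on:
  pull_request_target:   # runs in the base repo context, so the token can be granted write scope
    types: [opened, synchronize, reopened]

permissions:
  contents: read         # default for every job; only deploy raises this

jobs:
  build:
    runs-on: ubuntu-latest
    # Untrusted job: checks out the fork's commit, but the token is read-only
    # and no secrets are passed in, so PR code gains nothing by running here.
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR head pinned by SHA
          persist-credentials: false                        # keep the token out of .git
      # The action is fetched from main rather than from the PR checkout (./),
      # so the PR cannot replace the build script.
      - uses: OWNER/REPO/.github/actions/build-docs@main   # OWNER/REPO is a placeholder
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: site/                                       # assumed build output directory

  deploy:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write        # write scope exists only in this job
      pull-requests: write   # assumed: used to post the preview URL as a comment
    # Trusted job: checks out main (the default ref under pull_request_target),
    # so every script it executes comes from the base branch.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: site/
      # deploy-preview is a hypothetical composite action; the PR names the
      # deploy script only generically.
      - uses: OWNER/REPO/.github/actions/deploy-preview@main
        with:
          pr-number: ${{ github.event.pull_request.number }}
```

The downloaded artifact is still content produced by untrusted PR code, so the deploy job must treat it as static files to publish and never execute anything from it.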
@TaiSakuma TaiSakuma changed the title security: secure PR preview workflow for fork PRs ci: secure PR preview workflow for fork PRs Mar 21, 2026
@github-actions github-actions bot added the ci CI configuration label Mar 21, 2026
@TaiSakuma TaiSakuma merged commit 4d019db into main Mar 21, 2026
3 of 4 checks passed
@TaiSakuma TaiSakuma deleted the dev branch March 21, 2026 21:59