fix: handle fork PRs in readme and cli-docs workflows #2707

Merged: koxudaxi merged 1 commit into main from fix/workflow-fork-token-readme-cli on Dec 20, 2025


@koxudaxi (Owner) commented Dec 20, 2025

Summary by CodeRabbit

  • Chores
    • Enhanced automated workflow configuration for more reliable pull request processing. Improved checkout and authentication mechanisms to provide better support for contributions from external forks and same-repository sources. Refined conditional logic for automated build and commit operations to increase overall workflow reliability and security.


coderabbitai bot commented Dec 20, 2025

Walkthrough

GitHub Actions workflows are updated to implement fork-aware conditional checkout logic. Changes distinguish between fork pull requests and same-repository operations, configuring appropriate fetch-depth, ref, and repository parameters. Token-based authentication gating is added for commit and push operations across both workflows.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow Configuration Updates: `.github/workflows/cli-docs.yaml`, `.github/workflows/readme.yaml` | Adds fork-aware conditional checkout steps: fork PRs use dedicated checkout with fetch-depth 0 and head repository reference, while same-repo operations use alternate checkout path. Token-based authentication gating applied to "Commit and push if changed" step, with conditions covering push, pull_request_target, and same-repo PRs. Inline comments clarify fork-specific vs. same-repo branches. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Both files follow identical patterns—repetitive homogeneous changes reduce review complexity
  • Primary focus: verify conditional logic correctly distinguishes fork vs. same-repo scenarios
  • Ensure token/PAT usage aligns with repository permissions and security requirements
  • Confirm fetch-depth and ref parameters function correctly across all GitHub Actions event types (pull_request, push, pull_request_target)

Poem

🐰 Forks and branches, now with care,
Checking out with proper flair!
Token guards and refs aligned,
CI/CD workflows, well-designed!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding fork PR handling to readme and cli-docs workflows. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e52e1e0 and 7afc860.

📒 Files selected for processing (2)
  • .github/workflows/cli-docs.yaml (2 hunks)
  • .github/workflows/readme.yaml (2 hunks)
🔇 Additional comments (5)
.github/workflows/cli-docs.yaml (3)

46-60: LGTM! Fork-aware checkout logic is well-structured.

The dual checkout pattern correctly separates fork PRs (lines 46-52, read-only without PAT) from same-repo operations (lines 53-60, with PAT). The conditions are mutually exclusive and cover all event types (push, pull_request, pull_request_target).


74-74: LGTM! Commit/push correctly gated for operations with write access.

The condition properly prevents fork PRs (without PAT) from attempting to push, while allowing pushes for same-repo PRs, direct pushes to main, and pull_request_target events.


53-60: Add safeguards for pull_request_target fork PR handling.

The PAT checkout (line 54-60) executes for pull_request_target events, which include fork PRs when triggered by the 'safe-to-fix' label from maintainers (lines 40-43). While the job condition restricts this to trusted users, the push step (line 74) lacks explicit handling for fork scenarios. Either verify the PAT has write access to maintainer-controlled forks or add a condition to skip the push for fork repositories even when triggered via pull_request_target.

.github/workflows/readme.yaml (2)

34-48: LGTM! Consistent fork-aware checkout logic.

The checkout pattern mirrors cli-docs.yaml, correctly separating fork PRs (lines 34-40, read-only) from same-repo operations (lines 41-48, with PAT). Conditions are mutually exclusive and handle all event types properly. The consistency between workflows enhances maintainability.


60-60: LGTM! Commit/push correctly gated.

The condition ensures only operations with write access (push events, pull_request_target, or same-repo PRs with PAT) attempt to commit and push changes.


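The fork-aware checkout and the push gate discussed in the review above, written out as an added example; it is not the project's workflow, and the step names, the `PAT` secret name and `scripts/build-docs.sh` are assumptions. The push step uses the stricter gate the third review comment suggests, with the gate as the review describes it kept as a comment for comparison.

```yaml
# Added example, not the project's workflow. Assumptions: step names, the
# PAT secret name and scripts/build-docs.sh.
steps:
  # Fork PR on pull_request: read-only checkout of the fork head, no PAT.
  - name: Checkout (fork PR)
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name != github.repository
    uses: actions/checkout@v4
    with:
      fetch-depth: 0
      repository: ${{ github.event.pull_request.head.repo.full_name }}
      ref: ${{ github.event.pull_request.head.sha }}
      persist-credentials: false

  # Exact negation of the condition above (push, pull_request_target,
  # same-repo PR), so exactly one checkout step runs per job.
  - name: Checkout (same repo)
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    uses: actions/checkout@v4
    with:
      fetch-depth: 0
      token: ${{ secrets.PAT }}
      # PR branch only when it lives in this repository; otherwise the
      # branch the event targets, so fork code is never checked out here.
      ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.head_ref || github.ref_name }}

  - name: Regenerate docs
    run: ./scripts/build-docs.sh

  # Gate as the review describes it (push, pull_request_target, same-repo PR):
  #   github.event_name == 'push' ||
  #   github.event_name == 'pull_request_target' ||
  #   github.event.pull_request.head.repo.full_name == github.repository
  # Stricter gate below: the head repository must be this repository, so a
  # fork PR never reaches the push, whichever event started the run.
  - name: Commit and push if changed
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    run: |
      git config user.name "github-actions[bot]"
      git config user.email "github-actions[bot]@users.noreply.github.com"
      git add -A
      git diff --cached --quiet || { git commit -m "docs: regenerate"; git push; }
```

On a `push` event `github.event.pull_request` is empty, which is why both gates test `github.event_name == 'push'` first rather than relying on the repository comparison alone.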


codecov bot commented Dec 20, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.33%. Comparing base (e52e1e0) to head (7afc860).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2707   +/-   ##
=======================================
  Coverage   99.33%   99.33%           
=======================================
  Files          81       81           
  Lines       11478    11478           
  Branches     1367     1367           
=======================================
  Hits        11402    11402           
  Misses         45       45           
  Partials       31       31           
Flag Coverage Δ
unittests 99.33% <ø> (ø)


codspeed-hq bot commented Dec 20, 2025

CodSpeed Performance Report

Merging #2707 will not alter performance

Comparing fix/workflow-fork-token-readme-cli (7afc860) with main (e52e1e0)

Summary

✅ 52 untouched
⏩ 10 skipped [1]

Footnotes

  1. 10 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@koxudaxi (Owner, Author) commented

@coderabbitai review


coderabbitai bot commented Dec 20, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@koxudaxi koxudaxi merged commit 590e568 into main Dec 20, 2025
36 checks passed
@koxudaxi koxudaxi deleted the fix/workflow-fork-token-readme-cli branch December 20, 2025 00:35