72 changes: 72 additions & 0 deletions .github/workflows/auto-build-main-module-docs.yml
@@ -0,0 +1,72 @@
name: Auto Build Main Module Docs

on:
pull_request:
branches: [develop]
Collaborator
The release branches need to be included as well, ==> [develop, release/*]

paths:
- 'docs/**'
push:
branches: [develop]
paths:
- 'docs/**'

jobs:
verify-main-build:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write

steps:
- uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.SUBMODULE_SSH_KEY_PRIVATE }}
- name: Checkout submodule repo
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.PAT_TOKEN }}

- name: Checkout main repository
run: |
# 克隆主仓库
git clone https://github.com/opentiny/docs.git docs-main
cd docs-main

# 更新子模块到PR分支的版本
git submodule sync --recursive
git submodule update --init --recursive


# 获取PR分支的最新提交
cd ./tiny-engine
BRANCH_NAME="${{ github.head_ref }}"
git fetch origin $BRANCH_NAME
git checkout $BRANCH_NAME
Comment on lines +43 to +45
Contributor
⚠️ Potential issue | 🔴 Critical

Fix script injection vulnerability.

Using github.head_ref directly in an inline script creates a script injection risk. An attacker could create a branch with a malicious name containing shell commands.

🔎 Recommended fix
       - name: Checkout main repository
         run: |
           # 克隆主仓库
           git clone https://github.com/opentiny/docs.git docs-main
           cd docs-main
 
           # 更新子模块到PR分支的版本
           git submodule sync --recursive
           git submodule update --init --recursive
 
 
           # 获取PR分支的最新提交
           cd ./tiny-engine
-          BRANCH_NAME="${{ github.head_ref }}"
-          git fetch origin $BRANCH_NAME
-          git checkout $BRANCH_NAME
+          git fetch origin "$BRANCH_NAME"
+          git checkout "$BRANCH_NAME"
 
           # 回到主仓库根目录
           cd ../
+        env:
+          BRANCH_NAME: ${{ github.head_ref }}

Based on the static analysis hint provided.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-BRANCH_NAME="${{ github.head_ref }}"
-git fetch origin $BRANCH_NAME
-git checkout $BRANCH_NAME
+# 获取PR分支的最新提交
+cd ./tiny-engine
+git fetch origin "$BRANCH_NAME"
+git checkout "$BRANCH_NAME"
+# 回到主仓库根目录
+cd ../
+env:
+  BRANCH_NAME: ${{ github.head_ref }}
🤖 Prompt for AI Agents
.github/workflows/auto-build-main-module-docs.yml around lines 43-45: using
github.head_ref directly in an inline shell creates a script-injection risk;
replace this pattern by either (A) using the actions/checkout step with ref: ${{
github.head_ref }} instead of doing git checkout in an inline script, or (B) if
you must run shell commands, validate the branch name against a strict whitelist
regex (e.g. allow only alphanumerics, dot, underscore, hyphen, slash), exit if
it fails, always wrap the variable in double quotes, and use git commands with a
-- to prevent it being parsed as an option (e.g. git fetch origin --
"$BRANCH_NAME" && git checkout -- "$BRANCH_NAME").


# 回到主仓库根目录
cd ../

- name: Setup pnpm
uses: pnpm/action-setup@v3
with:
version: 9

- name: Run main repo build
id: build
working-directory: ./docs-main
run: |
pnpm i
# 如果使用VitePress
pnpm build

- name: Update PR status
if: always()
run: |
# 检查构建是否成功
if [ ${{ steps.build.outcome }} == 'success' ]; then
echo "✅ 主仓库构建成功"
else
echo "❌ 主仓库构建失败"
exit 1
fi
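Review bot: `BRANCH_NAME="${{ github.head_ref }}"` in the "Checkout main repository" step is only populated for `pull_request` events, yet this workflow also declares `on: push` to `develop`; on a push the variable is empty, so `git fetch origin $BRANCH_NAME` and `git checkout $BRANCH_NAME` fail and every push run goes red. Either gate that step with `if: github.event_name == 'pull_request'` or fall back to `github.ref_name` for push events. Two smaller points in the same hunk: `permissions` grants `pull-requests: write` although no step writes to the PR (the final step only echoes and exits), so reduce it to `read` or drop it to keep the job token least-privilege; and in `if [ ${{ steps.build.outcome }} == 'success' ]` the interpolated value should be double-quoted (`"${{ steps.build.outcome }}"`) so the test stays well-formed if the outcome is ever empty.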
21 changes: 21 additions & 0 deletions .github/workflows/auto-deploy-docs.yml
@@ -0,0 +1,21 @@
name: Auto Deploy Docs

on:
push:
branches: [develop]
paths:
- 'docs/**'

jobs:
notify:
runs-on: ubuntu-latest
steps:
- name: Trigger main repo workflow
env:
PAT: ${{ secrets.PAT_TOKEN }}
run: |
curl -X POST \
-H "Authorization: token $PAT" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/opentiny/docs/dispatches \
-d '{"event_type":"submodule-updated"}'
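Review bot: the `curl` call to `/repos/opentiny/docs/dispatches` never checks the HTTP response, so an expired or under-scoped `PAT_TOKEN` (a 401 or 404 from the API) still leaves the `notify` job green while the main repository is never rebuilt. Add `--fail` (or `--fail-with-body` on current curl) so a non-2xx status fails the step, and `-sS` to keep progress output out of the log while still printing errors. `-X POST` is also redundant once `-d` is given.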
2 changes: 1 addition & 1 deletion docs/api/api-overview.md
@@ -2,7 +2,7 @@

TinyEngine的API主要分为`TinyEngine能力API`和`开源后端接口API`。

## TinyEngine能力API
## TinyEngine 能力API
主要提供以下几类API
- 主包API
- 画布API
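Review bot: the only change in this hunk inserts a space in the heading (`## TinyEngine 能力API`), but the unchanged sentence two lines above still writes `TinyEngine能力API` without the space; pick one spelling and apply it to both occurrences, otherwise this reads as an accidental edit.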