25 changes: 22 additions & 3 deletions .github/workflows/mkdocs-deploy.yml
Expand Up @@ -6,10 +6,10 @@ on:
workflow_dispatch:

permissions:
contents: write
contents: read

jobs:
deploy:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
Expand All @@ -25,5 +25,24 @@ jobs:
- name: Build the site with MkDocs
run: uv run mkdocs build --strict

- name: Upload static files as artifact
uses: actions/upload-pages-artifact@v4
with:
path: ./site

deploy:
needs: build
runs-on: ubuntu-latest

permissions:
pages: write
id-token: write

environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}

steps:
- name: Deploy to GitHub Pages
run: uv run mkdocs gh-deploy --force
id: deployment
uses: actions/deploy-pages@v4
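Review bot: The two new Pages actions, `uses: actions/upload-pages-artifact@v4` and `uses: actions/deploy-pages@v4`, are referenced by a mutable major tag, whereas the checkout in the same workflow is pinned to a full commit SHA with a `# v5` comment; a tag can be re-pointed upstream, so the `deploy` job, which holds `id-token: write`, would run whatever the tag resolves to at the time. Pin both to the full commit SHA of the v4 release in the same style as the checkout line, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v4`, so that Renovate (already active on this repo per the other workflow) can bump the pinned SHA in reviewable PRs. The job-level `permissions:` block on `deploy` replaces the workflow-level `contents: read` rather than extending it, so the job has no `contents` scope at all; that is what deploy-pages needs, but a comment such as `# job-level permissions replace the top-level block; deploy-pages needs only pages + id-token` would stop a later edit from adding a checkout here without restoring it.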
9 changes: 5 additions & 4 deletions .github/workflows/pr-build.yml
@@ -1,17 +1,18 @@
name: Build the site with MkDocs

permissions:
contents: read

on:
pull_request:
branches: [ main ]

permissions:
contents: read

jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
fetch-depth: 1

35 changes: 22 additions & 13 deletions .github/workflows/update-from-submodule.yml
Expand Up @@ -3,34 +3,42 @@
on:
pull_request_target:
types: [opened, synchronize]
branches:
- main
branches: [ main ]
workflow_dispatch:

permissions:
contents: write

jobs:
update-files:
if: github.actor == 'renovate[bot]' && startsWith(github.event.pull_request.head.ref, 'renovate/submodules-')
update-from-submodule:
if: >
github.actor == 'renovate[bot]' &&
startsWith(github.event.pull_request.head.ref, 'renovate/submodules-')

runs-on: ubuntu-latest

steps:
- name: Checkout pull request branch with submodules
- name: Checkout PR branch with submodules

Check failure on line 20 in .github/workflows/update-from-submodule.yml


Codacy Production / Codacy Static Code Analysis

.github/workflows/update-from-submodule.yml#L20

This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request.
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
# Checkout the repository at the merge commit
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
submodules: true

- name: Validate PR source branch
- name: Validate PR source repository and branch
shell: bash
run: |
if [[ ${{ github.event.pull_request.head.repo.full_name }} != '${{ github.repository }}' ]]; then
echo "Untrusted repository detected! Exiting.";
exit 1;
if [[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
echo "Untrusted repository detected! Exiting..."
exit 1
fi

- name: Configure git identity
shell: bash
run: |
git config --global user.name "renovate[bot]"
git config --global user.email "29139614+renovate[bot]@users.noreply.github.com"

- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
with:
Expand All @@ -38,10 +46,10 @@
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
fingerprint: "F768450FB05B817D0B4BC26FB9B6A9B428C8676A"
trust_level: 5

- name: Set up Python

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
)
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
with:
python-version: '3.x'
Expand All @@ -49,12 +57,13 @@
- name: Run repo update script
run: python update_repo.py

- name: Run CHANGELOG update script
run: bash update-changelog.bash

- name: Commit and push changes

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
)
shell: bash
run: |
git add .
git add -A
git commit -m "Update files based on submodule changes"
git pull --rebase origin ${{ github.event.pull_request.head.ref }}
git push origin HEAD:${{ github.event.pull_request.head.ref }}
git pull --rebase origin "${{ github.event.pull_request.head.ref }}"
git push origin HEAD:"${{ github.event.pull_request.head.ref }}"
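Review bot: The `Validate PR source repository and branch` step only runs after the checkout step above it has already fetched `${{ github.event.pull_request.head.sha }}` with `submodules: true`, so a fork PR is still cloned, submodule URLs included, before it is rejected; the same-repository condition belongs in the job-level `if:` alongside the actor and branch-prefix checks, as a third folded line `github.event.pull_request.head.repo.full_name == github.repository &&`, so the job is skipped and no checkout happens for a fork (the `update-from-submodule` job itself begins in the first hunk of this file). The `run:` scripts in the validate step and in the commit-and-push step splice `${{ github.event.pull_request.head.ref }}` and the repository name straight into bash; the double quotes added in this hunk do not neutralise a quote character inside the expanded value, so expose them through an `env:` mapping on the step (`HEAD_REF: ${{ github.event.pull_request.head.ref }}`) and reference `"$HEAD_REF"` in the script instead. `git commit -m "Update files based on submodule changes"` also fails the job whenever the update scripts leave nothing staged; if a no-op run is meant to succeed, guard it with `git diff --cached --quiet || git commit -m "Update files based on submodule changes"`.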