ci: Fix documentation artefacts automatically#8024
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
|
Caution Review failedAn error occurred during the review process. Please try again later. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8024 +/- ##
========================================
Coverage 98.64% 98.64%
========================================
Files 1501 1506 +5
Lines 59397 59572 +175
========================================
+ Hits 58591 58766 +175
Misses 806 806 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
1235b2e to
380c28c
Compare
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01HWahXvKyob4DTBgmGzV1gm
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
d104773 to
f38778a
Compare
This reverts commit 180332d.
2804a78 to
e61a1a6
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/api-fix-docs-artefacts.yml (1)
61-71: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick winImprove commit step reliability and prevent redundant CI runs.
Since this workflow authenticates using a GitHub App token with push access, the resulting push will re-trigger this and any other
on: pull_requestCI workflows. Appending[skip ci]to the commit message prevents these redundant and potentially expensive CI executions.Additionally, while
git add --alloperates on the entire working tree regardless of the current directory in Git 2.0+, explicitly setting the working directory to the repository root makes it much clearer that this step expects to commit changes in both theapi/anddocs/folders.♻️ Proposed refactor
- name: Commit and push fixes + working-directory: ${{ github.workspace }} run: | git add --all if git diff --cached --quiet; then echo "Documentation artefacts are up to date." exit 0 fi git config user.name '${{ steps.app-token.outputs.app-slug }}[bot]' git config user.email '${{ steps.app-token.outputs.app-slug }}[bot]`@users.noreply.github.com`' - git commit --message 'chore: Update documentation artefacts' + git commit --message 'chore: Update documentation artefacts [skip ci]' git push || { git pull --rebase && git push; }
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 6d082014-2688-438c-8ca6-1a53d0b223a1
📒 Files selected for processing (2)
.github/workflows/api-fix-docs-artefacts.ymlapi/Makefile
c574255 to
0d3bb9d
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/api-fix-docs-artefacts.yml (1)
37-59: 🔒 Security & Privacy | 🔴 Critical | 🏗️ Heavy liftDo not execute PR code with privileged credentials.
The workflow checks out attacker-controlled PR content using a push-capable App token, runs Make targets from that checkout, then exports production CodeArtifact credentials before running another PR-controlled Make target. A malicious PR can modify the Makefile or management command to push arbitrary changes or exfiltrate the CodeArtifact token. Run generation only from a trusted post-merge checkout, or isolate PR validation from all write-capable tokens and secrets.
♻️ Duplicate comments (1)
.github/workflows/api-fix-docs-artefacts.yml (1)
8-11: 🎯 Functional Correctness | 🟠 MajorRun this job after merging, not on pull requests.
This still triggers on
pull_requestand pushes generated commits back to the PR branch, contradicting the stated objective that artefacts are regenerated after merging to the default branch. Move this job to a post-merge default-branch workflow.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 4ea38dab-62d5-4913-8684-a0f7a98334bf
📒 Files selected for processing (2)
.github/workflows/api-fix-docs-artefacts.ymlapi/Makefile
After experimenting a few paths, I think I prefer keeping this a new GHA workflow mainly because a pre-commit hook would require every engineer to authenticate to CodeArtifact, which IMO is not necessary. I did improve things a bit (a35b11c) but still not a hook — it would be a manual one, which I think is worse than a make target. Please advise if you see something I can't, otherwise I think the DevEx gain here easily warrants a new CI workflow. |
67cff77 to
59e37ca
Compare
79294f2 to
0fea7ad
Compare
Human text.
Closes #8021
The team has been made responsible to include auto-generated documentation changes in their PRs, leading to some time wasted in back-and-forth make targets and git-fu — not to mention the need to authenticate to AWS for CodeArtefact (private packages). This breaks us free!
Changes
Review effort: 2/5