sure/.github/workflows/update-docs.yml
Jeff 956c27df6b chore(ci): pin GitHub Actions to commit SHAs (#1811) (#1870)
* chore(ci): pin GitHub Actions to commit SHAs (#1811)

Follow-up to #1810. The Node-24 upgrade left every workflow on mutable
tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.)
which superagent-security[bot] flagged on the ci.yml + publish.yml
reviews.

Pin all 18 external actions to the commit SHA they currently resolve to
and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see
the version. Local reusable-workflow refs (`uses: ./.github/...`) are
left alone — pinning those would defeat the point.

Closes #1811

* chore(ci): address review — persist-credentials + setup-node consistency (#1811)

Two pieces of follow-up feedback on the SHA-pinning PR:

- @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials:
  false' to checkout steps in jobs that don't perform authenticated git
  operations. Adds the line to 17 read-only checkouts across 9
  workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight,
  llm-evals, preview-cleanup, preview-deploy, publish:build).
  Checkouts inside jobs that 'git push' (chart-release, mobile-build,
  mobile-release, helm-publish:second-checkout, publish:bump-pre_release)
  are intentionally left alone so they keep their token.

- @jjmata: preview-deploy.yml was the only workflow on
  actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise
  on v5.0.0 to match.

Dependabot config already has a github-actions ecosystem entry with a
weekly schedule, so no addition needed for that point.

* chore(ci): document intentional setup-node v6→5 normalization (#1811)

@superagent-security flagged the v6.4.0 -> v5.0.0 change in
preview-deploy.yml as a possible unintended downgrade. The downgrade
was deliberate, per @jjmata's review request to normalize setup-node
across all workflows. Add an inline YAML comment next to the line so
future scans don't re-flag it.

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
2026-05-30 23:35:19 +02:00

83 lines
2.8 KiB
YAML

name: Update Docs
on:
  push:
    branches:
      - main
jobs:
  update-docs:
    if: github.repository == 'we-promise/sure'
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          MINTLIFY_API_KEY: ${{ secrets.MINTLIFY_API_KEY }}
          PROJECT_ID: ${{ secrets.MINTLIFY_PROJECT_ID }}
        with:
          script: |
            const { owner, repo } = context.repo;
            const projectId = process.env.PROJECT_ID;
            const apiKey = process.env.MINTLIFY_API_KEY;
            if (!projectId || !apiKey) {
              core.setFailed('Missing MINTLIFY_PROJECT_ID or MINTLIFY_API_KEY secrets');
              return;
            }
            const url = `https://api.mintlify.com/v1/agent/${projectId}/job`;
            const payload = {
              branch: `mintlify/docs-update-${Date.now()}`,
              messages: [
                {
                  role: 'system',
                  content: 'You are an action runner that updates documentation based on code changes. You should never ask questions. If you are not able to access the repository, report the error and exit.'
                },
                {
                  role: 'user',
                  content: `Update the documentation for our recent pushes to main:\n\nRepository: ${owner}/${repo}`
                }
              ],
              asDraft: false
            };
            try {
              const response = await fetch(url, {
                method: 'POST',
                headers: {
                  'Authorization': `Bearer ${apiKey}`,
                  'Content-Type': 'application/json'
                },
                body: JSON.stringify(payload)
              });
              if (!response.ok) {
                throw new Error(`API request failed with status ${response.status}: ${await response.text()}`);
              }
              const reader = response.body.getReader();
              const decoder = new TextDecoder();
              let buffer = '';
              while (true) {
                const { done, value } = await reader.read();
                if (done) break;
                buffer += decoder.decode(value, { stream: true });
                const lines = buffer.split('\n');
                buffer = lines.pop() || '';
                for (const line of lines) {
                  if (line.trim()) {
                    console.log(line);
                  }
                }
              }
              if (buffer.trim()) {
                console.log(buffer);
              }
              core.notice(`Documentation update job triggered for ${owner}/${repo}`);
            } catch (error) {
              core.setFailed(`Failed to create documentation update job: ${error.message}`);
            }