
Commit 24b3a5d

Address review feedback on docs-preview workflows
- Disable the uv Actions cache in the build job: pull_request_target runs share the base-branch cache scope, so a cache populated while untrusted PR code ran could poison later trusted workflows. Mirrors the posture in publish-pypi.yml.
- Fix concurrency: workflow-level concurrency is evaluated before job if-conditions, so any PR comment was cancelling in-flight previews. Only runs that actually produce a preview now share a group; unrelated comment runs fall through to a unique run_id group.
- Replace .github/zizmor.yml with inline ignore comments anchored to the pull_request_target lines (matching the existing pattern in claude.yml).
- Raise the cleanup pagination cap to 200 pages.

:house: Remote-Dev: homespace
1 parent dd9eb9d commit 24b3a5d

3 files changed

Lines changed: 17 additions & 15 deletions


.github/workflows/docs-preview-cleanup.yml

Lines changed: 2 additions & 2 deletions
@@ -5,7 +5,7 @@ name: Docs Preview Cleanup
55
# checks out PR code, so there is no untrusted-code execution risk.
66

77
on:
8-
pull_request_target:
8+
pull_request_target: # zizmor: ignore[dangerous-triggers] never checks out PR code
99
types: [closed]
1010

1111
permissions: {}
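Review bot: the justification on the new `pull_request_target:` line covers only the checkout half of what zizmor's `dangerous-triggers` finding is about; the other half is attacker-controlled event fields (branch name, PR title, body) reaching a `run:` step through `${{ }}` interpolation. Since the cleanup job does consume the PR branch name (the `--arg b "$BRANCH"` usage further down in this file), the comment should also say that PR-derived values are only read from environment variables and never templated into shell, e.g. `# zizmor: ignore[dangerous-triggers] never checks out PR code; PR fields only reach shell via env`, so a future reader does not drop that guarantee while trusting the ignore.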
@@ -30,7 +30,7 @@ jobs:
3030
# Collect matching ids across all pages first, then delete — deleting
3131
# mid-pagination would shift later pages and skip entries.
3232
ids=""
33-
for page in $(seq 1 50); do
33+
for page in $(seq 1 200); do
3434
resp=$(curl -fsS -H "Authorization: Bearer $CF_API_TOKEN" "$base?env=preview&per_page=25&page=$page")
3535
ids="$ids $(jq -r --arg b "$BRANCH" '.result[]? | select(.deployment_trigger.metadata.branch == $b) | .id' <<<"$resp")"
3636
[ "$(jq '.result | length' <<<"$resp")" -lt 25 ] && break
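Review bot: raising the cap from 50 to 200 pages still leaves a silent truncation: if a project ever accumulates more than 200 × 25 preview deployments, the loop exits the `for` without hitting `break` and the collected `ids` list is incomplete, yet nothing distinguishes that from a clean finish. Suggest checking after the loop whether `page` reached 200 and emitting a warning (or failing the step) so the cap becoming a problem is visible rather than quietly leaving deployments behind. Also worth noting that the `-lt 25` termination test is coupled to the literal `per_page=25` in the `curl` URL; keeping both in one `PER_PAGE` variable would stop them drifting apart.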

.github/workflows/docs-preview.yml

Lines changed: 15 additions & 3 deletions
@@ -15,7 +15,7 @@ name: Docs Preview
1515
# - vars.CLOUDFLARE_PAGES_PROJECT (existing Pages project, e.g. mcp-python-sdk-docs)
1616

1717
on:
18-
pull_request_target:
18+
pull_request_target: # zizmor: ignore[dangerous-triggers] build is permission-gated and secret-isolated; see header comment
1919
types: [opened, reopened, synchronize]
2020
paths:
2121
- docs/**
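Review bot: the new ignore comment on `pull_request_target:` defers to "see header comment", which sits outside this hunk; since inline zizmor ignores are what an auditor reads at the trigger line, consider naming the gate directly, as docs-preview-cleanup.yml does with "never checks out PR code", e.g. `# zizmor: ignore[dangerous-triggers] build runs only after an author-association check and without repo secrets`. Also, with `types: [opened, reopened, synchronize]`, every head push by an untrusted author re-queues the gated job; that is expected, but the comment should make clear the gate is evaluated on every one of those events, not just the first.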
@@ -28,7 +28,16 @@ on:
2828
permissions: {}
2929

3030
concurrency:
31-
group: docs-preview-pr-${{ github.event.pull_request.number || github.event.issue.number }}
31+
# Workflow-level concurrency is evaluated when the run is queued — before any
32+
# job-level `if:` — so an unrelated PR comment would otherwise cancel an
33+
# in-flight build. Only runs that actually produce a preview share a group;
34+
# everything else falls through to a unique run_id group.
35+
group: >-
36+
docs-preview-pr-${{
37+
github.event_name == 'pull_request_target' && github.event.pull_request.number
38+
|| (github.event.issue.pull_request && startsWith(github.event.comment.body, '/preview-docs') && github.event.issue.number)
39+
|| github.run_id
40+
}}
3241
cancel-in-progress: true
3342

3443
jobs:
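Review bot: the concurrency group now admits any comment whose body starts with `/preview-docs` before the job-level permission gate has run, so a comment from an unauthorized user still lands in the same `docs-preview-pr-<number>` group and, with `cancel-in-progress: true`, cancels a trusted in-flight preview build for that PR. If that nuisance matters, fold the same author check the job uses (for example `github.event.comment.author_association`) into the `startsWith(...)` branch so unauthorized comments fall through to the `github.run_id` group; if it is accepted as low impact, say so in the comment block. Separately, the `startsWith(github.event.comment.body, '/preview-docs')` check duplicates trigger-phrase logic that presumably also lives in the job `if:`; a cross-reference in the comment would keep the two from diverging silently when one is edited.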
@@ -113,7 +122,10 @@ jobs:
113122
- name: Install uv
114123
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
115124
with:
116-
enable-cache: true
125+
# pull_request_target runs share the base-branch Actions cache; saving
126+
# a cache populated while untrusted PR code ran would let it poison
127+
# later trusted workflows. Mirrors publish-pypi.yml.
128+
enable-cache: false
117129
version: 0.9.5
118130

119131
- run: uv sync --frozen --group docs
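Review bot: the new comment explains the cache decision well; one clarification worth adding beside it is that `enable-cache: false` only disables the Actions cache layer in `setup-uv`, and the step immediately below, `uv sync --frozen --group docs`, still installs exactly what the checked-out lockfile pins, so the lockfile is the untrusted input and the disabled cache is what keeps its effects from persisting into later base-branch runs. Also confirm no other `setup-uv` input (such as a custom cache path) re-enables persistence, since the comment claims parity with publish-pypi.yml.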

.github/zizmor.yml

Lines changed: 0 additions & 10 deletions
This file was deleted.
