🐛 fix workflow vulnerability #79

2024-09-20 21:02:36 +00:00 · 2020-11-26 20:18:36 +08:00 · 2020-11-26 20:18:36 +08:00 · dc0c634eab
commit dc0c634eab
parent 168f366efc
2 changed files with 38 additions and 10 deletions
--- a/.github/workflows/build_docs.yml
+++ b/.github/workflows/build_docs.yml
@ -1,7 +1,7 @@
 name: Build API Doc

 on:
-  pull_request_target:
+  pull_request:
    types: [ opened, synchronize, reopened ]

 jobs:
@ -12,7 +12,6 @@ jobs:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-          token: ${{ secrets.GH_TOKEN }}

      - name: Set up Python
        uses: actions/setup-python@v2
@ -32,11 +31,7 @@ jobs:
      - name: Copy Files
        run: cp -r ./build/markdown/* ./docs/api/

-      - run: |
-          git config user.name nonebot
-          git config user.email nonebot@nonebot.dev
-          git add .
-          git diff-index --quiet HEAD || git commit -m ":memo: update api docs"
-          git remote -vv
-          git remote add target ${{github.event.pull_request.head.repo.clone_url}}
-          git push target HEAD:${{github.event.pull_request.head.ref}}
+      - uses: actions/upload-artifact@v2
+        with:
+          name: docs
+          path: docs/
--- a/.github/workflows/upload_docs.yml
+++ b/.github/workflows/upload_docs.yml
@ -0,0 +1,33 @@
+name: Upload API Doc
+
+on:
+  workflow_run:
+    workflows: ["Build API Doc"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+          token: ${{ secrets.GH_TOKEN }}
+
+      - uses: dawidd6/action-download-artifact@v2
+        with:
+          workflow: ${{ github.event.workflow_run.workflow_id }}
+          name: docs
+          path: docs/
+
+      - env:
+          REF: ${{ github.event.workflow_run.head_branch }}
+        run: |
+            git config user.name GitHub
+            git config user.email noreply@github.com
+            git add .
+            git diff-index --quiet HEAD || git commit -m ":memo: update api docs"
+            git remote add target "https://github.com/${{ github.event.workflow_run.head_repository.full_name }}.git"
+            git push target HEAD:$REF