From dc0c634eab5526f46eda2f07f94a3e5bc18c3ac6 Mon Sep 17 00:00:00 2001
From: yanyongyu
Date: Thu, 26 Nov 2020 20:18:36 +0800
Subject: [PATCH] :bug: fix workflow vulnerability #79
---
 .../{api_docs.yml => build_docs.yml} | 15 +++------
 .github/workflows/upload_docs.yml | 33 +++++++++++++++++++
 2 files changed, 38 insertions(+), 10 deletions(-)
 rename .github/workflows/{api_docs.yml => build_docs.yml} (60%)
 create mode 100644 .github/workflows/upload_docs.yml
diff --git a/.github/workflows/api_docs.yml b/.github/workflows/build_docs.yml
similarity index 60%
rename from .github/workflows/api_docs.yml
rename to .github/workflows/build_docs.yml
index f4ee792b..8f4b0dc2 100644
--- a/.github/workflows/api_docs.yml
+++ b/.github/workflows/build_docs.yml
@@ -1,7 +1,7 @@
 name: Build API Doc
 on:
- pull_request_target:
+ pull_request:
 types: [ opened, synchronize, reopened ]
 jobs:
@@ -12,7 +12,6 @@ jobs:
 - uses: actions/checkout@v2
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- token: ${{ secrets.GH_TOKEN }}
 - name: Set up Python
 uses: actions/setup-python@v2
@@ -32,11 +31,7 @@ jobs:
 - name: Copy Files
 run: cp -r ./build/markdown/* ./docs/api/
- - run: |
- git config user.name nonebot
- git config user.email nonebot@nonebot.dev
- git add .
- git diff-index --quiet HEAD || git commit -m ":memo: update api docs"
- git remote -vv
- git remote add target ${{github.event.pull_request.head.repo.clone_url}}
- git push target HEAD:${{github.event.pull_request.head.ref}}
+ - uses: actions/upload-artifact@v2
+ with:
+ name: docs
+ path: docs/
diff --git a/.github/workflows/upload_docs.yml b/.github/workflows/upload_docs.yml
new file mode 100644
index 00000000..d20c3677
--- /dev/null
+++ b/.github/workflows/upload_docs.yml
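Review bot: The new `pull_request:` trigger in the first build_docs.yml hunk has no comment explaining why it must stay unprivileged, so a later edit could restore `pull_request_target` without noticing that this job still checks out `github.event.pull_request.head.sha`. I would add a comment above the trigger: `# Keep this on pull_request: the job builds PR-head code and must not see secrets; upload_docs.yml does the push.` The workflow body continues outside the hunk.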
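Review bot: In the last build_docs.yml hunk, the artifact `path: docs/` hands the whole docs tree to the privileged upload job, although the preceding step only writes into `./docs/api/`. This build runs PR-controlled code, so everything in the artifact is untrusted, and upload_docs.yml commits whatever it contains via `git add .`. Narrowing both sides to the generated directory (`path: docs/api/` here and in the download step of upload_docs.yml) limits what a crafted artifact can change in the pushed commit.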
@@ -0,0 +1,33 @@
+name: Upload API Doc
+
+on:
+ workflow_run:
+ workflows: ["Build API Doc"]
+ types:
+ - completed
+
+jobs:
+ upload:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+ token: ${{ secrets.GH_TOKEN }}
+
+ - uses: dawidd6/action-download-artifact@v2
+ with:
+ workflow: ${{ github.event.workflow_run.workflow_id }}
+ name: docs
+ path: docs/
+
+ - env:
+ REF: ${{ github.event.workflow_run.head_branch }}
+ run: |
+ git config user.name GitHub
+ git config user.email noreply@github.com
+ git add .
+ git diff-index --quiet HEAD || git commit -m ":memo: update api docs"
+ git remote add target "https://github.com/${{ github.event.workflow_run.head_repository.full_name }}.git"
+ git push target HEAD:$REF
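Review bot: The download step in upload_docs.yml selects the artifact by `workflow` and `name` only, so nothing visible ties it to the run that triggered this job. With several pull requests building at once, docs built from one PR may end up committed to another PR's branch using GH_TOKEN. Binding it to the trigger with `run_id: ${{ github.event.workflow_run.id }}` would close that gap (confirm the input against the action version in use). In the final step, `head_repository.full_name` is expanded directly into the script while `head_branch` goes through `env`; passing both through `env` and quoting them, as in `git push target "HEAD:$REF"`, keeps event data out of the shell text. `dawidd6/action-download-artifact@v2` is a mutable tag running in a job that holds the token, so pinning it to a full commit SHA is worth considering.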