Mirrors_Framework/PX4-Autopilot
1
0
Fork 0
mirror of https://github.com/PX4/PX4-Autopilot.git synced 2026-06-01 02:55:07 +08:00
Code Issues Actions 19 Packages Projects Releases Wiki Activity

ci: harden docs orchestrator before merge

Browse Source 
- Add [skip ci] to auto-commit message to prevent infinite workflow loop
- Add source paths (src/, msg/, ROMFS/, Tools/module_config/) to push
  triggers so metadata regenerates on source-only changes
- Move permissions from workflow-level to job-level (least privilege)

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
This commit is contained in:
Ramon Roche
2026-02-09 09:43:30 -08:00
parent 0966e92e36
commit 61a67b3a09
1 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/docs-orchestrator.yml
+18 -7
View File
@@ -7,17 +7,15 @@ on:
- "release/**" - "release/**"
paths: paths:
- "docs/**" - "docs/**"
- "src/**"
- "msg/**"
- "ROMFS/**"
- "Tools/module_config/**"
pull_request: pull_request:
paths: paths:
- "docs/**" - "docs/**"
workflow_dispatch: workflow_dispatch:
permissions:
contents: write
actions: read
id-token: write
pull-requests: write
concurrency: concurrency:
group: docs-orchestrator-${{ github.ref }} group: docs-orchestrator-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
@@ -29,6 +27,8 @@ jobs:
detect-changes: detect-changes:
name: "Detect Changed Paths" name: "Detect Changed Paths"
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
source_changed: ${{ steps.changes.outputs.source }} source_changed: ${{ steps.changes.outputs.source }}
@@ -51,6 +51,8 @@ jobs:
name: "PR: Generate Metadata" name: "PR: Generate Metadata"
needs: [detect-changes] needs: [detect-changes]
if: github.event_name == 'pull_request' && needs.detect-changes.outputs.source_changed == 'true' if: github.event_name == 'pull_request' && needs.detect-changes.outputs.source_changed == 'true'
permissions:
contents: read
runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false,extras=s3-cache] runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false,extras=s3-cache]
container: container:
image: px4io/px4-dev-nuttx-focal:2024-11-07 image: px4io/px4-dev-nuttx-focal:2024-11-07
@@ -110,6 +112,8 @@ jobs:
metadata-regen: metadata-regen:
name: "Push: Generate & Commit Metadata" name: "Push: Generate & Commit Metadata"
if: github.event_name == 'push' if: github.event_name == 'push'
permissions:
contents: write
runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false,extras=s3-cache] runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false,extras=s3-cache]
container: container:
image: px4io/px4-dev-nuttx-focal:2024-11-07 image: px4io/px4-dev-nuttx-focal:2024-11-07
@@ -185,7 +189,7 @@ jobs:
if git diff --staged --quiet; then if git diff --staged --quiet; then
echo "No changes to commit" echo "No changes to commit"
else else
git commit -m "docs: auto-sync metadata git commit -m "docs: auto-sync metadata [skip ci]
Co-Authored-By: PX4 BuildBot <${{ secrets.PX4BUILDBOT_EMAIL }}>" Co-Authored-By: PX4 BuildBot <${{ secrets.PX4BUILDBOT_EMAIL }}>"
git push git push
@@ -198,6 +202,9 @@ jobs:
name: "Check Links" name: "Check Links"
needs: [detect-changes, pr-metadata-regen] needs: [detect-changes, pr-metadata-regen]
if: always() && (github.event_name == 'pull_request') if: always() && (github.event_name == 'pull_request')
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
@@ -287,6 +294,8 @@ jobs:
always() && always() &&
(needs.metadata-regen.result == 'success' || needs.metadata-regen.result == 'skipped') && (needs.metadata-regen.result == 'success' || needs.metadata-regen.result == 'skipped') &&
(needs.link-check.result == 'success' || needs.link-check.result == 'skipped') (needs.link-check.result == 'success' || needs.link-check.result == 'skipped')
permissions:
contents: read
runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false,extras=s3-cache] runs-on: [runs-on,runner=4cpu-linux-x64,image=ubuntu24-full-x64,"run-id=${{ github.run_id }}",spot=false,extras=s3-cache]
outputs: outputs:
branchname: ${{ steps.set-branch.outputs.branchname }} branchname: ${{ steps.set-branch.outputs.branchname }}
@@ -352,6 +361,8 @@ jobs:
name: "Deploy to AWS" name: "Deploy to AWS"
if: github.event_name == 'push' if: github.event_name == 'push'
needs: [metadata-regen, build-site] needs: [metadata-regen, build-site]
permissions:
id-token: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Download Artifact - name: Download Artifact