github-action: Add AsciiDoc freeze warning #16969
Conversation
| @@ -2,7 +2,8 @@ | |||
| name: Comment on PR for .asciidoc changes | |||
|
|
|||
| on: | |||
| pull_request: | |||
| # We need to use pull_request_target to be able to comment on PRs from forks | |||
| pull_request_target: | |||
There was a problem hiding this comment.
Given the comment-on-asciidoc-changes workflow checks out the code from a PR, allowing the action to run from forks is inherently risky. While I dont see an injection point for execution of malicious code I think it is a significant surface area to try to keep safe. Would it be possible to instead use the github API to detect if files are changed (Rather than checking out the code in the action context? https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#list-pull-requests-files )
There was a problem hiding this comment.
Thank you for the feedback.
I just found that the action in use can utilize the GitHub API instead of git.
https://github.com/tj-actions/changed-files?tab=readme-ov-file#using-githubs-api-octocat
I will verify if this works as expected for forks.
Details
Add a workflow that will comment on PRs with AsciiDoc changes.
Why
During the migration to Elastic Docs v3, the Docs team will focus exclusively on migrating content.
To maintain consistency, prevent conflicts, and ensure a smoother transition we will freeze all AsciiDoc changes.
This means you will get a warning when you create AsciiDoc changes in your PRs.
See elastic/docs-builder#281 for details
If there are any questions, please reach out to the @elastic/docs-engineering