Migrated documentation build script to GitHub actions #6
Conversation
|
There was a problem hiding this comment.
Pull request overview
This PR migrates the documentation build process from GitLab to GitHub Actions and updates the docToolchain wrapper script (dtcw) from v2.0.5 to v3.4.1.
Key Changes:
- Added a new GitHub Actions workflow to automate documentation generation on push to main branch
- Updated dtcw script with improved error handling, multi-environment support (local/sdk/docker), and better user guidance
- Configured artifact upload for generated PDF and HTML documentation
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
.github/workflows/buildDocs.yml |
New workflow that checks out code, generates HTML and PDF documentation using dtcw, and uploads artifacts |
federated-catalogue/dtcw |
Complete replacement updating from v2.0.5 to v3.4.1 with enhanced features including improved environment detection, Java installation support, and better error messages |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| assert_java_version_supported() { | ||
| # Defines the order in which Java is searched. | ||
| if [ -d "${DTC_JAVA_HOME}" ]; then | ||
| echo "Caution: Your JAVA_HOME setting is overriden by DTCs own JDK install (for this execution)" |
There was a problem hiding this comment.
Typo: 'overriden' should be 'overridden'
| echo "Caution: Your JAVA_HOME setting is overriden by DTCs own JDK install (for this execution)" | |
| echo "Caution: Your JAVA_HOME setting is overridden by DTCs own JDK install (for this execution)" |
| local adoptium_java_url="https://api.adoptium.net/v3/binary/latest/${version}/${releasetype}/${os}/${arch}/${imagetype}/${implementation}/${heapsize}/eclipse?project=jdk" | ||
| download_file "${adoptium_java_url}" "${DTC_JAVA_HOME}/jdk.tar.gz" | ||
| echo "Extracting JDK from archive file." | ||
| # TODO: should we not delete a previsouly installed on? |
There was a problem hiding this comment.
Typo: 'previsouly' should be 'previously'
| # TODO: should we not delete a previsouly installed on? | |
| # TODO: should we not delete a previously installed one? |
| if ! is_doctoolchain_installed "${env}"; then | ||
| # We reach this point if the user executes a command in an | ||
| # environment where docToolchain is not installed. | ||
| # Note that 'docker' always has a command (no instalation required) |
There was a problem hiding this comment.
Typo: 'instalation' should be 'installation'
| # Note that 'docker' always has a command (no instalation required) | |
| # Note that 'docker' always has a command (no installation required) |
|
|
||
| # See https://github.com/docToolchain/docToolchain/releases for available versions. | ||
| # Set DTC_VERSION to "latest" to get the latest, yet unreleased version. | ||
| : "${DTC_VERSION:=3.4.1}" |
There was a problem hiding this comment.
The PR description states that dtcw was updated to version v3.4.2, but the script contains version 3.4.1. Please verify which version is correct and update either the PR description or the script accordingly.
| : "${DTC_VERSION:=3.4.1}" | |
| : "${DTC_VERSION:=3.4.2}" |
| ./dtcw generateHTML | ||
| - name: Generate PDF Documentation | ||
| run: | | ||
| cd ./federated-catalogue | ||
| ./dtcw generatePDF |
There was a problem hiding this comment.
[nitpick] The workflow runs dtcw script without explicitly setting up Java or specifying the execution environment. The dtcw script will default to 'local' environment which requires Java 11-17. Consider either:
- Adding a Java setup step before generating documentation (e.g.,
actions/setup-java@v4), or - Explicitly using the docker environment by changing the commands to
./dtcw docker generateHTMLand./dtcw docker generatePDF
Option 2 is recommended as it ensures a consistent build environment without requiring Java installation.
| ./dtcw generateHTML | |
| - name: Generate PDF Documentation | |
| run: | | |
| cd ./federated-catalogue | |
| ./dtcw generatePDF | |
| ./dtcw docker generateHTML | |
| - name: Generate PDF Documentation | |
| run: | | |
| cd ./federated-catalogue | |
| ./dtcw docker generatePDF |
| } | ||
|
|
||
| get_available_environments() { | ||
| # The local environment is alway available - even if docToolchain is not installed |
There was a problem hiding this comment.
Typo: 'alway' should be 'always'
| # The local environment is alway available - even if docToolchain is not installed | |
| # The local environment is always available - even if docToolchain is not installed |
| # The local environment is alway available - even if docToolchain is not installed | ||
| local envs=" local" | ||
|
|
||
| # 'sdk' is provided a bash founction - thus command doesn't work |
There was a problem hiding this comment.
Typo: 'founction' should be 'function'
| # 'sdk' is provided a bash founction - thus command doesn't work | |
| # 'sdk' is provided a bash function - thus command doesn't work |
| echo "Could not find doctoolchain executable, neither in '${DTC_HOME}' nor on PATH ('${PATH}')" >&2 | ||
| exit 1 | ||
| fi | ||
| cmd="${cmd} . ${*} ${DTC_OPTS}" |
There was a problem hiding this comment.
User-controlled CLI arguments are concatenated into a shell command string via ${*} and later executed with bash -c, enabling shell injection. An attacker can pass arguments containing shell metacharacters (e.g., ;, &&) to execute arbitrary commands with the user’s privileges. Fix by avoiding bash -c and not building command strings; instead, execute the target directly using an argument array and pass arguments safely, e.g.,
# Build an array and exec without a shell
args=("." )
args+=("$@")
exec "${cmd}" "${args[@]}" ${DTC_OPTS:+"${DTC_OPTS}"}Or use "$@" expansions when invoking without going through a shell.
| docker_args="run --rm -i --platform linux/amd64 -u $(id -u):$(id -g) --name ${container_name} \ | ||
| -e DTC_HEADLESS=true -e DTC_SITETHEME -e DTC_PROJECT_BRANCH=${DTC_PROJECT_BRANCH} \ | ||
| ${docker_extra_arguments} ${env_file_option} \ | ||
| --entrypoint /bin/bash -v '${pwd}:/project' ${DTC_DOCKER_PREFIX}${docker_image}:v${version}" | ||
|
|
||
| cmd="docker ${docker_args} -c \"doctoolchain . ${*} ${DTC_OPTS} && exit\"" |
There was a problem hiding this comment.
Docker execution path constructs a command string that embeds ${*} (user-provided args) and ${docker_extra_arguments} directly, then runs it via bash -c, allowing shell injection. Supplying malicious args (e.g., "; uname -a; #") can break out of the intended invocation and run arbitrary host commands. Fix by avoiding bash -c and passing arguments to docker and to the container entrypoint as separate argv elements, e.g.,
# Example: do not use -c; set entrypoint and pass args safely
exec docker run --rm -i --platform linux/amd64 -u "$(id -u):$(id -g)" \
--name "$container_name" -e DTC_HEADLESS=true -e "DTC_PROJECT_BRANCH=$DTC_PROJECT_BRANCH" \
${docker_extra_args_array[@]} ${env_file_option_args[@]} \
-v "$pwd:/project" --entrypoint doctoolchain "${DTC_DOCKER_PREFIX}${docker_image}:v${version}" \
. "$@" ${DTC_OPTS:+"${DTC_OPTS}"}| docker_args="run --rm -i --platform linux/amd64 -u $(id -u):$(id -g) --name ${container_name} \ | |
| -e DTC_HEADLESS=true -e DTC_SITETHEME -e DTC_PROJECT_BRANCH=${DTC_PROJECT_BRANCH} \ | |
| ${docker_extra_arguments} ${env_file_option} \ | |
| --entrypoint /bin/bash -v '${pwd}:/project' ${DTC_DOCKER_PREFIX}${docker_image}:v${version}" | |
| cmd="docker ${docker_args} -c \"doctoolchain . ${*} ${DTC_OPTS} && exit\"" | |
| # Convert docker_extra_arguments and env_file_option to arrays for safe expansion | |
| local docker_extra_args_array=() | |
| if [ -n "${docker_extra_arguments}" ]; then | |
| # shellcheck disable=SC2206 | |
| docker_extra_args_array=(${docker_extra_arguments}) | |
| fi | |
| local env_file_option_args=() | |
| if [ -n "${env_file_option}" ]; then | |
| # shellcheck disable=SC2206 | |
| env_file_option_args=(${env_file_option}) | |
| fi | |
| docker_args=(run --rm -i --platform linux/amd64 -u "$(id -u):$(id -g)" --name "${container_name}" \ | |
| -e DTC_HEADLESS=true -e DTC_SITETHEME -e "DTC_PROJECT_BRANCH=${DTC_PROJECT_BRANCH}" \ | |
| "${docker_extra_args_array[@]}" "${env_file_option_args[@]}" \ | |
| -v "${pwd}:/project" --entrypoint doctoolchain "${DTC_DOCKER_PREFIX}${docker_image}:v${version}") | |
| # Build argument list for doctoolchain: . "$@" ${DTC_OPTS} | |
| local doctoolchain_args=(. "$@") | |
| if [ -n "${DTC_OPTS}" ]; then | |
| # shellcheck disable=SC2206 | |
| doctoolchain_args+=(${DTC_OPTS}) | |
| fi | |
| cmd="docker ${docker_args[@]} ${doctoolchain_args[@]}" |
| fi | ||
| cmd="${cmd} . ${*} ${DTC_OPTS}" | ||
| else | ||
| cmd="$(sdk_home_doctoolchain "${version}")/bin/doctoolchain . ${*} ${DTC_OPTS}" |
There was a problem hiding this comment.
User-supplied CLI arguments are interpolated into a command string via ${*} that is later executed with bash -c, enabling shell metacharacter injection. A crafted argument (e.g., --help; rm -rf "$HOME" #) would be executed by the shell rather than passed to doctoolchain. Fix by avoiding command-string construction and bash -c; invoke the target binary directly with an argument array and forward "$@" safely.
1 participant
Summary
Added documentation build script and updated dtcw script to latest version
What’s Changed
How to Test
Check workflow artifact it generates a zip file containing the Architecture Gaia-X Federated Catalogue as PDF and HTML version.