From 8aa4d1cddede22b2c90a29c7b19836e46ccb0b5b Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Thu, 26 Mar 2026 13:59:45 +0100 Subject: [PATCH 1/6] Pass shared build config via artifact to eliminate duplicate inputs Consumer repos currently must specify the same inputs (strict, continue-on-error, path-pattern, path-pattern-ignore, enable-vale-linting) in both their docs-build and docs-deploy caller workflows. This creates maintenance burden and drift risk when the values diverge. docs-build.yml now exports these shared inputs as a versioned JSON artifact (docs-build-config). docs-deploy.yml downloads it from the triggering workflow_run and uses those values, removing the 5 duplicate inputs from its workflow_call interface. Security: JSON is produced with jq --arg (no shell interpolation), parsed with jq only, schema/type-validated, boolean values allowlisted, and path patterns denied shell metacharacters. The artifact is tied to the specific workflow_run.id. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/docs-build.yml | 35 ++++++++ .github/workflows/docs-deploy.yml | 135 +++++++++++++++++++++++------- 2 files changed, 141 insertions(+), 29 deletions(-) diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 25448d0..a63e7c8 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -47,6 +47,41 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: + export-config: + if: github.event.repository.fork == false + runs-on: ubuntu-latest + permissions: + contents: none + steps: + - name: Write shared config + env: + INPUT_STRICT: ${{ inputs.strict }} + INPUT_CONTINUE_ON_ERROR: ${{ inputs.continue-on-error }} + INPUT_PATH_PATTERN: ${{ inputs.path-pattern }} + INPUT_PATH_PATTERN_IGNORE: ${{ inputs.path-pattern-ignore }} + INPUT_ENABLE_VALE_LINTING: ${{ inputs.enable-vale-linting }} + run: | + jq -n \ + --arg strict "${INPUT_STRICT:-true}" \ + --arg continue_on_error "${INPUT_CONTINUE_ON_ERROR:-false}" \ + --arg path_pattern "${INPUT_PATH_PATTERN:-**}" \ + --arg path_pattern_ignore "${INPUT_PATH_PATTERN_IGNORE:-}" \ + --argjson enable_vale_linting "${INPUT_ENABLE_VALE_LINTING:-false}" \ + '{ + version: 1, + strict: $strict, + "continue-on-error": $continue_on_error, + "path-pattern": $path_pattern, + "path-pattern-ignore": $path_pattern_ignore, + "enable-vale-linting": $enable_vale_linting + }' > docs-build-config.json + - name: Upload config artifact + uses: actions/upload-artifact@v7 + with: + name: docs-build-config + path: docs-build-config.json + retention-days: 1 + match: if: github.event.repository.fork == false runs-on: ubuntu-latest diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index fb52726..047f001 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -3,25 +3,6 @@ name: Docs Deploy on: workflow_call: inputs: - strict: - description: 'Treat warnings as errors' - type: string - default: 'true' - continue-on-error: - description: 'Do not fail if build fails' - type: string - required: false - default: 'false' - path-pattern: - description: 'Path pattern to filter files (should match Phase 1 setting)' - type: string - default: '**' - required: false - path-pattern-ignore: - description: 'Path pattern to ignore files (should match Phase 1 setting)' - type: string - default: '' - required: false disable-comments: description: 'Disable PR preview comments' type: boolean @@ -32,11 +13,6 @@ on: type: boolean default: false required: false - enable-vale-linting: - description: 'Enable vale linting report' - type: boolean - default: false - required: false permissions: {} @@ -51,6 +27,7 @@ jobs: && github.event.repository.fork == false runs-on: ubuntu-latest permissions: + actions: read contents: none pull-requests: read outputs: @@ -64,14 +41,114 @@ jobs: is-fork: ${{ steps.context.outputs.is-fork }} base-ref: ${{ steps.context.outputs.base-ref }} author-association: ${{ steps.context.outputs.author-association }} + cfg-strict: ${{ steps.parse-config.outputs.strict }} + cfg-continue-on-error: ${{ steps.parse-config.outputs.continue-on-error }} + cfg-path-pattern: ${{ steps.parse-config.outputs.path-pattern }} + cfg-path-pattern-ignore: ${{ steps.parse-config.outputs.path-pattern-ignore }} + cfg-enable-vale-linting: ${{ steps.parse-config.outputs.enable-vale-linting }} steps: + - name: Download build config + id: download-config + continue-on-error: true + uses: actions/download-artifact@v8 + with: + name: docs-build-config + path: /tmp/build-config + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ github.token }} + + - name: Parse and validate config + id: parse-config + # language=bash + run: | + CONFIG_FILE="/tmp/build-config/docs-build-config.json" + if [[ ! -f "$CONFIG_FILE" ]]; then + echo "::notice::No build config artifact found — using defaults" + echo "strict=true" >> "$GITHUB_OUTPUT" + echo "continue-on-error=false" >> "$GITHUB_OUTPUT" + echo "path-pattern=**" >> "$GITHUB_OUTPUT" + echo "path-pattern-ignore=" >> "$GITHUB_OUTPUT" + echo "enable-vale-linting=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + # Validate JSON structure + if ! jq empty "$CONFIG_FILE" 2>/dev/null; then + echo "::error::Build config artifact contains invalid JSON" + exit 1 + fi + + # Validate schema version + VERSION=$(jq -r '.version // empty' "$CONFIG_FILE") + if [[ "$VERSION" != "1" ]]; then + echo "::error::Unsupported config version: ${VERSION}" + exit 1 + fi + + # Validate expected keys exist and types are correct + VALID=$(jq ' + (.strict | type) == "string" + and (."continue-on-error" | type) == "string" + and (."path-pattern" | type) == "string" + and (."path-pattern-ignore" | type) == "string" + and (."enable-vale-linting" | type) == "boolean" + ' "$CONFIG_FILE") + + if [[ "$VALID" != "true" ]]; then + echo "::error::Build config artifact has invalid schema" + exit 1 + fi + + # Extract values safely with jq + STRICT=$(jq -r '.strict' "$CONFIG_FILE") + COE=$(jq -r '."continue-on-error"' "$CONFIG_FILE") + PATH_PAT=$(jq -r '."path-pattern"' "$CONFIG_FILE") + PATH_IGN=$(jq -r '."path-pattern-ignore"' "$CONFIG_FILE") + VALE=$(jq -r '."enable-vale-linting"' "$CONFIG_FILE") + + # Allowlist: strict and continue-on-error must be exactly "true" or "false" + if [[ "$STRICT" != "true" && "$STRICT" != "false" ]]; then + echo "::error::Invalid strict value: must be 'true' or 'false'" + exit 1 + fi + if [[ "$COE" != "true" && "$COE" != "false" ]]; then + echo "::error::Invalid continue-on-error value: must be 'true' or 'false'" + exit 1 + fi + + # Denylist: reject shell metacharacters in path patterns + DENY_RE='[;|&$`(){}\\]' + if [[ "$PATH_PAT" =~ $DENY_RE ]]; then + echo "::error::path-pattern contains disallowed characters" + exit 1 + fi + if [[ "$PATH_IGN" =~ $DENY_RE ]]; then + echo "::error::path-pattern-ignore contains disallowed characters" + exit 1 + fi + + echo "strict=${STRICT}" >> "$GITHUB_OUTPUT" + echo "continue-on-error=${COE}" >> "$GITHUB_OUTPUT" + echo "enable-vale-linting=${VALE}" >> "$GITHUB_OUTPUT" + # Use heredoc for path values that may contain newlines + { + echo "path-pattern<> "$GITHUB_OUTPUT" + { + echo "path-pattern-ignore<> "$GITHUB_OUTPUT" + - name: Resolve workflow run context id: context uses: actions/github-script@v8 env: - PATH_PATTERN: ${{ inputs.path-pattern }} + PATH_PATTERN: ${{ steps.parse-config.outputs.path-pattern }} IGNORE_PATTERNS: | - ${{ inputs.path-pattern-ignore }} + ${{ steps.parse-config.outputs.path-pattern-ignore }} .github/** README.md with: @@ -352,7 +429,7 @@ jobs: # preload the link index before the build. - name: Build documentation id: docs-build - continue-on-error: ${{ fromJSON(inputs.continue-on-error != '' && inputs.continue-on-error || 'false') }} + continue-on-error: ${{ fromJSON(needs.preflight.outputs.cfg-continue-on-error) }} # language=bash run: | CONTAINER_OUTPUT=$(mktemp) @@ -374,7 +451,7 @@ jobs: exit $EXIT_CODE env: - STRICT_FLAG: ${{ fromJSON(inputs.strict != '' && inputs.strict || 'true') }} + STRICT_FLAG: ${{ fromJSON(needs.preflight.outputs.cfg-strict) }} - name: Upload links artifact id: upload-links @@ -664,7 +741,7 @@ jobs: needs.preflight.outputs.event == 'pull_request' && (needs.preflight.outputs.is-fork == 'false' || contains(fromJSON('["MEMBER","OWNER"]'), needs.preflight.outputs.author-association)) - && inputs.enable-vale-linting == true + && needs.preflight.outputs.cfg-enable-vale-linting == 'true' needs: - preflight runs-on: ubuntu-latest From 6f183dcdb2ccb6fb90657e99a3fa1cc6f46c5434 Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Thu, 26 Mar 2026 14:04:16 +0100 Subject: [PATCH 2/6] Simplify config artifact with toJSON/fromJSON for scalability Instead of manually serializing each shared input field, use toJSON(inputs) to pass the entire inputs object as a single JSON blob. The deploy workflow uses fromJSON() to access individual fields. Adding new shared inputs now requires zero changes to the serialization/deserialization code. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/docs-build.yml | 23 ++------- .github/workflows/docs-deploy.yml | 84 +++++++------------------------ 2 files changed, 22 insertions(+), 85 deletions(-) diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index a63e7c8..b383e76 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -53,28 +53,11 @@ jobs: permissions: contents: none steps: - - name: Write shared config + - name: Write build config env: - INPUT_STRICT: ${{ inputs.strict }} - INPUT_CONTINUE_ON_ERROR: ${{ inputs.continue-on-error }} - INPUT_PATH_PATTERN: ${{ inputs.path-pattern }} - INPUT_PATH_PATTERN_IGNORE: ${{ inputs.path-pattern-ignore }} - INPUT_ENABLE_VALE_LINTING: ${{ inputs.enable-vale-linting }} + INPUTS_JSON: ${{ toJSON(inputs) }} run: | - jq -n \ - --arg strict "${INPUT_STRICT:-true}" \ - --arg continue_on_error "${INPUT_CONTINUE_ON_ERROR:-false}" \ - --arg path_pattern "${INPUT_PATH_PATTERN:-**}" \ - --arg path_pattern_ignore "${INPUT_PATH_PATTERN_IGNORE:-}" \ - --argjson enable_vale_linting "${INPUT_ENABLE_VALE_LINTING:-false}" \ - '{ - version: 1, - strict: $strict, - "continue-on-error": $continue_on_error, - "path-pattern": $path_pattern, - "path-pattern-ignore": $path_pattern_ignore, - "enable-vale-linting": $enable_vale_linting - }' > docs-build-config.json + jq '{version: 1, inputs: .}' <<< "$INPUTS_JSON" > docs-build-config.json - name: Upload config artifact uses: actions/upload-artifact@v7 with: diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 047f001..e7bdda5 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -41,11 +41,7 @@ jobs: is-fork: ${{ steps.context.outputs.is-fork }} base-ref: ${{ steps.context.outputs.base-ref }} author-association: ${{ steps.context.outputs.author-association }} - cfg-strict: ${{ steps.parse-config.outputs.strict }} - cfg-continue-on-error: ${{ steps.parse-config.outputs.continue-on-error }} - cfg-path-pattern: ${{ steps.parse-config.outputs.path-pattern }} - cfg-path-pattern-ignore: ${{ steps.parse-config.outputs.path-pattern-ignore }} - cfg-enable-vale-linting: ${{ steps.parse-config.outputs.enable-vale-linting }} + cfg: ${{ steps.parse-config.outputs.config }} steps: - name: Download build config id: download-config @@ -64,11 +60,12 @@ jobs: CONFIG_FILE="/tmp/build-config/docs-build-config.json" if [[ ! -f "$CONFIG_FILE" ]]; then echo "::notice::No build config artifact found — using defaults" - echo "strict=true" >> "$GITHUB_OUTPUT" - echo "continue-on-error=false" >> "$GITHUB_OUTPUT" - echo "path-pattern=**" >> "$GITHUB_OUTPUT" - echo "path-pattern-ignore=" >> "$GITHUB_OUTPUT" - echo "enable-vale-linting=false" >> "$GITHUB_OUTPUT" + DEFAULT='{"strict":"true","continue-on-error":"false","path-pattern":"**","path-pattern-ignore":"","enable-vale-linting":false}' + { + echo "config<> "$GITHUB_OUTPUT" exit 0 fi @@ -85,60 +82,17 @@ jobs: exit 1 fi - # Validate expected keys exist and types are correct - VALID=$(jq ' - (.strict | type) == "string" - and (."continue-on-error" | type) == "string" - and (."path-pattern" | type) == "string" - and (."path-pattern-ignore" | type) == "string" - and (."enable-vale-linting" | type) == "boolean" - ' "$CONFIG_FILE") - - if [[ "$VALID" != "true" ]]; then - echo "::error::Build config artifact has invalid schema" + # Reject nested objects/arrays in inputs (only scalars allowed) + HAS_COMPLEX=$(jq '[.inputs | to_entries[].value | type] | map(select(. == "object" or . == "array")) | length' "$CONFIG_FILE") + if [[ "$HAS_COMPLEX" != "0" ]]; then + echo "::error::Config inputs contain unexpected complex values" exit 1 fi - # Extract values safely with jq - STRICT=$(jq -r '.strict' "$CONFIG_FILE") - COE=$(jq -r '."continue-on-error"' "$CONFIG_FILE") - PATH_PAT=$(jq -r '."path-pattern"' "$CONFIG_FILE") - PATH_IGN=$(jq -r '."path-pattern-ignore"' "$CONFIG_FILE") - VALE=$(jq -r '."enable-vale-linting"' "$CONFIG_FILE") - - # Allowlist: strict and continue-on-error must be exactly "true" or "false" - if [[ "$STRICT" != "true" && "$STRICT" != "false" ]]; then - echo "::error::Invalid strict value: must be 'true' or 'false'" - exit 1 - fi - if [[ "$COE" != "true" && "$COE" != "false" ]]; then - echo "::error::Invalid continue-on-error value: must be 'true' or 'false'" - exit 1 - fi - - # Denylist: reject shell metacharacters in path patterns - DENY_RE='[;|&$`(){}\\]' - if [[ "$PATH_PAT" =~ $DENY_RE ]]; then - echo "::error::path-pattern contains disallowed characters" - exit 1 - fi - if [[ "$PATH_IGN" =~ $DENY_RE ]]; then - echo "::error::path-pattern-ignore contains disallowed characters" - exit 1 - fi - - echo "strict=${STRICT}" >> "$GITHUB_OUTPUT" - echo "continue-on-error=${COE}" >> "$GITHUB_OUTPUT" - echo "enable-vale-linting=${VALE}" >> "$GITHUB_OUTPUT" - # Use heredoc for path values that may contain newlines - { - echo "path-pattern<> "$GITHUB_OUTPUT" + # Output the inputs object as compact JSON for fromJSON() consumption { - echo "path-pattern-ignore<> "$GITHUB_OUTPUT" @@ -146,9 +100,9 @@ jobs: id: context uses: actions/github-script@v8 env: - PATH_PATTERN: ${{ steps.parse-config.outputs.path-pattern }} + PATH_PATTERN: ${{ fromJSON(steps.parse-config.outputs.config).path-pattern }} IGNORE_PATTERNS: | - ${{ steps.parse-config.outputs.path-pattern-ignore }} + ${{ fromJSON(steps.parse-config.outputs.config).path-pattern-ignore }} .github/** README.md with: @@ -429,7 +383,7 @@ jobs: # preload the link index before the build. - name: Build documentation id: docs-build - continue-on-error: ${{ fromJSON(needs.preflight.outputs.cfg-continue-on-error) }} + continue-on-error: ${{ fromJSON(needs.preflight.outputs.cfg).continue-on-error == 'true' }} # language=bash run: | CONTAINER_OUTPUT=$(mktemp) @@ -451,7 +405,7 @@ jobs: exit $EXIT_CODE env: - STRICT_FLAG: ${{ fromJSON(needs.preflight.outputs.cfg-strict) }} + STRICT_FLAG: ${{ fromJSON(needs.preflight.outputs.cfg).strict == 'true' }} - name: Upload links artifact id: upload-links @@ -741,7 +695,7 @@ jobs: needs.preflight.outputs.event == 'pull_request' && (needs.preflight.outputs.is-fork == 'false' || contains(fromJSON('["MEMBER","OWNER"]'), needs.preflight.outputs.author-association)) - && needs.preflight.outputs.cfg-enable-vale-linting == 'true' + && fromJSON(needs.preflight.outputs.cfg).enable-vale-linting == true needs: - preflight runs-on: ubuntu-latest From 39cd3d48beaf4b300575434d96f94fa96d129341 Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Thu, 26 Mar 2026 14:05:13 +0100 Subject: [PATCH 3/6] =?UTF-8?q?Drop=20version=20envelope=20=E2=80=94=20ser?= =?UTF-8?q?ialize=20inputs=20directly?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The version field added speculative complexity without a concrete use case. The artifact now contains the raw toJSON(inputs) output, and the deploy side reads it directly with no unwrapping. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/docs-build.yml | 2 +- .github/workflows/docs-deploy.yml | 17 +++++------------ 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index b383e76..04a143d 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -57,7 +57,7 @@ jobs: env: INPUTS_JSON: ${{ toJSON(inputs) }} run: | - jq '{version: 1, inputs: .}' <<< "$INPUTS_JSON" > docs-build-config.json + printenv INPUTS_JSON > docs-build-config.json - name: Upload config artifact uses: actions/upload-artifact@v7 with: diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index e7bdda5..d004675 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -75,24 +75,17 @@ jobs: exit 1 fi - # Validate schema version - VERSION=$(jq -r '.version // empty' "$CONFIG_FILE") - if [[ "$VERSION" != "1" ]]; then - echo "::error::Unsupported config version: ${VERSION}" - exit 1 - fi - - # Reject nested objects/arrays in inputs (only scalars allowed) - HAS_COMPLEX=$(jq '[.inputs | to_entries[].value | type] | map(select(. == "object" or . == "array")) | length' "$CONFIG_FILE") + # Reject nested objects/arrays (only scalars allowed) + HAS_COMPLEX=$(jq '[to_entries[].value | type] | map(select(. == "object" or . == "array")) | length' "$CONFIG_FILE") if [[ "$HAS_COMPLEX" != "0" ]]; then - echo "::error::Config inputs contain unexpected complex values" + echo "::error::Config contains unexpected complex values" exit 1 fi - # Output the inputs object as compact JSON for fromJSON() consumption + # Output as compact JSON for fromJSON() consumption { echo "config<> "$GITHUB_OUTPUT" From 94462a88bc0b2435aa61d867a81298cf1c8ff7ba Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Thu, 26 Mar 2026 14:07:14 +0100 Subject: [PATCH 4/6] Fail if build config artifact is missing instead of using defaults The deploy workflow now requires the config artifact from the build workflow. If it is missing, the download step fails hard rather than falling back to defaults silently. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/docs-deploy.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index d004675..799c467 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -44,8 +44,6 @@ jobs: cfg: ${{ steps.parse-config.outputs.config }} steps: - name: Download build config - id: download-config - continue-on-error: true uses: actions/download-artifact@v8 with: name: docs-build-config @@ -58,16 +56,6 @@ jobs: # language=bash run: | CONFIG_FILE="/tmp/build-config/docs-build-config.json" - if [[ ! -f "$CONFIG_FILE" ]]; then - echo "::notice::No build config artifact found — using defaults" - DEFAULT='{"strict":"true","continue-on-error":"false","path-pattern":"**","path-pattern-ignore":"","enable-vale-linting":false}' - { - echo "config<> "$GITHUB_OUTPUT" - exit 0 - fi # Validate JSON structure if ! jq empty "$CONFIG_FILE" 2>/dev/null; then From d6998cabcf5a4e9e2dbc72a70c49e84ab9b96a05 Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Thu, 26 Mar 2026 14:08:48 +0100 Subject: [PATCH 5/6] Remove redundant config validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit toJSON(inputs) is produced by GitHub from schema-constrained workflow_call inputs — the JSON is always valid and values are always scalars. No need to re-validate on the deploy side. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/docs-deploy.yml | 29 ++++++----------------------- 1 file changed, 6 insertions(+), 23 deletions(-) diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 799c467..d7f8b6a 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -41,7 +41,7 @@ jobs: is-fork: ${{ steps.context.outputs.is-fork }} base-ref: ${{ steps.context.outputs.base-ref }} author-association: ${{ steps.context.outputs.author-association }} - cfg: ${{ steps.parse-config.outputs.config }} + cfg: ${{ steps.build-config.outputs.config }} steps: - name: Download build config uses: actions/download-artifact@v8 @@ -51,29 +51,12 @@ jobs: run-id: ${{ github.event.workflow_run.id }} github-token: ${{ github.token }} - - name: Parse and validate config - id: parse-config - # language=bash + - name: Read build config + id: build-config run: | - CONFIG_FILE="/tmp/build-config/docs-build-config.json" - - # Validate JSON structure - if ! jq empty "$CONFIG_FILE" 2>/dev/null; then - echo "::error::Build config artifact contains invalid JSON" - exit 1 - fi - - # Reject nested objects/arrays (only scalars allowed) - HAS_COMPLEX=$(jq '[to_entries[].value | type] | map(select(. == "object" or . == "array")) | length' "$CONFIG_FILE") - if [[ "$HAS_COMPLEX" != "0" ]]; then - echo "::error::Config contains unexpected complex values" - exit 1 - fi - - # Output as compact JSON for fromJSON() consumption { echo "config<> "$GITHUB_OUTPUT" @@ -81,9 +64,9 @@ jobs: id: context uses: actions/github-script@v8 env: - PATH_PATTERN: ${{ fromJSON(steps.parse-config.outputs.config).path-pattern }} + PATH_PATTERN: ${{ fromJSON(steps.build-config.outputs.config).path-pattern }} IGNORE_PATTERNS: | - ${{ fromJSON(steps.parse-config.outputs.config).path-pattern-ignore }} + ${{ fromJSON(steps.build-config.outputs.config).path-pattern-ignore }} .github/** README.md with: From 6da40f566015edcb0c0f1a48d7c55351bb7bbf26 Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Thu, 26 Mar 2026 14:10:46 +0100 Subject: [PATCH 6/6] Remove redundant github-token parameter from download-artifact It defaults to github.token already. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/docs-deploy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index d7f8b6a..106c2d4 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -49,7 +49,6 @@ jobs: name: docs-build-config path: /tmp/build-config run-id: ${{ github.event.workflow_run.id }} - github-token: ${{ github.token }} - name: Read build config id: build-config