Fix doc builds #484
Pull request overview
Updates the documentation GitHub Actions workflow so documentation builds run for pull requests in addition to master pushes, helping catch doc build failures before merge.
Changes:
- Trigger documentation workflow on pull_request events.
- Install a specific CMake version (and Ninja) before running the docs build steps.
.github/workflows/documentation.yml:26
Using floating versions here (lukka/get-cmake@latest and ninjaVersion: latest) makes the docs build non-reproducible and can break unexpectedly when upstream releases change; it also weakens the supply-chain security posture of the workflow. Prefer pinning the action to a tagged major/minor (or a commit SHA) and pin Ninja (or omit it if the runner-provided Ninja is sufficient).
uses: lukka/get-cmake@latest
with:
  cmakeVersion: 4.2.3
  ninjaVersion: latest
| on: | ||
| push: | ||
| branches: [master] | ||
| pull_request: |
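Review bot: the new pull_request trigger on the last row carries no branches filter, while push is restricted to [master]; if only PRs targeting master should build the docs, add the same `branches: [master]` under `pull_request:`, and gate the deploy job on `github.event_name == 'push'` so a PR run stops after the build and never reaches the publish step.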
Adding a pull_request trigger means the workflow will now run untrusted PR code with the current top-level permissions (pages: write, id-token: write). Those elevated permissions are only needed for the deploy job and increase the blast radius if a PR can execute arbitrary commands. Consider reducing the workflow-level permissions to read-only (e.g., contents: read) and granting pages: write / id-token: write only on the deploy job (and only on push to master).
Docs will be built on PRs, too. Just pushing the docs stays when merging to master.
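How the two review points above (read-only top-level permissions with the write permissions moved onto the deploy job, and pinned action/tool versions) fit together in one workflow, as an added example rather than the PR's own documentation.yml. The job names, the docs build command, the artifact path and the vX.Y.Z action tag are assumptions, not values from the PR.

```yaml
name: Documentation

on:
  push:
    branches: [master]
  pull_request:

# Default for every job: read-only. A build triggered by a PR gets
# nothing beyond this, so PR code cannot publish or mint an OIDC token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Pinned instead of "@latest" / "latest" so the build is reproducible.
      # vX.Y.Z is a placeholder: replace it with the tag or commit SHA you audited.
      - uses: lukka/get-cmake@vX.Y.Z
        with:
          cmakeVersion: 4.2.3
          ninjaVersion: 1.11.1   # a concrete Ninja release, not "latest"
      - run: ./build-docs.sh    # placeholder for the project's real docs build step
      - uses: actions/upload-pages-artifact@v3
        with:
          path: build/docs/html  # assumed output directory of the docs build

  deploy:
    needs: build
    # Only a push to master publishes; a PR run ends after `build`.
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    # The elevated permissions live only on the job that needs them.
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4
```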