chore: enforce security hardening for GitHub Actions workflows (#10038) #1775
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # When changes are pushed to the develop branch, | |
| # build the current version of the API documentation | |
| # with phpDocumentor and deploy it to codeigniter4/api. | |
| name: Deploy API Documentation | |
| on: | |
| push: | |
| branches: | |
| - 'develop' | |
| paths: | |
| - 'system/**' | |
| - '.github/workflows/deploy-apidocs.yml' | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Deploy to api | |
| permissions: | |
| contents: write | |
| if: github.repository == 'codeigniter4/CodeIgniter4' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Setup credentials | |
| run: | | |
| git config --global user.email "action@github.com" | |
| git config --global user.name "${GITHUB_ACTOR}" | |
| - name: Checkout source | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| path: source | |
| persist-credentials: false | |
| - name: Checkout target | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| repository: codeigniter4/api | |
| token: ${{ secrets.ACCESS_TOKEN }} | |
| path: api | |
| persist-credentials: false | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 | |
| with: | |
| php-version: '8.2' | |
| tools: phive | |
| coverage: none | |
| - name: Download latest phpDocumentor | |
| working-directory: source | |
| run: phive --no-progress install --trust-gpg-keys 6DA3ACC4991FFAE5 phpDocumentor | |
| - name: Prepare API repo | |
| working-directory: api | |
| run: | | |
| git reset --hard master | |
| rm -rfv docs | |
| mkdir --parents --verbose docs | |
| - name: Build API in source repo | |
| working-directory: source | |
| run: | | |
| php tools/phpDocumentor --ansi --verbose | |
| cp -R ${GITHUB_WORKSPACE}/source/api/build/* ${GITHUB_WORKSPACE}/api/docs | |
| - name: Deploy to API repo | |
| working-directory: api | |
| env: | |
| PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }} | |
| run: | | |
| git add . | |
| if ! git diff-index --quiet HEAD; then | |
| git commit -m "Updated API for commit ${GITHUB_SHA}" | |
| bash ${GITHUB_WORKSPACE}/.github/scripts/secure-git-push https://github.com/codeigniter4/api.git HEAD:master | |
| fi |