CI: skip heavy jobs for docs-only changes #11263
Conversation
| - name: Detect docs-only changes | ||
| id: scope | ||
| uses: actions/github-script@v7 |
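Review bot: `uses: actions/github-script@v7` pins only a mutable major tag; because this step executes script with the calling job's `GITHUB_TOKEN`, pin it to a full commit SHA (keeping `# v7` as a comment) so a moved or compromised tag cannot change what runs, and state the token scopes the script needs (`pull-requests: read` for `pulls.listFiles`, `contents: read` for `repos.compareCommits`) in the action's description so callers can grant exactly those and nothing more.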
Missing permissions for API
This composite action calls GitHub REST APIs via actions/github-script@v7, but the action itself doesn’t declare (or document) required permissions. If a workflow doesn’t grant pull-requests: read (for pulls.listFiles) or appropriate contents access (for repos.compareCommits on push), the script will throw and you’ll fall back to docs_only=false, causing “docs-only” PRs to run the full heavy workflow unexpectedly. Consider explicitly setting job/workflow permissions for the docs-change-scope job (or documenting them in the action) so the gate behaves deterministically.
Path: .github/actions/detect-docs-only/action.yml
Line: 10:12
| docs-change-scope: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| docs_only: ${{ steps.scope.outputs.docs_only }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Detect docs-only changes | ||
| id: scope | ||
| uses: ./.github/actions/detect-docs-only |
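Review bot: `docs-change-scope` carries no `permissions:` block, so its `GITHUB_TOKEN` inherits the repository default; add `permissions: { contents: read, pull-requests: read }` on the job both so the API calls succeed and so the token stays read-only. Two points for whatever consumes `docs_only`: job outputs are strings, so gate with `needs.docs-change-scope.outputs.docs_only != 'true'` rather than a bare boolean test, and since a job that `needs:` this one is skipped outright when it fails, prefix the condition with `!cancelled() &&` so a failing gate runs the heavy jobs (fails closed) instead of silently skipping them.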
Gate job may fail
docs-change-scope runs actions/github-script (via the composite action) without setting permissions:. If the repository/org default workflow permissions are set to “read repository contents only”, pulls.listFiles requires pull-requests: read and will fail; that makes the gate always output docs_only=false and defeats the purpose (docs-only PRs still run everything). Add explicit permissions on this job (e.g., permissions: { contents: read, pull-requests: read }) so the condition is reliable.
Path: .github/workflows/ci.yml
Line: 13:23
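The change both review comments above ask for, written out as an added example rather than the PR's own files: a least-privilege `docs-change-scope` job for `.github/workflows/ci.yml`, plus one consumer job that honours the gate. The gate job, its step names and the composite action path are taken from the diff above; the consumer job `heavy-tests`, its single step, and the workflow-level `permissions: {}` default are assumptions made for the example.

```yaml
# Added example, not the PR's own ci.yml: least-privilege gate job and one
# hypothetical consumer job that reads its docs_only output.
permissions: {}          # assumed workflow default: no scopes; each job opts in

jobs:
  docs-change-scope:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # repos.compareCommits on push events
      pull-requests: read  # pulls.listFiles on pull_request events
    outputs:
      docs_only: ${{ steps.scope.outputs.docs_only }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect docs-only changes
        id: scope
        uses: ./.github/actions/detect-docs-only

  heavy-tests:             # hypothetical consumer job
    needs: docs-change-scope
    # Job outputs are strings, so compare against 'true'. !cancelled() keeps
    # this job from being skipped when the gate job itself fails: a broken
    # gate must fail closed, i.e. run the heavy work rather than skip it.
    if: ${{ !cancelled() && needs.docs-change-scope.outputs.docs_only != 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo "docs_only is not 'true'; running the heavy suite"
```

With `permissions: {}` at the top, every job gets an empty-scope token unless it declares what it needs, so the gate job's two read scopes are the only ones the detection script can use; a docs-only PR then produces `docs_only=true` and `heavy-tests` is skipped, while an API failure or a gate-job failure leaves the condition true and the heavy job runs.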
Thanks for tackling this — the goal of skipping heavy CI on docs-only PRs is 100% right. But this approach is over-engineered for what we need:
The simpler approach: add
Going to close this in favor of the simpler approach.
@quotentiroler please go ahead.
Summary
.github/actions/detect-docs-only
docs-change-scope
gate job in targeted workflows
lint, format
Files
.github/actions/detect-docs-only/action.yml
.github/workflows/ci.yml
.github/workflows/install-smoke.yml
.github/workflows/workflow-sanity.yml
.github/workflows/formal-conformance.yml
Why
Validation